Android Security – Part I: Persisting user credentials

Do you think your mobile apps are secured?

Users are now more aware and suspicious about what apps they install on their devices. And rightly so, since there have been so many cases of rogue apps stealing personal data.

Most developers focus on the security aspects of a mobile application as an after-thought, which might result in an unsecured application. Such apps are the targets of hackers who are constantly trying to reverse-engineer and extract valuable personal user information.

Thus, it is extremely important to design your apps to ensure that you do not expose them to easy and obvious attacks. Also, before release, it is always recommended to go through an external security audit of your application, which should be a must for enterprise and other customer-centric applications that have access to users’ sensitive data.

Obviously, you should not store these data unencrypted, ever. Why? What information could a hacker extract if he has access to your mobile? Your mobile most probably already has a PIN lock or face lock. How can he get past the lock screen?

As a developer, you should always assume that the Android device can be unlocked and then rooted. 

The hacker might as well be your friend who could have knowledge of your PIN. Your phones could be stolen and sold to hackers. You can also be forgetful and leave your phones at airports, theatres, and taxis. All these devices might land up with hackers.

In such circumstances, what can you do to protect your application’s data? Let’s take a very specific example to start with. 

Most of the applications need to save or persist users’ credentials like emails, passwords, access tokens etc.

If possible, you should avoid persisting such sensitive data on the device.

SharedPreferences APIs allow you to save primitive data types as key-value pairs in an XML file. These are XML files located in the sandboxed storage space which is private to your application. Normally, these files cannot be accessed by other applications, and cannot be accessed by developer tools like adb, unless the device is rooted.

But, since we are assuming the worst case scenario, if we are storing any data in plaintext in these SharedPreferences files, an attacker can easily access your application’s data.

You should never store sensitive information unencrypted by using the SharedPreferences APIs.

So, how do you ensure to safeguard the users’ data against attacks? The recommended way to store any sensitive data is by encrypting them. That way, you make it extremely hard for any attacker to extract a user’s private information easily from a device.

Android provides the Android Keystore System which is designed for assisting applications to securely store private data on devices.  It takes care of the following things:

  • Manages an applications keys/key-pairs
  • Carries out the actual encryption/decryption on the application’s behalf
  • Manages authorizations which can limit the use of the stored keys

Once a key material is generated in the Android Keystore, they cannot be extracted from the application process or even from the device.

An application can manage only its own keys in the Android Keystore System. No other application can have access to your application’s keys stored in the Keystore.

When an application is uninstalled, all the keys created by the application is deleted.

Android Keystore System

How does it work?

  1. The application requests the Android Keystore to create a key (symmetric or asymmetric) by specifying various parameters like algorithm, alias, etc.
  2. The Keystore creates the key and stores it for later use.
  3. When required, the application requests a reference to the generated key.
  4. The application passes the data to be encrypted or decrypted to the Android Keystore and specifies which key is to be used.
  5. Android Keystore picks up the correct key from its store, runs cryptographic operations, and returns the decrypted or encrypted data.

In the next post, we will see how to implement this on Android. Stay tuned.

Other posts in this series

1 thought on “Android Security – Part I: Persisting user credentials

  1. Pingback: Android Security – Part II: Android KeyStore and cryptography operations – Techdroid

Leave a Reply