Apr 6, 2012

Android Application Security, How should we handle ?

Android platform fast becoming very popular between users and a target of malicious hackers as well. Therefore, Application security is very critical. Application security is how your context are secure. Many Apps have access to important information and data related to the user. Therefore, it's very important to protect these data from other malicious Apps.

Android system is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. Well, that means everything is fine!!?? Wrong!

While each application runs in its own UNIX UID, sharing can occur through application-level interactions. Interaction based on components like Activity, service, content provider and Broadcast receiver, where an Activity represents a user interface or a screen, service represents the background processing, Content provider provides a standardized interface for sharing data, and Broadcast receivers are intents handler, where intents are objects used for inter-component communication.
Therefore, you need as a developer to be aware of how much data other Apps can access from your App.
Here are some important things in terms of security and permissions that you may need to consider when developing your App:

1) android:sharedUserId (in AndroidManifest.xml) :

The name of a Linux user ID that will be shared with other applications. By default, Android assigns each application its own unique user ID. However, if this attribute is set to the same value for two or more applications, they will all share the same ID. Application with the same user ID can access each other's data and, if desired, run in the same process.

2) Determining the permission of a created file:

When you create a file using for example openFileoutput() method, the created file will be Private to your App by default, but you can change this permission as desired using:

- MODE_PRIVATE : the default mode, where the created file can only be accessed by the calling application (or all applications sharing the same user ID).
- MODE_WORLD_READABLE: allow all other applications to have read access to the created file.
- MODE_WORLD_WRITEABLE: allow all other applications to have write access to the created file.

3) The same idea is applied when you create a new data base:

SQLiteDatabase myDB = openOrCreateDatabase("test",MODE_WORLD_READABLE, null);
Here, the data base is readable to any other App on the device. Be careful!

4) android:exported (in AndroidManifest.xml) :

Whether or not the activity can be launched by components of other applications — "true" if it can be, and "false" if not. If "false", the activity can be launched only by components of the same application or applications with the same user ID. Best Practice: Always set the “exported” attribute.

1 comment: