Hello, developers. In this blog I will show you how to create a session securely so that your app is not an easy target. First of all, understand that 100% security does not exist: every library and every piece of encryption logic has some loophole, but you should still make your app as secure as possible. If you are a beginner you may think Android is fully secure and that we live in a secure world, but your app can be hacked easily if you do not follow certain rules.
People often realize what security mistakes they have made only after reading an article like this; my situation was the same when I started securing my apps. Now let's see some code for implementing security in an Android app.
Let's start with some default security settings in the manifest. Restrict backup if your app has no need for it: backup is a feature, but it is also a loophole, because a hacker can back up the app and play with your data. Also set the install location to internal only so that the app can only be installed in internal storage.
In AndroidManifest.xml:

```xml
<!-- package name is a placeholder; installLocation belongs on <manifest>, not <application> -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp"
    android:installLocation="internalOnly">

    <application
        android:name=".MyApplication"
        android:allowBackup="false"
        android:hardwareAccelerated="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:usesCleartextTraffic="true">
        <!-- usesCleartextTraffic is unrelated to backup; it permits plain HTTP,
             so set it to "false" if all of your traffic is HTTPS -->
        <!-- activities, services, ... -->
    </application>
</manifest>
```
Now let's move to slightly stricter rules. People often save data in SharedPreferences, which Android stores as an XML file. Always make sure the mode is private only. This stops other apps from interacting with your app's session data, but it has a limitation.

```kotlin
sharedPreferences = context!!.getSharedPreferences("userinfo", Context.MODE_PRIVATE)
```
The above rule can fail on a rooted device: if the phone is rooted, anyone can back up the app and read the shared-preferences XML. Check whether the device is rooted, and if it is, you can refuse to create a session because of the lack of security. You can find several root-check methods on StackOverflow.
Wait, it's still not enough. Now a normal person cannot hack you, but what about a pro? Yes, on a custom ROM a backup can be taken without root and the shared preferences can be read. Let's secure it from the pro too.
To protect your app you now have to use encryption. If you work with an API you know you need to save a session token (it may be a hash or a JWT), and all other API calls work only when you pass that token, so you have to keep it in the session. You can save it with various encryption methods in Android; see the full details in this Medium article: ClickMe
If you read about encryption you know an encryption key is generated; you have to save the key and the encrypted data, and decrypt the data when you use it. This adds very good security to the app. The remaining problem is reverse engineering: there are several tools that can decompile your app. ApkTool is the famous one for unpacking Android apps, and even big apps like WhatsApp, Instagram and Facebook have been reversed with it. You may have heard of OGYouTube and OGWhatsApp, which are reverse-engineering products of those big apps. Through reverse engineering you can see the app's code to a certain extent, so if you are saving the encryption key in the app, the key and the logic can be found and the data can still be decrypted.
Now Google has announced EncryptedSharedPreferences. It stores the master key (think of it as the encryption key) in the Android Keystore, which is hardware-level security. Let's see how to implement it. Add the line below to your Gradle file; the version may change in the near future.

```groovy
implementation "androidx.security:security-crypto:1.0.0-rc01"
```
```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys

class EncryptedHash(context: Context) {

    // Alias of the master key; the key itself lives in the Android Keystore, not in the app.
    private val masterKeyAlias: String = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

    // Both preference keys and values are encrypted before they reach the XML file.
    private val sharedPreferences: SharedPreferences = EncryptedSharedPreferences.create(
        "encrypted_shared_prefs",
        masterKeyAlias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun store(data: String) {
        sharedPreferences.edit().putString("DATA", data).apply()
    }

    // Returns the stored value, or "" when nothing has been stored yet.
    fun retrieve(): String? = sharedPreferences.getString("DATA", "")
}
```
You can use the above code for EncryptedSharedPreferences: simply pass a string to the store function and get it back with the retrieve function. There is no need to keep the key in a string, which is good for security. This library is still in its working phase; to know more: ClickMe
There is one more method, using native code to store the key, but that is for the next blog.
Hope this article helps you understand the security rules and how to implement them.
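As an added example (not code from the original post), here is a hypothetical SessionManager that puts the pieces above together: it keeps the API session token in EncryptedSharedPreferences, gives it an expiry, and applies the root check mentioned earlier before a session is created. The class name, preference file name and su paths are my assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.File

// Hypothetical helper, not from the original post: keeps the API session token in
// EncryptedSharedPreferences with an expiry, and refuses to start a session on a
// device that looks rooted (the check suggested earlier in the post).
class SessionManager(context: Context) {
    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        "session_prefs",
        MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),   // key stays in the Keystore
        context.applicationContext,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    // Basic heuristic: a su binary in one of the usual locations. Not exhaustive,
    // so treat a negative result as "no obvious root", never as a guarantee.
    fun looksRooted(): Boolean = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    ).any { File(it).exists() }
    // Store the token with an absolute expiry so a stale token is never reused.
    // Returns false (and stores nothing) when the device looks rooted.
    fun startSession(token: String, ttlMillis: Long): Boolean {
        if (looksRooted()) return false
        prefs.edit()
            .putString(KEY_TOKEN, token)
            .putLong(KEY_EXPIRES_AT, System.currentTimeMillis() + ttlMillis)
            .apply()
        return true
    }
    // Null when there is no session or it has expired; an expired session is wiped.
    fun currentToken(): String? {
        val token = prefs.getString(KEY_TOKEN, null) ?: return null
        if (System.currentTimeMillis() >= prefs.getLong(KEY_EXPIRES_AT, 0L)) {
            endSession()
            return null
        }
        return token
    }
    // Call on logout so the token does not outlive the session on disk.
    fun endSession() = prefs.edit().clear().apply()

    private companion object {
        const val KEY_TOKEN = "session_token"
        const val KEY_EXPIRES_AT = "session_expires_at"
    }
}
```

The root heuristic only raises the bar; the real protection is that the token and its key never sit in plaintext in the preferences file.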