Following are requirements which should be met before submitting any APK file to Information security or before publishing app at play store.
Always Use Proguard
Proguard will obfuscate your code. If someone decompiles your code, Your code will be useless. Because proguard will change classes, methods, variables names.
1. Add these lines in build.gradle file to enable proguard.
minifEnabled must be true.
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro' } debug { minifyEnabled false
} }
2. Configure proguard-rules.pro file in your project
If you are using libraries in your project. Proguard will replace classes or remove classes. And you will get ClassDefNotFoundException.
To avoid this. Add proguard rules in Pro-guard rules.pro file. Check all dependencies in project build.gradle file and add rules for each of them.
I am using volley, mix panel, ACRA, sliding menu, jackson libraries in my project for which I am using below rules.
Example:
-keep class android.support.v4.app.** { *; }
-keep interface android.support.v4.app.** { *; }
-keep class android.support.v7.app.** { *; }
-keep interface android.support.v7.app.** { *; }
-keep class android.support.v13.app.** { *; }
-keep interface android.support.v13.app.** { *; }
-dontwarn android.support.design.**
-keep class android.support.design.** { *; }
-keep interface android.support.design.** { *; }
-keep public class android.support.design.R$* { *; }
#-dontwarn android.support.design.internal.NavigationMenu.**
android.support.design.widget.NavigationView -dontwarn org.apache.http.**
-dontwarn com.mixpanel.**
-dontwarn org.codehaus.jackson.**
-dontwarn org.acra.ErrorReporter.**
-dontwarn com.jeremyfeinstein.slidingmenu.**
-keepnames class com.fasterxml.jackson.** { *; }
-keepclassmembers public final enum org.codehaus.jackson.annotate.JsonAutoDetect$Visibility {
public static final org.codehaus.jackson.annotate.JsonAutoDetect$Visibility *; } -keep class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$* { *; }
4. I used allatori for String encryption and for hiding static code blocks in my application. as proguard do not obfuscate Strings so I had to use allotri for that purpose.
5. To avoid Intent Injection
I will explain how to do this later.
6. Remove logs from application before publishing it to play store.
7. Do not allow application to be installed on rooted devices. so that your application sensitive information is not exposed to other apps.
To do this below is code to check if device is rooted or not. finish splash activity or application is below code returns true.
public boolean isRooted() { // get from build info String buildTags = android.os.Build.TAGS; if (buildTags != null && buildTags.contains("test-keys")) { return true; } // check if /system/app/Superuser.apk is present try { File file = new File("/system/app/Superuser.apk"); if (file.exists()) { return true; } } catch (Exception e1) { // ignore } // try executing commands return canExecuteCommand("/system/xbin/which su") || canExecuteCommand("/system/bin/which su") || canExecuteCommand("which su"); } // executes a command on the systemprivate boolean canExecuteCommand(String command) { boolean executedSuccesfully; try { Runtime.getRuntime().exec(command); executedSuccesfully = true; } catch (Exception e) { executedSuccesfully = false; } return executedSuccesfully;}
Always Sign APK before giving it to Information Security team. Do not give APK in debug mode. It should be in release mode.
8. Sensitive information stored in Database and SharedPreferences should be encrypted. Because any one can read this on rooted devices or using different tools they can break APK file and can get all files.
9. compile 'com.scottyab:secure-preferences-lib:0.1.4'
I used above mentioned library for encrypting data stored in sharedPreferences. You can read its documentation for further information. There are many other libraries for SqliteDB and sharedPreferences encryption.
This is proguard rule which I am using for above library. To make sure that it do not obfuscate classes in this library. So my app do not crash.
-keep class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$* { *; }
You can check/search proguard rules against other libraries which you are using in your project.
10. Error messages in case of incorrect username/password should be general. We should never tell explicitly if username is not valid or password is not valid.
Further information can be found at below links.
References:
http://developer.android.com/training/articles/security-tips.html
http://developer.android.com/training/best-security.html