🛠 DevSecOps practices for Android
Salute,
Firstly, you and I have a great growth statistic, namely, we already have 200 subscribers. I'm very happy about this. Thank you for monitoring the materials in the channel 🙏
Secondly, today I want to share practical experience with the Android platform and DevSecOps practices for it.
I think this will definitely be useful to you and there will be aspects that you have not paid attention to before. Likewise, you will see some aspects that you may not agree with, but it is still a summary.
Practices for Android
- You should exclude the possibility of storing confidential information in external storage (/sdcard, /mnt/sdcard, etc.), since data there can be changed or read by another application or by an external device
- When using the ContentProvider class, an access control mechanism must be implemented
- If data exchange with other applications is not required, then you should declare android:exported="false" in the manifest file
- The exported attribute of the component must be set to false in the manifest file, and access to the component must be restricted
- Checking that the calling application has the required permission should be implemented using the Context.checkCallingPermission() and Context.enforceCallingPermission() methods
- Any URL received via intent outside of the trusted zone must be verified before it is displayed in the WebView
- To prevent the possibility of interception or denial of service, recipients of broadcast intents must be limited, namely:
-- instead of an implicit intent, you should use an explicit one that references a specific component using setComponent(ComponentName) or setClass(Context, Class)
-- limit the broadcast to one application using the Intent.setPackage() method and to a process via Context.sendBroadcast(Intent)
- After debugging, the android:debuggable attribute should be set to false to prevent the user from debugging the application
- Access to the addJavascriptInterface method in the WebView must be prevented, because the content loaded there may be malicious
- The onGeolocationPermissionsShowPrompt() method for geolocation must request permission
- Permissions must be specified in the SDK because output files are created with read permissions by default
- It is necessary to eliminate the use of loopback when processing sensitive data by using the HttpsURLConnection class or the SSLSocket class
- It is recommended to use App Security Practices from the Android Developers documentation
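An added example, not part of the original post: a Python check for a CI pipeline that enforces the manifest-related items from the list above (android:exported, access control on exported components such as a ContentProvider, android:debuggable) on a source AndroidManifest.xml. The function names, the finding texts and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
PERMS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest (not taken from a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:exported="true"/>
    <provider android:name=".FilesProvider" android:exported="true"
              android:readPermission="com.example.demo.READ"/>
    <receiver android:name=".SyncReceiver" android:exported="false"/>
    <service android:name=".UploadService">
      <intent-filter><action android:name="com.example.demo.UPLOAD"/></intent-filter>
    </service>
  </application>
</manifest>"""

def is_launcher(comp):
    """True for the launcher activity, which has to stay exported."""
    cats = comp.findall("intent-filter/category")
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER" for c in cats)

def audit_manifest(xml_text):
    """Return sorted (component, finding) pairs for a source AndroidManifest.xml."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("application", "android:debuggable is true"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(ANDROID + "name", "?")
        exported = comp.get(ANDROID + "exported")
        if exported is None and comp.find("intent-filter") is not None:
            # No explicit value: flag it so that exposure is a deliberate choice.
            findings.append((name, "intent-filter without explicit android:exported"))
        elif exported == "true" and not is_launcher(comp):
            # Simplification: any one permission attribute counts as access control.
            if not any(comp.get(ANDROID + p) for p in PERMS):
                findings.append((name, "exported without a permission"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE_MANIFEST), sep="\n")
```

A pipeline step can fail the build when the returned list is not empty; the check reads the text manifest from the source tree, not the binary XML inside a built APK.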
Overall: if you partially adhere to these methods, then you will be able to reduce a significant number of problems for yourself and your development team, because such a concept sufficiently reduces the level of information security risks for the project/product.
#appsec #devsecops #reco #specialty #pmcases
