Android Development


What is Android Security?

Android security refers to the protection of data and system resources on Android devices. It covers data stored locally on the device, data transmitted over networks, and data stored externally on servers or other devices. The security model includes system-level protections as well as application-level controls to safeguard sensitive information and operations.

Default Android Security Mechanisms

  • Application Sandbox: Each app runs in its own isolated environment.
  • Permission System: Access to sensitive components (camera, location, etc.) is restricted using runtime or manifest permissions.
  • Secure Boot and Verified Boot: Ensure that only verified system images are loaded during boot.
  • File System Encryption: Data at rest is encrypted using File-Based Encryption (FBE).
  • Play Protect: Scans apps for malware and protects against harmful software.

Managing Security for Data Stored on Device

Internal Storage is private to the app and is inaccessible to other apps or users.

External Storage requires permissions and should not be used for sensitive data unless encrypted.

Common Encryption Techniques for On-Device Storage

  • AES (Advanced Encryption Standard): Widely used symmetric encryption method for encrypting files or strings.
  • EncryptedSharedPreferences: Used for securely storing key-value pairs.
  • EncryptedFile: API for reading and writing encrypted files.

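// Using EncryptedSharedPreferences (Jetpack Security, androidx.security:security-crypto)
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// `context` is an android.content.Context, e.g. the application context.
// The master key is created in (or loaded from) the Android Keystore.
val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .build()

// Preference keys are encrypted with AES256_SIV, values with AES256_GCM.
val sharedPreferences = EncryptedSharedPreferences.create(
    context,
    "secure_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

// Pass the plaintext value here; the library encrypts it before writing to disk.
sharedPreferences.edit().putString("token", "encrypted_value").apply()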

Best Practices for On-Device Security

  • Use encrypted storage for all sensitive information.
  • Avoid storing passwords; use tokens with limited lifespan.
  • Use biometric or device credentials for access to critical actions.
  • Use internal storage for sensitive data; avoid public directories.

Managing Security for Data in Transit

Data transmitted over the network should be encrypted using strong protocols. This includes API communication, socket connections, and data exchanged via Bluetooth or Wi-Fi.

Best Practices for Data in Transit

  • Use HTTPS (TLS) for all network requests.
  • Verify server certificates to prevent man-in-the-middle attacks.
  • Apply network security configuration to restrict cleartext traffic.
  • Encrypt payloads before transmission if data sensitivity is high.

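<?xml version="1.0" encoding="utf-8"?>
<!-- Sample network security config (res/xml/network_security_config.xml).
     Takes effect only when referenced from the <application> element in AndroidManifest.xml:
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Block all cleartext (non-TLS) traffic and trust only the system CA store -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>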

Managing Security for Data Stored Outside the Device

When data is stored on remote servers or external devices, the responsibility for encryption and access control extends beyond the device. Authentication, authorization, and secure transmission are critical.

Best Practices for External Data Storage

  • Encrypt data before uploading to external storage.
  • Use strong authentication such as OAuth2 or token-based systems.
  • Implement access control policies based on roles or user scopes.
  • Store data only in secure environments with physical and logical protections.
  • Use backups with encryption to protect against data loss or tampering.