We are living in a different world now compared to 10 years ago. Before, the most important thing for a developer to reach is a working-state for his/her application. The program needs to run without crashing, regardless of what video card, amount of memory, processor clock speed and the storage used in the computer where it is installed. But “working” and “not crashing” is no longer the primary consideration when developing an app today, the basic considerations are “security” and “privacy”. Since the full implementation of the European Union’s GDPR (General Data Protection Regulation), developers’ products need to be compliant with it, including respectful handling of user’s private data. Security and privacy over functionality are the current rules when it comes to the development of apps, regardless if it is for the desktop computer or a mobile device.
Of course, security and privacy can only be assured if the device underwent extensive penetration testing. This usually happens in a corporate setting, IT policy prevents people with unaudited devices from connecting to the corporate Wi-Fi network, while at the same time allows an acceptable level of BYOD for those that choose to undergo and pass auditing procedures. Bringing personal devices to the corporate Wi-Fi network became very common, besides when mobile, users are more comfortable using their personal device than a company-issued one. That level of difference means two things, that unless a pre-audit is done, personal devices may bring problems to the internal network. Secondly, allowing an acceptable level of BYOD cuts costs for the company, as firm-issued devices can be canceled in favor of the personal devices that employees already use on a regular basis.
Penetration testing against Android devices is not yet a mainstream service, in stark contrast with Windows Penetration testing that already reached maturing at the very least since 5-years ago. The app developers are hard pressed to work around any disk space limitations while also providing the environment to be shaped by his/her thoughts as much as possible. Most common routines and unused sprites are used with hesitation. Android is a Linux kernel-based operating system, hence it comes with the territory that extensive logging mechanism is in-place since the day 1 operation of the app. Below are our most recommended checklist in keeping app development in-check in Android:
Clean Account Log-out procedure
Apps may use proprietary login accounts or use a “Login with Facebook” or “Login with Google” option. This is entirely the decision of the developer, creating a login credential system on the app and in the backend requires reinventing of the wheel. From a security standpoint, it is very error prone, while also may introduce vulnerabilities as the developer tries to create a custom system for logging-in. The convenient feature is to just implement the login procedure using the Facebook or Google system. The two companies use tried and tested methodology for user authentication, and both companies are very mature when it comes to their login systems. If there is a security issue later on the responsibility falls to either Facebook or Google and not to the app’s author.
Logs and cache verifier
Android as a Linux Kernel-based operating system inherits the latter’s logging capability. This includes how to prioritize threads, cache policies and writing specific log at a specific area of the storage medium where Android is stored. These logs, more particularly logcat contains important information on how an app operates on top of the Android operating system. That is why when you report a bug for an Android app, the developer usually requests for logcat. It can be extracted by downloading an app in the Google Play Store which can extract the logcat to the user’s device in a text file.
Sandboxing of apps
New Android versions include SELinux feature by default. This helps isolate and sandbox an app from another app. Advanced users who choose to root their devices may decide to disable SELinux in exchange of having more options to customize their custom Android ROM. Apps in Android that are not rooted are sandbox from one another, but enough communication paths are still open for apps to interact with one another still. This is a huge contrast compared to iOS where apps are literally and figuratively isolated from one another.
Penetration testing will be successful against an Android device if the permissions set is in a lenient status. Android starting with version 6.0 Marshmallow and newer exposes an extensive granular user-configurable permissions system, this feature used to be available only in rooted device with previous versions of Android.
Google Play Protect watches over an Android device, automatically scans all installed apps pre and post-installation time. With Google Play Protect, Google is able to update its malware detection list with a newer version on the fly without bothering the user.