DEV Community

Cover image for Android Security Tips
Julio Merlo
Julio Merlo

Posted on

Android Security Tips

Android has the largest global community and gives users more flexibility to install not certificate applications from the official store.

That means you have more vulnerability in your security, to improve your application security. I recommend adding some layers to enhance the safety of the application you will make.

Content

Prevent Screenshot | ScreenRecord

For screenshots or screen record disable, you need to import the WindowManager and add this line to the MainActivity file.

import android.view.WindowManager;
...

getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
Enter fullscreen mode Exit fullscreen mode

Inappropriate Usage Of The Platform

If your app won't be doing more processes or need much RAM, you need to delete these properties from your AndroidManifest.xml you should use it only when you know exactly where all your memory is being allocated and why it must be retained.

<application
...
"android:largeHeap="true"
...
Enter fullscreen mode Exit fullscreen mode

You can read more about this on the official documentation

Exception Domains

Allowing http for some domains but not other domains you must provide Network Security Config File. For these go to the folder where other xml file are ../res/xml and create a file network_security_config.xml

<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- Development Domains -->
        <domain includeSubdomains="true">10.0.1.1</domain>
        <domain includeSubdomains="true">localhost</domain>
        ... 
    </domain-config>
    <domain-config cleartextTrafficPermitted="false">
        <!-- Api Services Domains -->
        <domain includeSubdomains="true">testdomain.com</domain>
        ...
    </domain-config>
</network-security-config>
Enter fullscreen mode Exit fullscreen mode

and then add these property in the AndroidManifest.xml to reference the network config just create above.

...
<application
...
android:networkSecurityConfig="@xml/network_security_config"
....
Enter fullscreen mode Exit fullscreen mode

For more information and configuration documentation

Reverse Engineer

In this case, the Reverse Engineer is used to verify if your code is optimized and compressed, but you can use it for whatever purpose you need, check malicious code, analyze apps or just for fun. If you don't see a compressed code or minied thats mean you need to enable the property in the ..app/build.gradle. Remember that when you enable this approach, you need to add the rules that author of third packages you use, to the proguard-rules.pro and check those rules don't break your app.

Reverse an .apk steps:

  1. Rename your .apk file and add .zip at the end.
  2. Extract the content. When you extract, you will have all the code, classes and many other things.
  3. Download the tool dex2jar and place it in the same folder you extract the apk link
  4. Open a Terminal where your files are located and then run the following command on your terminal

    d2j-dex2jar.bat classes.dex
    
  5. Download the tool Java Decompiler link

  6. Last but not least, open the previous download program Java Decompiler and open the file located in the extracted apk folder classes-dex2jar.jar. If you see your code minified πŸ₯³ you got it!. The obfuscation process was successful πŸ”₯.

Obfuscated vs No Obfuscated

Top comments (0)