Essentially, when a developer writes code it is the everyday equivalent of writing a letter to the internet; more often than not, that letter has the ability to unlock sensitive consumer information that can be exploited if it falls into the wrong hands. It is therefore important to have a checklist such as the OWASP mobile security checklist to refer to. According to the OWASP guide, it is important to encode or encrypt data in such a way that it can only be read or decrypted with a key.
Realistically, when we look at cryptography in Android apps, we see that encryption is used not only for data saved by applications on a device but also for secure communication between application and server. The OWASP Android cryptography testing manual states that, in addition to providing a secure mode of communication and data isolation, Android supports full file system encryption, and it also provides a wide range of cryptographic algorithms for securing data. Cryptographic techniques for Android include, where applicable, the Google-provided providers, which require little to no knowledge of cryptography. Applications may also use random numbers generated by SecureRandom to initialise a KeyGenerator. Failure to use a secure random number generator leaves an application open to offline attacks.
The fact of the matter is that an enjoyable Android mobile application experience depends on the application storing data on the device. A gaming application lets the player pick up from where they left the game; this is achieved by storing data locally. More importantly, a mobile banking application stores data for auto-fill so as to save the user the hassle of typing in their details again and again. When such sensitive data is stored on the phone, it is essential that applications ensure this data is properly encrypted so as to avoid malicious attacks. Not only should data be encrypted on the device itself in accordance with OWASP testing guidelines, but it is a vital OWASP cyber security tip to ensure that the exchange of data between the application and the remote server is encrypted using public key infrastructure.
Need for cryptography in Android applications
In the wake of an increase in malicious attacks that use loopholes in application code to steal sensitive data, encryption is essential. Having a thorough and competitive testing guide is essential; most importantly, cryptography in an Android application makes it difficult for lurkers to read the data the application stores on the device. Additionally, it adds another layer of security to sensitive information exchanged between the application and remote servers. Common Man-in-the-Middle (MITM) attacks can be prevented when SSL/TLS protocols are followed properly. Proper validation of the server certificate can dramatically decrease the risk of data theft.
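Server certificate validation as described above, as an added example that is not code from the page or from OWASP: the connection keeps the platform's default chain and hostname validation (no custom TrustManager) and additionally pins the server's public key. The class name `PinnedHttps` and the pin value are assumptions; the pin is a placeholder to be replaced with the hash of your own server's key.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;

public class PinnedHttps {
    // Base64 SHA-256 of the expected SubjectPublicKeyInfo. PLACEHOLDER: take the real
    // value from your own server's certificate; a wrong pin makes every connection fail.
    private static final String EXPECTED_SPKI_SHA256 = "PLACEHOLDER_BASE64_SPKI_HASH=";

    // Hash of the DER-encoded SubjectPublicKeyInfo, the same value an Android
    // network-security-config <pin-set> uses.
    static String spkiSha256(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    // Opens the connection with platform validation (chain + hostname) and then
    // additionally requires one certificate in the presented chain to match the pin.
    public static HttpsURLConnection openPinned(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Deliberately no custom TrustManager or HostnameVerifier: an "accept everything"
        // TrustManager is the defect that lets a forged certificate through.
        conn.connect();                                   // TLS handshake happens here
        boolean pinned = false;
        for (Certificate cert : conn.getServerCertificates()) {
            if (EXPECTED_SPKI_SHA256.equals(spkiSha256(cert))) { pinned = true; break; }
        }
        if (!pinned) {
            conn.disconnect();
            throw new SecurityException("no certificate in the chain matches the pinned key");
        }
        return conn;   // caller reads conn.getInputStream() as usual
    }
}
```

On Android 7.0 and later the same pin is better declared in the app's network security configuration, which applies it to every connection without any code.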
Security threats and exploitation
The threat, simply put, is that the server the Android application is using must have the appropriate security measures in place. Thorough research shows that the most relevant threats include:
• Lack of additional encryption when transmitting data from device to server
• Client-side injection: the code for the application is stored on the user's device, making it vulnerable to SQL injection attacks simply by changing the code
• Lack of proper authorization
• Lack of proper session handling: ideally, when the user is deemed inactive, the server should time out the session and request login details again
• Encryption systems are constantly evolving through trial and error of decryption and the discovery of vulnerabilities. It is important to ensure that the cryptography the Android application employs is intact and has not yet been broken.
Attackers can use several methods to break the cryptography employed. Some of the ways an attacker can exploit or break encryption are:
1. SSL vulnerabilities
2. Exploiting transmitted data using MITM
3. Rooting the device: if an attacker successfully manages to root the device, they realistically have complete control over the device and all the data it stores
4. Exploiting data stored externally by an application. It is widely known that externally stored data can be read by anyone; if an attacker gets hold of such data, they can exploit it to gain greater control
Android application cryptography analysis:
Deeper security analysis, carried out by testing Android applications and their cryptography on applications in the Play Store, has revealed that many of the most popular applications have poor encryption in place. An OWASP review of some of the most popular free applications on the Play Store, most with over a million downloads, found them susceptible to both SSL and MITM attacks. Some users testing for vulnerabilities were not only able to decrypt data due to weak encryption but also to modify it and gain access to information on a device.
Most applications do not use verified and officially certified servers, which makes it easier for attackers to attempt server-side attacks, that is, intercepting the transmission of data between application and server.
Conclusions
Whilst the OWASP security testing guide's Android cryptography manual provides the framework to ensure the security of stored data, applications sometimes use weak encryption methods that put user privacy in danger. It is therefore important that developers seeking to publish applications on the Android Play Store use competitive security testing methods and guides such as the OWASP testing guide in order to resolve relevant loopholes in their applications.