The Android operating system and the Android Play Store give developers the opportunity to build a wide range of applications. One of the most striking features of the Android app system is its built-in security model, designed so that a developer can build a working app on the existing platform without having to make difficult security decisions. Some of the data most commonly stored on devices includes:
• Cookies
• Location data
• Device name, network connection name, etc.
• Personal information of the user such as DoB, Credit Card info, address etc.
• Application data:
1. Stored Application Logs
2. Transaction history
3. Information to debug
4. Cached application messages
One of the most striking and common mobile security concerns for Android applications is the possibility that data already saved on the phone can be accessed by other applications. Essentially, there are three ways of saving data on Android: external storage, internal storage and content providers. Testing of Android apps shows that each method of saving data has its own drawbacks.
External storage in Android app testing:
Developers are aware that many Android users store their data on external storage options such as SD cards. External storage can be removed and modified not only by the user but also by any application. Application developers therefore need to decide which storage option to use, and that choice depends largely on how sensitive the data the application collects and stores is. An important mobile phone security tip for users is therefore not to store any sensitive data on such external storage cards.
Another important security tip is to take measures to protect data on such cards, so that malicious applications cannot access it without proper authentication. Android app testing has revealed that one of the most common security problems is a lack of sufficient input validation in applications. The OWASP testing manual checklist treats sufficient input validation as an absolute essential. Although the Android platform has introduced platform-level countermeasures, using native code can still introduce a security risk.
Internal storage in OWASP testing:
Internal storage is simply the device's own internal storage. By default, files created in internal storage are accessible only by the application that created them. The OWASP testing manual's Android data testing fundamentals explain that, because there is no fine-grained control over which applications may access internal data, most cyber security guidance recommends a content provider as the safe option for storing and sharing data.
Content Provider in Android testing:
A content provider allows an application to access data stored by itself or by other applications, and to share its own data with other applications with ease. This storage option provides the safeguards and configurable parameters needed to enforce data security.
When using a content provider, the application can specify either a single permission for reading and writing or distinct permissions for reading and writing. A data storage fundamental is to set a signature-level permission as a safeguard when sharing data between one's own applications.
In addition to the above precautions, to avoid potential SQL injection by attackers it is important to use a parameterised query method such as:
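The following is an added illustration, not code from the original article: a hypothetical read-only Android content provider in Java that shows a string-concatenated query beside its parameterised form, and, in the manifest excerpt, the signature-level permission described above. The table, column, class and permission names are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

// Hypothetical read-only provider over a "notes" table; table, column and permission names are
// assumed. Its AndroidManifest.xml entry (also assumed) requires a signature-level permission,
// so only apps signed with the same key as this one can read through it:
//   <permission android:name="com.example.notes.READ" android:protectionLevel="signature"/>
//   <provider android:name=".NotesProvider" android:authorities="com.example.notes"
//             android:exported="true" android:readPermission="com.example.notes.READ"/>
public class NotesProvider extends ContentProvider {
    static class NotesDbHelper extends SQLiteOpenHelper {
        NotesDbHelper(Context c) { super(c, "notes.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, owner TEXT, body TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) {}
    }
    private NotesDbHelper helper;
    @Override public boolean onCreate() { helper = new NotesDbHelper(getContext()); return true; }
    // UNSAFE: the caller's value is spliced into the SQL text, so a quote character inside it
    // rewrites the WHERE clause and the query can return every owner's notes.
    Cursor notesForOwnerUnsafe(String owner) {
        return helper.getReadableDatabase().rawQuery(
                "SELECT _id, body FROM notes WHERE owner = '" + owner + "'", null);
    }
    // SAFE: "?" is a bind parameter, so SQLite treats the value as data, never as SQL.
    Cursor notesForOwner(String owner) {
        return helper.getReadableDatabase().query("notes", new String[] {"_id", "body"},
                "owner = ?", new String[] {owner}, null, null, null);
    }
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // selectionArgs are bound to the "?" placeholders in selection, so values cannot inject;
        // the selection text is still caller-supplied SQL, so strict mode validates it first.
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes"); qb.setStrict(true);
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }      // read-only
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }    // read-only
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }
}
```

Only `notesForOwner` and `query` bind values as parameters; `notesForOwnerUnsafe` is kept solely to show the pattern that parameterised queries replace.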
In accordance with the OWASP testing manual, a developer must carry out an in-depth analysis of the advantages and drawbacks of each storage method.
Advantages and disadvantages of each in Android app testing:
Conclusion:
The OWASP testing guide seeks to evaluate all storage options when testing data storage in Android applications. In the wake of recent attacks, it is important for application developers to know what information is stored on a user's phone and what permissions are required. With risky permission controls and insufficient server-side controls, there is not only the potential risk of leaking sensitive information such as passwords and social security information, but also of damaging the basic functionality of the operating system.
The risks stem not only from the data storage method an application uses but also from weak server-side controls. Put simply, a risk to your data can arise from installing an application that uses servers without proper security measures in place to prevent unauthorised access to data. It is therefore important to know which applications you have and what permissions they are being granted; more often than not, the data collected is sold to third parties without informed consent.