Use Encrypted HTTP for Sensitive Data
Use HTTPS, which is encrypted, rather than HTTP for all communication when sending or receiving private or secure data to/from a server. However, these days it’s questionable whether HTTPS is good...
Keep Sensitive Information in RAM for a Short Time
For apps that need to be ultra-secure, keep sensitive information in RAM for the minimum time possible by setting it to null after use. This minimises the time over which any malware, memory dump via...
Take Care With Encryption
Encryption is complex and difficult to do correctly. A study by Carnegie Mellon and the University of California showed that 88% of Google Play applications using encryption made at least one...
Use KeyGenerator with 256-bit AES to Create a Random Key
As mentioned by Google, don’t use SecureRandom on its own to create a random key, as the default implementation changed in Android 4.2, preventing it from being used to deterministically generate keys. Instead...
Store Your Secret Keys In a Safe Place
It’s a very common error to store keys in code. Columbia University found thousands of secret keys when they analysed apps on the Play store. You shouldn’t think of encryption as hiding secret...
Encrypt Your Sensitive Data
Sensitive data should be encrypted even if it’s stored in internal storage protected by the Android sandbox. Internal storage can be accessed, for example, if the device has become rooted and there...
Only Store Non-Sensitive Data or Encrypted Data in External Storage
Data should only be stored in external storage if you are happy for it to be openly viewed by device users and other applications. Don’t become a victim like WhatsApp. Only store sensitive data in external...
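The following Java example is added here to tie together the tips on keeping secrets in RAM briefly, generating a 256-bit AES key with KeyGenerator, encrypting sensitive data before it is written to internal or external storage, and wiping plaintext buffers after use. It is not code from any of the linked articles. It assumes a platform that provides AES/GCM and GCMParameterSpec (Android 4.4+ or Java 7+); the class name, the IV/tag sizes and the sample secret are illustrative choices. Note that setting a Java String to null only drops the reference and leaves the characters in the heap until the garbage collector reclaims them, so the secret is held in a byte[] that can actually be overwritten.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper class (not from the articles): AES-256-GCM for data at rest.
public final class SensitiveDataVault {
    private static final int KEY_BITS = 256;   // AES-256
    private static final int IV_BYTES = 12;    // 96-bit GCM nonce, the recommended size
    private static final int TAG_BITS = 128;   // full-length authentication tag

    // Generate a random AES-256 key with KeyGenerator. The provider draws its own
    // entropy; do not seed SecureRandom with a passphrase and read bytes out of it.
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS, new SecureRandom());
        return kg.generateKey();
    }

    // Encrypt-then-authenticate. Output layout: IV || ciphertext || GCM tag.
    // A fresh random IV per message is mandatory for GCM; never reuse one with the same key.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);             // ciphertext with tag appended
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Decrypt and verify. Any modification of IV, ciphertext or tag makes doFinal throw
    // AEADBadTagException (a GeneralSecurityException), so a tampered file is never trusted.
    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to contain IV and tag");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = generateKey();   // in a real app, keep this in the Android Keystore, not in code

        // Constructed sample secret, held in a byte[] so it can be wiped.
        byte[] secret = "sample PIN 1234 (constructed)".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, secret);
        Arrays.fill(secret, (byte) 0);   // wipe plaintext as soon as it has been used
        // 'blob' is what may be written to internal storage or to the SD card.

        byte[] back = decrypt(key, blob);
        System.out.println("decrypted: " + new String(back, StandardCharsets.UTF_8));
        Arrays.fill(back, (byte) 0);     // wipe again once consumed

        // Tampering check: flip one byte of the stored blob and confirm decryption fails.
        blob[blob.length - 1] ^= 0x01;
        try {
            decrypt(key, blob);
            System.out.println("tampering NOT detected (should not happen)");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with `javac SensitiveDataVault.java && java SensitiveDataVault`. On Android the same JCE calls apply; the one thing this stand-alone version cannot show is key storage, which on a device belongs in the Android Keystore rather than a field in the APK, as the "Store Your Secret Keys In a Safe Place" entry above warns.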