Security is extremely important, and many security policies such as CCPA, PIPEDA or GDPR have been enacted to guide applications toward being more secure and protecting user data. In this topic we will explore the components Android provides to protect user data and the basic methods for protecting data on Android devices. This article covers the following methods:
- The permission pop-ups
- Access data from a group of linked applications
- Clear the cache of the application and the browser
- Disable application log printing
- Anti screenshot
- Encrypt personal data
- Protect the source code of the application
- Install biometric protection
The permission pop-ups
Prior to Android 6.0 (Marshmallow), the permissions an application needed for data access, network usage, the camera, recording, sending messages and so on were declared in AndroidManifest.xml and the user was asked once, when installing the application. Since Android 6.0 this mechanism has changed: installing the application is separate from requesting access to external resources. Permissions are now requested while the application is running, at the point where a function needs them, which makes it easy for users to keep track of the permissions they grant and what each one is used for.
For example, if an application needs permission to write information to external storage, it declares the permission below in the AndroidManifest.xml file.

```xml
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
```
When the application reaches a point where it needs to use external storage, we have to check whether we have write permission. If we do, we can proceed; otherwise we must show a pop-up asking the user for consent. If we skip this step and access the storage anyway, our application will immediately crash.
The verification can be done with the source code below:

```kotlin
// WRITE_TO_SDCARD is an app-defined Int request code
if (ActivityCompat.checkSelfPermission(this, Manifest.permission.WRITE_EXTERNAL_STORAGE) != PackageManager.PERMISSION_GRANTED) { //1
    // No permission, request it (WRITE first, so grantResults[0] refers to it)
    ActivityCompat.requestPermissions(this, arrayOf(Manifest.permission.WRITE_EXTERNAL_STORAGE, Manifest.permission.READ_EXTERNAL_STORAGE), WRITE_TO_SDCARD) //2
} else {
    // Permission granted
    // Do 3
}
```
The example has 3 main steps:
- Check whether the permission has been granted.
- If the permission has not been granted, display a pop-up asking the user for it.
- If access has already been granted, perform the desired work.
To get the user's response to the request made in step 2, we override the following function:

```kotlin
override fun onRequestPermissionsResult(requestCode: Int, permissions: Array<String>, grantResults: IntArray) {
    when (requestCode) {
        WRITE_TO_SDCARD -> {
            if ((grantResults.isNotEmpty() && grantResults[0] == PackageManager.PERMISSION_GRANTED)) {
                // Permission was granted
                // Do 3
            }
            return
        }
    }
}
```
Access data from a group of linked applications
Permissions cover most cases of retrieving and receiving data from outside the application. But sometimes we need to transfer data back and forth within a group of applications we have built ourselves.
To do this, many people create files on external storage or open sockets to exchange information between the applications. This is really insecure, because the information can easily be stolen. Instead we can use Intents to send data between applications. Here is an example:

```kotlin
val intent = Intent()
val packageName = "com.example.app" //1
val activityClass = "com.example.app.yourActivity" // 2
intent.component = ComponentName(packageName, activityClass)
intent.putExtra("UserInfo", "Example string") //3
// startActivityForResult needs a request code; REQUEST_USER_INFO is an app-defined Int constant
startActivityForResult(intent, REQUEST_USER_INFO) //4
```
There are 4 pieces of information to confirm:
- The package name of the application the Intent will be sent to
- The class that will receive the Intent
- The data to send
- Sending the Intent and waiting for the response
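The receiving side of the exchange above, as an added example that is not part of the original article: the target Activity checks that the caller is signed with the same key before it reads the `UserInfo` extra. The class name `YourActivity`, the `Status` extra and the length limit are assumptions made for the example.

```kotlin
import android.app.Activity
import android.content.Intent
import android.content.pm.PackageManager
import android.os.Bundle

// Hypothetical receiving Activity, playing the role of the class named by
// activityClass in the sender. It must be exported in its manifest so that
// a sibling application can start it.
class YourActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // callingPackage is only populated when the sender used
        // startActivityForResult(); it is null for a plain startActivity(),
        // which we treat as untrusted.
        val caller = callingPackage
        if (caller == null || !isSignedLikeUs(caller)) {
            setResult(RESULT_CANCELED)
            finish()
            return
        }

        // Treat the extra as untrusted input even from a sibling app:
        // require a string and bound its size.
        val userInfo = intent.getStringExtra("UserInfo")
        if (userInfo == null || userInfo.length > MAX_USER_INFO_LENGTH) {
            setResult(RESULT_CANCELED)
            finish()
            return
        }

        // ... use userInfo here, then answer the sender (its step 4).
        setResult(RESULT_OK, Intent().putExtra("Status", "received"))
        finish()
    }

    // True only when the calling package is signed with the same certificate
    // as this app; unknown packages and mismatches are both rejected.
    private fun isSignedLikeUs(otherPackage: String): Boolean =
        packageManager.checkSignatures(packageName, otherPackage) ==
            PackageManager.SIGNATURE_MATCH

    companion object {
        private const val MAX_USER_INFO_LENGTH = 256 // constructed limit for the example
    }
}
```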
When sending broadcast data to multiple applications, the receiving applications should be required to be signed with the same key as the sender. If we do not do this, any application that listens for the broadcast may receive data from our application. Similarly, a malicious application may send malicious information to our application if it is registered to receive that broadcast.
To prevent this, the system provides the "protectionLevel" attribute, which lets us send data only to applications signed with the same key as ours; external applications cannot receive the broadcast.

```xml
android:protectionLevel="signature"
```
At the same time, we define a permission that only applications built by us can use. This lets our applications read each other's information while preventing unauthorized access from external applications. For example, the following permission:

```xml
<permission android:name="com.canh.muoi.SHARE_DATA" android:protectionLevel="signature" />
```
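One way to use this permission for broadcasts between our own applications (an added example, not code from the original article): the sender restricts who can receive, and the receiver restricts who can send. The action name `com.canh.muoi.action.SHARE` and the function names are hypothetical; `ContextCompat` comes from the AndroidX core library.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat

// Each application in the group declares and requests the permission in its
// AndroidManifest.xml:
//   <permission android:name="com.canh.muoi.SHARE_DATA"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="com.canh.muoi.SHARE_DATA" />

const val SHARE_DATA_PERMISSION = "com.canh.muoi.SHARE_DATA"
const val ACTION_SHARE = "com.canh.muoi.action.SHARE" // hypothetical action name

// Sender side: only receivers that hold SHARE_DATA_PERMISSION get the
// broadcast, so an application signed with another key never sees UserInfo.
fun sendToSiblingApps(context: Context, userInfo: String) {
    val intent = Intent(ACTION_SHARE).putExtra("UserInfo", userInfo)
    context.sendBroadcast(intent, SHARE_DATA_PERMISSION)
}

// Receiver side: only senders that hold SHARE_DATA_PERMISSION are delivered
// to this receiver, so a foreign application cannot inject data.
fun listenForSiblingApps(context: Context, onData: (String) -> Unit): BroadcastReceiver {
    val receiver = object : BroadcastReceiver() {
        override fun onReceive(ctx: Context, intent: Intent) {
            if (intent.action != ACTION_SHARE) return
            intent.getStringExtra("UserInfo")?.let(onData)
        }
    }
    ContextCompat.registerReceiver(
        context,
        receiver,
        IntentFilter(ACTION_SHARE),
        SHARE_DATA_PERMISSION,           // permission the sender must hold
        null,                            // deliver on the main thread
        ContextCompat.RECEIVER_EXPORTED  // other apps may send, gated by the permission
    )
    return receiver // the caller unregisters it with context.unregisterReceiver(receiver)
}
```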
AndroidManifest also provides the attribute "android:exported". When it is set to "false", the component does not receive broadcasts from external applications and only listens to broadcasts from the system or from the application itself. This helps protect the application from attack, because it no longer listens for and receives malicious information from third-party applications.

```xml
<receiver android:exported="false" android:name="com.sample.myapp">
    <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER" />
    </intent-filter>
</receiver>
```
Clear the cache of the application and the browser
There are cases where we need to delete the information and data the application has collected when the user is no longer using it or exits the application. This information includes both data files and caches.
Our application can use the temporary storage directory, and that directory should be cleared when it is no longer in use. We can do this in onPause() or onStop(), depending on how the application we build operates. See the following code in the application's Activity:

```kotlin
override fun onStop() {
    cacheDir.deleteRecursively()
    externalCacheDir?.deleteRecursively()
    super.onStop()
}
```

The function above deletes the application's internal and external cache directories whenever the Activity enters the stopped state.
The application we build can also store data in Shared Preferences. We can remove the files at the path `/data/data/your_package_name/shared_prefs/your_prefs_name.xml` and `your_prefs_name.bak`. We can also clear them from memory with the following code:

```kotlin
context.getSharedPreferences("prefs", Context.MODE_PRIVATE)
    .edit().clear().commit()
```
In addition, when the application uses input components such as EditText, the system opens the keyboard for the user to type. If auto-correct is enabled, the system can collect the user's input to learn from it and suggest related words, which can leak information, sometimes even the user's login account information.
To stop the keyboard from caching input, we need to turn off auto-correct. This is done in the layout file where the EditText is located: look for the declaration of the EditText and set the property as follows:

```xml
android:inputType="textNoSuggestions|textVisiblePassword|textFilter"
```
There is another type of cache to note: Android can cache data sent over the network, either in memory or on device storage. We can block this completely by configuring the connection as follows:

```kotlin
connection.setRequestProperty("Cache-Control", "no-cache")
connection.defaultUseCaches = false
connection.useCaches = false
```
The code above turns off caching when setting up an HttpsURLConnection. This prevents user data from being saved when it is sent over the network.
For WebView usage, we can clear the cache with the following code:

```kotlin
webview.clearCache(true)
```
Also, to really remove the cache we need to check whether the third-party libraries we use store a cache of their own. For example, the Glide library is very popular for loading and displaying images. It lets us choose whether images are cached in memory or on device storage, and we can disable storing on the device with the code below:

```kotlin
Glide.with(context)
    .load(imageURL)
    .diskCacheStrategy(DiskCacheStrategy.NONE)
    // ...
    .into(holder.imageView)
```
Disable application log printing
Most applications use logs to print run-time information. These logs help developers quickly find issues in the application being built and work out an appropriate fix. However, some people forget to turn off or delete these logs when releasing an app, which can leak information about the application, and most likely that information relates to the login status and account of the user. This can cause a lot of damage to the application developer.
To prevent this, Android provides a class called BuildConfig, which contains a variable called DEBUG. It is automatically set to "true" when we build the debug version of the application and to "false" when we build the release version. We can take advantage of this to print logs only in the debug build:

```kotlin
if (BuildConfig.DEBUG) {
    Log.d(TAG, "Your log of your application...")
}
```
With the check above, the release build no longer leaks important information. However, it is a little awkward to use, because we always have to check whether the build is a debug build before printing a log.
To avoid this, we can use an external library for log printing, Timber. Using it is very simple: we only need to check once, in the MainApplication class, whether the build is debug or release in order to activate the library. See the code below:

```kotlin
if (BuildConfig.DEBUG) {
    Timber.plant(Timber.DebugTree())
}
```
To print a log anywhere in the application, we use Timber just like Android's Log class but without a TAG: Timber automatically identifies the calling class and prints its name in the log, so we know where each log line comes from.

```kotlin
Timber.d("Your log in application")
```
That is the end of part 1; see you again in part 2.