Data Privacy for Android (Part 1)

Tram Ho

Security is extremely important, and many privacy regulations such as CCPA, PIPEDA and GDPR have been enacted to push applications toward being more secure and protecting user data. In this article we explore the components Android provides to protect user data and the basic methods for data protection on Android devices. The article covers the following methods:

  • The permission pop-ups
  • Access data from a group of linked applications
  • Clear the cache of the application and the browser
  • Disable application log printing
  • Anti screenshot
  • Encrypt personal data
  • Protect the source code of the application
  • Install biometric protection

The permission pop-ups

Prior to Android 6.0 (Marshmallow), the permissions an application needed for data access, network usage, the camera, recording, sending messages and so on were set in AndroidManifest.xml and requested once, when the application was installed. Since Android 6.0 this mechanism has changed: installing the application is separate from requesting access to external resources. Permissions are now requested while the application is running, at the functions that need them, which makes it easy for users to keep track of the permissions they grant the application and what each one is used for.

For example, if an application needs permission to write information to external storage, it will request the permission below in the AndroidManifest.xml file.

When the application reaches a point where it needs external storage, it must check whether it has write permission. If it does, it can proceed; otherwise it must show a pop-up asking the user for consent. If we skip this step and access the storage anyway, the application will crash immediately.

The verification can be done via the source code below

From the example we can see there are 3 main steps:

  1. Check whether the permission has been granted.
  2. If the permission has not been granted, display a pop-up asking the user for it.
  3. If access has already been granted, perform the desired work.

To get the user's response to the access request in step 2, we listen to the following function:
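The three steps and the result callback, as an added example that is not code from the original article. The activity name, request code, file name and toast text are assumptions made for illustration.

```kotlin
// Added example. AndroidManifest.xml must still declare:
//   <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
import android.Manifest
import android.content.pm.PackageManager
import android.os.Environment
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat
import java.io.File

class ExportActivity : AppCompatActivity() {   // hypothetical activity

    fun exportReport() {
        val permission = Manifest.permission.WRITE_EXTERNAL_STORAGE
        // Step 1: is the permission already granted?
        val granted = ContextCompat.checkSelfPermission(this, permission) ==
            PackageManager.PERMISSION_GRANTED
        if (!granted) {
            // Step 2: not granted, so show the system pop-up and wait for the callback.
            ActivityCompat.requestPermissions(this, arrayOf(permission), REQ_WRITE_STORAGE)
            return
        }
        // Step 3: the permission is held, do the work.
        writeReport()
    }

    override fun onRequestPermissionsResult(
        requestCode: Int, permissions: Array<out String>, grantResults: IntArray
    ) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults)
        if (requestCode != REQ_WRITE_STORAGE) return
        // An empty grantResults array means the dialog was cancelled: treat it as denied.
        if (grantResults.firstOrNull() == PackageManager.PERMISSION_GRANTED) {
            writeReport()
        } else {
            Toast.makeText(this, "Storage permission denied", Toast.LENGTH_SHORT).show()
        }
    }

    private fun writeReport() {
        // Constructed sample payload; the file name is hypothetical.
        val dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOCUMENTS)
        dir.mkdirs()
        File(dir, "report.txt").writeText("exported at ${System.currentTimeMillis()}")
    }

    companion object { private const val REQ_WRITE_STORAGE = 42 }
}
```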

Access data from a group of linked applications

Permissions cover most cases of retrieving and receiving data from outside the application. But sometimes we need to transfer data back and forth between a group of applications we have built ourselves.

To do this, many people create files on external storage or open sockets to exchange information between the applications. This is really insecure, because the information can easily be stolen. Instead, we can use Intents to send data between applications. Here is an example:

There are 4 pieces of information to provide:

  1. The package name of the application will send the intent
  2. The class will receive the sent Intent
  3. Data to send
  4. Submit Intent and wait for response results
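An explicit Intent exchange between two applications, as an added example that is not code from the original article. It assumes the Intent names the package and class of the receiving component; every com.example.* name, the request code and the extras are hypothetical.

```kotlin
import android.app.Activity
import android.content.ActivityNotFoundException
import android.content.Intent
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity

class SenderActivity : AppCompatActivity() {   // hypothetical sending activity

    fun sendProfileToCompanion(displayName: String) {
        val intent = Intent().apply {
            // Name the target component explicitly so no other app can resolve the Intent.
            setClassName(COMPANION_PACKAGE, COMPANION_CLASS)
            // The data to send travels as an extra, not through a shared file or socket.
            putExtra(EXTRA_DISPLAY_NAME, displayName)
        }
        try {
            // Send the Intent and wait for the answer in onActivityResult().
            startActivityForResult(intent, REQ_SHARE_PROFILE)
        } catch (e: ActivityNotFoundException) {
            // Companion app is not installed: fail closed, no fallback to external storage.
            Toast.makeText(this, "Companion app not installed", Toast.LENGTH_SHORT).show()
        }
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != REQ_SHARE_PROFILE) return
        // Accept the exchange only on RESULT_OK plus an explicit confirmation extra.
        val accepted = resultCode == Activity.RESULT_OK &&
            data?.getBooleanExtra(EXTRA_ACCEPTED, false) == true
        val message = if (accepted) "Profile shared" else "Share rejected"
        Toast.makeText(this, message, Toast.LENGTH_SHORT).show()
    }

    companion object {
        // All names below are hypothetical.
        private const val COMPANION_PACKAGE = "com.example.companion"
        private const val COMPANION_CLASS = "com.example.companion.ImportActivity"
        private const val EXTRA_DISPLAY_NAME = "com.example.extra.DISPLAY_NAME"
        private const val EXTRA_ACCEPTED = "com.example.extra.ACCEPTED"
        private const val REQ_SHARE_PROFILE = 7
    }
}
```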

Sending broadcast data to multiple applications requires that the applications be signed with the same public key in order to receive the data. If you do not do this, any application that listens for the broadcast may receive data from your application. Similarly, a malicious application may send malicious data to our application if our application is registered to receive that broadcast.

To prevent this, the system provides the "protectionLevel" attribute, which lets us send data only to applications signed with the same key as the one we specified; external applications cannot receive this broadcast.

At the same time, we define a permission that only applications built by us can use. This lets our applications read each other's information while blocking unauthorized access from external applications. For example, the following permission:

AndroidManifest also provides the attribute "android:exported". When it is set to "false", the component does not receive broadcasts from external applications; it only listens to broadcasts from the system or from the application itself. This protects the application from attack, because it never has to listen to and receive malicious information from a third-party application.
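A signature-level permission guarding a broadcast between two of our own applications, as an added example that is not code from the original article. The manifest entries are shown as comments; every com.example.* name is hypothetical.

```kotlin
// Added example; every com.example.* name is hypothetical.
// Manifest of BOTH apps (granted only to apps signed with the same key):
//   <permission android:name="com.example.permission.PRIVATE_SYNC"
//       android:protectionLevel="signature" />
//   <uses-permission android:name="com.example.permission.PRIVATE_SYNC" />
// Manifest of the receiving app (senders must hold the permission):
//   <receiver android:name=".SyncReceiver" android:exported="true"
//       android:permission="com.example.permission.PRIVATE_SYNC">
//     <intent-filter><action android:name="com.example.action.SYNC" /></intent-filter>
//   </receiver>
// A receiver that only serves its own app would set android:exported="false" instead.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent

const val PRIVATE_SYNC = "com.example.permission.PRIVATE_SYNC"
const val ACTION_SYNC = "com.example.action.SYNC"
const val EXTRA_ITEM_COUNT = "com.example.extra.ITEM_COUNT"

// Sender side: runs in the first application.
fun sendSyncBroadcast(context: Context, itemCount: Int) {
    val intent = Intent(ACTION_SYNC)
        .setPackage("com.example.receiver")   // deliver to our sibling app only
        .putExtra(EXTRA_ITEM_COUNT, itemCount)
    // Second argument: only receivers whose app holds PRIVATE_SYNC get the broadcast.
    context.sendBroadcast(intent, PRIVATE_SYNC)
}

// Receiver side: runs in the second application.
class SyncReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != ACTION_SYNC) return
        // Validate the extra even though the sender is signature-checked.
        val count = intent.getIntExtra(EXTRA_ITEM_COUNT, -1)
        if (count < 0) return
        lastItemCount = count
    }

    companion object {
        @Volatile var lastItemCount: Int = 0   // last validated value, read by the app
    }
}
```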

Clear the cache of the application and the browser

There are cases where we need to delete the information and data the application has collected from system memory when the user is no longer using it or exits the application. This information includes both data files and caches.

Our application can use the temporary storage directory, and its contents should be deleted when they are no longer in use. We can do this in onPause() or onStop(), depending on how the application we are building works. See the following code in the program's Activity:

The purpose of the above function is to tell the OS to clear the whole cache when the application's Activity enters the Stop state.

The application we build can also store data in Shared Preferences. We can remove the files at the path "/data/data/your_package_name/shared_prefs/your_prefs_name.xml" and "your_prefs_name.bak", and also delete them from temporary memory with the following code:

In addition, when the application uses input components such as EditText, the system opens the keyboard for the user to type. If auto-correct is set to true, the system can collect the user's input to learn from it and suggest related words, which leads to information leaks, sometimes including the user's login account information.

To stop the keyboard from caching input, we need to turn off auto-correct. This is done in the application's layout file where the EditText is declared: look for the EditText declaration and set its properties as follows:
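The cache directory cleanup, the Shared Preferences removal and the EditText setting from the passages above, as one added example that is not code from the original article. It sets the input type from code rather than in the layout file (the layout equivalent is android:inputType="textNoSuggestions"); the package, layout, view id and preferences name are hypothetical.

```kotlin
package com.example.app   // hypothetical package

import android.content.Context
import android.os.Build
import android.os.Bundle
import android.text.InputType
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

class SessionActivity : AppCompatActivity() {   // hypothetical activity

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_session)   // hypothetical layout
        // Ask the keyboard not to offer dictionary-based suggestions for this field.
        findViewById<EditText>(R.id.account_input).inputType =
            InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS
    }

    override fun onStop() {
        super.onStop()
        // Temporary files: empty the internal and, if present, the external cache directory.
        cacheDir.listFiles()?.forEach { it.deleteRecursively() }
        externalCacheDir?.listFiles()?.forEach { it.deleteRecursively() }

        // Shared Preferences: clear the in-memory values and write the change synchronously.
        getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).edit().clear().commit()
        // Remove the backing file in shared_prefs/ as well (available from API 24).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            deleteSharedPreferences(PREFS_NAME)
        }
    }

    companion object { private const val PREFS_NAME = "session_prefs" }   // hypothetical
}
```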

There is another type of cache we need to note: Android stores a cache of the data sent over the network, either in memory or on device storage. We can block this completely by configuring the connection as follows:

The above code turns off the cache feature when setting up an HttpsURLConnection. This helps prevent user data from being stored when it is sent over the network.

For WebView usage, we can eliminate caching with the following code:

Also, to really remove the cache, we need to check whether the third-party libraries we use store a cache of their own. For example, the Glide library is very popular for loading and displaying images. It lets us choose whether images are cached in memory or on device storage, and we can disable storing on the device with the code below:
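The three network-side cache settings described above (HttpsURLConnection, WebView and Glide), as one added example that is not code from the original article. The function names are hypothetical.

```kotlin
import android.content.Context
import android.webkit.WebSettings
import android.webkit.WebView
import android.widget.ImageView
import com.bumptech.glide.Glide
import com.bumptech.glide.load.engine.DiskCacheStrategy
import java.net.URL
import javax.net.ssl.HttpsURLConnection

// HttpsURLConnection: bypass the response cache for this request.
// Call from a background thread; network I/O is not allowed on the main thread.
fun fetchWithoutCache(url: String): String {
    val connection = URL(url).openConnection() as HttpsURLConnection
    connection.useCaches = false
    return try {
        connection.inputStream.bufferedReader().use { it.readText() }
    } finally {
        connection.disconnect()
    }
}

// WebView: load every page from the network and drop what is already cached.
fun disableWebViewCache(webView: WebView) {
    webView.settings.cacheMode = WebSettings.LOAD_NO_CACHE
    // true = also delete the cache files on disk, not only the in-memory cache.
    webView.clearCache(true)
}

// Glide: keep the image out of the on-device disk cache.
fun loadImageWithoutDiskCache(context: Context, url: String, target: ImageView) {
    Glide.with(context)
        .load(url)
        .diskCacheStrategy(DiskCacheStrategy.NONE)
        .into(target)
}
```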

Disable application log printing

Most applications use logs to print run-time information. Logs help developers quickly find the issues occurring in the application being built and work out an appropriate fix. However, some people forget to turn off or delete these logs when releasing an app, which can leak information about the application, most likely information related to the user's login status and account. This can cause a lot of damage to the application developer.

To prevent this, Android provides a class called BuildConfig that contains a variable called DEBUG. It is automatically set to "true" when we build the debug version of the application and to "false" when we build the release version. We can take advantage of this to print logs only in the debug build.

The above setting keeps the release build from leaking important information. However, it is a little awkward to use, because we always have to check whether the application is a debug build before printing a log.

To avoid this, we can use an external library for log printing, Timber. Using this library is very simple: we only need to determine once, in the application's MainApplication, whether the build is debug or release in order to activate the library. See the code below:

When we want to print a log anywhere in the application, we use Timber the same way as Android's Log class, but without a TAG. Timber automatically identifies the calling class and prints that class's name in the log, so we know where each log line comes from.
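Both approaches described above, the manual BuildConfig.DEBUG guard and the one-time Timber setup, as an added example that is not code from the original article. The package name, the LoginRepository class and the log messages are hypothetical.

```kotlin
package com.example.app   // hypothetical; BuildConfig is generated in the app's own package

import android.app.Application
import android.util.Log
import timber.log.Timber

// Register in the manifest with <application android:name=".MainApplication" ...>.
class MainApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        // Decide once: release builds plant no tree, so Timber calls print nothing there.
        if (BuildConfig.DEBUG) {
            Timber.plant(Timber.DebugTree())
        }
    }
}

class LoginRepository {   // hypothetical caller

    fun onLoginResult(userId: String, success: Boolean) {
        // Approach 1: android.util.Log needs the guard repeated at every call site.
        if (BuildConfig.DEBUG) {
            Log.d(TAG, "login result for $userId: $success")
        }
        // Approach 2: Timber needs no guard and no TAG; DebugTree derives the tag
        // from the calling class.
        Timber.d("login result for %s: %s", userId, success)
    }

    private companion object { const val TAG = "LoginRepository" }
}
```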

That is the end of Part 1; see you again in Part 2.

Source: Viblo