Some ways to increase security for an Android App
1. Using Proguard
ProGuard is a tool built into Android Studio. It shrinks your application's code (a smaller APK is easier to distribute), obfuscates it (renaming classes, functions and variables so that decompiled output is hard to read) and optimizes it so that the application runs faster. It is recommended to use ProGuard in both development (debug, staging) and release environments: if you enable it only for the release build and ignore it while running in the development environment, the app can crash unexpectedly on release.
To configure it, add the following to the module's build.gradle file (shown in Kotlin DSL syntax):
```kotlin
android {
    buildTypes {
        // Build types for which ProGuard is configured
        getByName("release") {
            // Enable code shrinking, obfuscation and optimization
            isMinifyEnabled = true
            // Enable resource shrinking, performed by the Android Gradle plugin
            isShrinkResources = true
            // Include the default ProGuard rules file bundled with the Android Gradle plugin
            proguardFiles(getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro")
        }
    }
    ...
}
```
In the configuration above, the file proguard-rules.pro is an additional configuration file that controls how ProGuard behaves.
When ProGuard obfuscates the code it renames classes; classes referenced by third-party libraries are renamed as well, which can lead to errors and crashes. If you do not want a certain class to be obfuscated, use a keep rule. For example, in proguard-rules.pro we add:
```
-keep class com.myapp.entity.** { *; }
```
With the rule above, all classes and their members under the package com.myapp.entity (including its subpackages) are kept unchanged.
2. Block rooted devices
Rooting a device gives us full control over it and lets us install whatever we want, but it can also affect the security of your information: the App can be tampered with and information stolen. So, if necessary, we should block rooted devices from using the App.
There are many ways to check whether a device is rooted, but the fastest and reasonably accurate way is to use the RootBeer library (https://github.com/scottyab/rootbeer) to detect it. If we want, we can also write our own checks to tune the detection.
Usage is also very simple as follows:
```java
RootBeer rootBeer = new RootBeer(context);
if (rootBeer.isRooted()) {
    // we found indication of root
} else {
    // we didn't find indication of root
}
```
3. Block taking screenshots when using App
To reduce the risk of screenshots being captured while using the app, edited (photoshopped) and then used for malicious purposes such as fraud, we should prevent users from taking screenshots on certain screens that need protection, such as the password screen, or even across the whole App.
To do this, set FLAG_SECURE on the window:
```kotlin
window.setFlags(
    WindowManager.LayoutParams.FLAG_SECURE,
    WindowManager.LayoutParams.FLAG_SECURE
)
```
Reference: https://developer.android.com/reference/android/view/WindowManager.LayoutParams
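Setting the flag per screen is easy to forget. The following is an added example (not code from the original post) that applies FLAG_SECURE from one place to every Activity that opts in through a marker interface, or to the whole App; the names SecureScreen, SecureScreenCallbacks, MyApplication and LoginActivity are assumptions.

```kotlin
// Added example, not from the original post. Names are assumptions.
import android.app.Activity
import android.app.Application
import android.os.Bundle
import android.view.WindowManager

// Marker interface: an Activity implements this when its content must not be captured
// (password entry, payment details, ...). Leave it off screens that may be captured.
interface SecureScreen

// Registered once in the Application; runs for every Activity's onCreate
class SecureScreenCallbacks(private val secureAll: Boolean) : Application.ActivityLifecycleCallbacks {

    override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {
        if (secureAll || activity is SecureScreen) {
            val flag = WindowManager.LayoutParams.FLAG_SECURE
            // Blocks screenshots and screen recording, and also keeps the window off
            // non-secure displays such as screen casting
            activity.window.setFlags(flag, flag)
        }
    }

    // Remaining callbacks are required by the interface but not needed here
    override fun onActivityStarted(activity: Activity) {}
    override fun onActivityResumed(activity: Activity) {}
    override fun onActivityPaused(activity: Activity) {}
    override fun onActivityStopped(activity: Activity) {}
    override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
    override fun onActivityDestroyed(activity: Activity) {}
}

class MyApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        // secureAll = false protects only SecureScreen activities; true protects the whole App
        registerActivityLifecycleCallbacks(SecureScreenCallbacks(secureAll = false))
    }
}

// A screen that opts in: no per-Activity setFlags() call is needed
class LoginActivity : Activity(), SecureScreen
```

MyApplication must be declared as the android:name of the application element in AndroidManifest.xml for the callbacks to be registered.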
Conclusion
Above are some ways to increase security when developing an App on Android. You can also apply these methods with different libraries and functions to suit each framework (if any). Thank you for reading.