Security

1. Secure Data Storage

Q: Where should sensitive data be stored on Android?

Data Type Storage Notes
Encryption keys Android Keystore Hardware-backed on supported devices
User credentials EncryptedSharedPreferences Keys in Keystore
Auth tokens EncryptedSharedPreferences or DataStore Never plain SharedPreferences
Sensitive files Encrypted files with Keystore-derived keys
Database SQLCipher or Room with encryption

Q: What is Android Keystore?

A system-level secure container for cryptographic keys. Keys can be:

  • Hardware-backed (TEE/Secure Element) on supported devices
  • Bound to user authentication (biometric/PIN required)
  • Non-exportable (key material never leaves secure hardware)

Q: How does EncryptedSharedPreferences work?

Uses two keys from Keystore:

  1. Key encryption key (KEK) encrypts data keys
  2. Data encryption keys encrypt actual values

Both key names and values are encrypted at rest.

2. Network Security

Q: What is SSL/TLS pinning and why use it?

Pinning validates the server's certificate against a known value, not just the certificate chain. Protects against:

  • Compromised Certificate Authorities
  • Man-in-the-middle attacks with rogue certs
  • Malicious proxies with user-installed certs

Q: How do you implement certificate pinning?

OkHttp CertificatePinner:

val pinner = CertificatePinner.Builder()
    .add("api.example.com", "sha256/AAAAAAA...")
    .add("api.example.com", "sha256/BBBBBBB...") // Backup pin
    .build()

Network Security Config (preferred):

<domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-digest algorithm="SHA-256">base64hash=</pin-digest>
</domain-config>

Q: What's the risk of certificate pinning?

If pins expire or rotate without app update, the app breaks. Mitigations:

  • Always include backup pins
  • Use Network Security Config (updatable)
  • Plan for emergency pin rotation
  • Monitor certificate expiration

3. Authentication & Authorization

Q: How should auth tokens be handled?

  • Store in EncryptedSharedPreferences
  • Never log tokens
  • Use short-lived access tokens + refresh tokens
  • Clear tokens on logout
  • Handle token expiration gracefully

Q: How do you implement secure biometric authentication?

Use BiometricPrompt with:

  • setAllowedAuthenticators() to specify biometric class
  • CryptoObject to tie authentication to cryptographic operation
  • Keystore key that requires user authentication

Key is unusable until biometric succeeds—actual security, not just UI.

Q: What authentication classes exist?

Class Security Level Examples
Class 3 (Strong) Highest Fingerprint, face with depth sensing
Class 2 (Weak) Medium Some face recognition
Class 1 Lowest Pattern, PIN (not biometric)

For sensitive operations, require Class 3.

4. App Security

Q: How do you protect against reverse engineering?

Technique Purpose
ProGuard/R8 Code shrinking, obfuscation
String encryption Hide hardcoded secrets
Anti-tampering Detect modified APK
Root detection Detect compromised device
Emulator detection Detect analysis environment

Q: What shouldn't be in the APK?

  • API keys with billing access
  • Private encryption keys
  • Hardcoded passwords
  • Production database credentials

These can be extracted. Use server-side validation for sensitive operations.

Q: How do you handle API keys?

  • Store in local.properties (gitignored)
  • Inject via BuildConfig at build time
  • For sensitive keys, proxy through your backend
  • Use Play App Signing for signing keys

5. Input Validation

Q: What input validation is necessary?

  • Validate all user input on client AND server
  • Sanitize content for WebView (JavaScriptEnabled carefully)
  • Validate deep links and intent data
  • Escape SQL if not using Room (Room parameterizes)
  • Validate file paths to prevent path traversal

Q: What is a SQL injection and how does Room prevent it?

Malicious SQL in user input can modify queries. Room prevents by:

  • Parameterized queries (values can't become SQL)
  • Compile-time SQL verification
  • Type-safe query parameters

Q: What about WebView security?

  • Disable JavaScript unless necessary
  • Use WebViewAssetLoader for local content
  • Don't enable setAllowFileAccessFromFileURLs
  • Validate URLs before loading
  • Handle shouldOverrideUrlLoading carefully

6. Inter-Process Communication

Q: How do you secure exported components?

Component Protection
Activity android:exported="false" or permission
Service Use bound service with permission
BroadcastReceiver Custom permission, signature level
ContentProvider Read/write permissions, path permissions

Q: What are signature-level permissions?

Only apps signed with the same key can obtain the permission. Use for communication between your own apps.

Q: How do you validate incoming Intents?

  • Check callingPackage if applicable
  • Validate all extras (don't trust input)
  • Use PendingIntent.FLAG_IMMUTABLE when possible
  • Don't pass sensitive data in Intent extras

7. Runtime Security

Q: What is SafetyNet/Play Integrity?

Server-side API to verify:

  • Device is genuine (not rooted/emulated)
  • App is legitimate (from Play Store)
  • Device passes security checks

Use for sensitive operations; response should be verified server-side.

Q: How do you detect rooted devices?

Check for:

  • su binary existence
  • Root management apps
  • System property modifications
  • Dangerous permissions granted

Note: Determined attackers can bypass; use as defense in depth, not sole protection.

8. Common Vulnerabilities

Q: What are OWASP Mobile Top 10 concerns for Android?

Risk Mitigation
Insecure Data Storage Encrypted storage, avoid logs
Insecure Communication TLS everywhere, pinning
Insecure Authentication Strong auth, biometrics
Insufficient Cryptography Use Android Keystore, standard algorithms
Insecure Authorization Server-side validation
Client Code Quality Code review, static analysis
Code Tampering ProGuard, integrity checks
Reverse Engineering Obfuscation, server-side logic
Extraneous Functionality Remove debug code in release
Insufficient Binary Protection Native code obfuscation

Quick Reference

Topic Key Points
Data Storage Keystore for keys; EncryptedSharedPreferences for secrets; never plain text
Network HTTPS only; certificate pinning with backups; validate server responses
Auth Short-lived tokens; secure storage; biometric with CryptoObject
APK Protection R8 obfuscation; no secrets in code; server-side sensitive logic
Input Validation Client and server validation; Room for SQL safety; careful WebView
IPC Minimal exported components; signature permissions; validate intents
Runtime Play Integrity for verification; defense in depth against rooting

results matching ""

    No results matching ""