Android Web service Security

Presentation by

Mr.Joseph Alexander OrisysIndia Consultancy Services

Web service security

• We can ensure security in two ways• Using SSL• Using a key

SSL Security

• SSL using Private/Public key encryption for security• Handle all sensitive data using SSL• Verify the SSL certificate in android device also• Handle SSL Exception

Using a key

Contd.

• Here we use sha1 algorithm• When install the app, a call to server with IMEI number• Server responds with a key• In server and mobile IMEI number concatenated with the key from server• Use sha1 encryption on both sides• Saves the final key in server database and shared preference • Each web service call uses this key for authentication • Web service checks each call by this encrypted key and header variable “User-agent”• If the call is from android application User-agent should contain Dalvik reference

Web view Integration

• Any URI received via an intent from outside a trust-boundary should be validated before rendering it with WebView

Sample codeString intentUrl = getIntent().getStringExtra("url");String localUrl = "about:blank";if (!intentUrl.startsWith("file:")) { loadUrl = intentUrl;}

Common security Rules

1.Limit the accessibility of an app's sensitive content provider

<provider android:name=".content.AccountProvider" android:exported="false" android:authorities="jp.co.vulnerable.accountprovider" />

2. When exchanging a file through a content provider, the path should be canonicalized before it is used.

• In the following compliant solution, a path is decoded by Uri.decode() before use. Also, after the File object is created, the path is canonicalized by calling File.getCanonicalPath() and checked that it is included in IMAGE_DIRECTORY.

private static String IMAGE_DIRECTORY = localFile.getAbsolutePath(); public ParcelFileDescriptor openFile(Uri paramUri, String paramString) throws FileNotFoundException { String decodedUriString = Uri.decode(paramUri.toString()); File file = new File(IMAGE_DIRECTORY, Uri.parse(decodedUriString).getLastPathSegment()); if (file.getCanonicalPath().indexOf(localFile.getCanonicalPath()) != 0) { throw new IllegalArgumentException(); } return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY); }

3.On Android, declaring an intent filter for an activity in the AndroidManifest.xml file means that the activity may be exported to other apps. If the activity is intended solely for the internal use of the app and an intent filter is declared then any other apps, including malware, can activate the activity for unintended use.

• By declaring android:exported="false" for an activity tag

in the AndroidManifest.xml file, the activity is restricted to only accept intents from within the same app

4.Do not store sensitive information on external storage (SD card) unless encrypted first

5.Do not log sensitive information6.Ensure that sensitive data is kept secure7.Do not trust data that is world writable8.Do not broadcast sensitive information using an implicit intent9.Do not allow WebView to access sensitive local resource

through file scheme Major security concerns for WebView are about the setJavaScriptEnabled(), setPluginState(), and setAllowFileAccess() methods.

10.Do not cache sensitive information11.Do not use loopback when handling sensitive data

References

• https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard

• https://www.jssec.org/dl/android_securecoding_en.pdf

Basement (-2), Thejaswini BuildingTechnopark, Kerala 695 581, Indiawww.orisys.in

Email: contact@orisys.in , Office (Technopark) :+91-9946 014 345Office (Sasthamangalam) :+91-8086 800 203