This post was contributed by a community member. The views expressed here are the author's own.


Paul Peloquin Shares Android Security Tips for iOS Developers

Software developer Paul Peloquin of Wichita, Kansas, discusses Android security tips for iOS developers.

If, like me, you have been developing in the iOS space for some time, and particularly within the last five years, jumping anew into secure Android development may seem daunting. Apple has prided itself on providing (arguably) the most secure mobile platform. Whether you agree with this or not, it must be admitted that Apple does take the time to create toolsets designed to allow developers to implement basic cyber and app-based security readily.


Let's start with file encryption and compare. In Swift, to write a file with complete file encryption, you simply include the .completeFileProtection option when writing. On Android, the process is a bit lengthier. First, you will need to be familiar with the EncryptedFile class and its associated builder, where you can configure the write and read. A one-liner it isn't. Nevertheless, the ability is there. When using the builder, make sure that the same master key and keyset are used for the eventual decrypt, or you will get errors and the decryption will fail.
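The write and read paths described above, as an added example that is not the author's code. It assumes the androidx.security:security-crypto 1.0.0 artifact and its MasterKeys API; the keyset names and helper functions are hypothetical.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.MasterKeys
import java.io.File

// Hypothetical names chosen for this example. They must be identical on the
// write path and the read path, or decryption fails.
private const val KEYSET_PREFS = "example_file_keyset_prefs"
private const val KEYSET_ALIAS = "example_file_keyset"

// Single factory used by both write and read, so the master key, keyset
// location and encryption scheme cannot drift apart between the two.
private fun encryptedFile(context: Context, name: String): EncryptedFile {
    // Returns the alias of an AES-256-GCM key held in the Android Keystore,
    // creating the key on first use.
    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
    return EncryptedFile.Builder(
        File(context.filesDir, name),
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    )
        .setKeysetPrefName(KEYSET_PREFS)
        .setKeysetAlias(KEYSET_ALIAS)
        .build()
}

fun writeSecret(context: Context, name: String, plaintext: ByteArray) {
    // openFileOutput() throws if the target already exists, so remove any
    // previous copy before writing.
    File(context.filesDir, name).delete()
    encryptedFile(context, name).openFileOutput().use { it.write(plaintext) }
}

fun readSecret(context: Context, name: String): ByteArray =
    // Fails with an exception if the file is missing or if the master key or
    // keyset differs from the one used when the file was written.
    encryptedFile(context, name).openFileInput().use { it.readBytes() }
```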

If your app requires bank app-level security, you will likely want the app to prevent the phone from capturing screenshots at specific points in the application's lifecycle. While a foolproof way would be difficult, it could be argued that this is actually a little easier in Android. In Android, you can get a long way towards a solution by setting the FLAG_SECURE window flag in your Activity. In iOS, you may be most concerned by the way the operating system grabs a screenshot of the app when the app backgrounds. If this is your only concern, you can use the instance method ignoreSnapshotOnNextApplicationLaunch. If you need to prevent screenshots more generally, then your options are more limited. There are products you can purchase to add to your application that claim to do this, and there are other "hacky" solutions available that may meet your particular use case.


Development in the last few years has forced iOS developers to understand and implement App Transport Security (ATS). ATS aimed to improve the security of iOS apps by enforcing many things, including HTTPS, any time the application accesses the web. With a few lines in the application's Info.plist, ATS allowed developers to take a big step towards cybersecurity when our application receives data. Android provided something similar for developers in API levels 23 and above. Rather than in the app manifest file, it is accomplished through your application's network_security_config.xml file. To ensure that the files are encrypted, make sure to set the cleartextTrafficPermitted attribute to false in the base configuration element.

As to other items, like local authentication through biometrics, many Android devices do not yet have these capabilities. So, for these devices, you may need to look for other avenues to protect your users' sensitive data and outline a separate authentication path. These are just a few of the things that may help iOS developers get more familiar with Android security issues. While it is different, with careful planning, you can make your Android application highly secure.


About Paul Peloquin:

Paul Peloquin of Wichita, Kansas, is a results-driven programmer with over 20 years of experience in software development. Throughout his diverse career, Mr. Peloquin has built a reputation as both an innovator and tactical developer, helping entrepreneurs and Fortune 500 companies alike accelerate their businesses and workflows into the 21st century.
