Excessive logging:

private void logD(String message) {
    // Only emit debug output in debug builds; release builds log nothing here.
    if (BuildConfig.DEBUG)
        Log.d(this.getLocalClassName(), message);
}

Excessive logging of sensitive security data should be avoided in production environments.
Unprotected background screenshot:
In Android we set a special window flag that prevents the app from appearing in screenshots or being shown on a non-secure display:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // FLAG_SECURE must be set before setContentView() so the window is protected from the start.
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE);
    setContentView(R.layout.activity_main);
}
Autocompletion:
Mask important fields within the application and ensure autocomplete is toggled off for them, e.g.:

void setAutocomplete() {
    EditText firstNameView = (EditText) findViewById(R.id.first_name);
    EditText secondNameView = (EditText) findViewById(R.id.second_name);
    // Keep the TYPE_CLASS_TEXT bits: the flag alone would leave the class as TYPE_NULL
    // and the field would get no soft keyboard at all.
    firstNameView.setInputType(InputType.TYPE_CLASS_TEXT
            | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
    secondNameView.setInputType(InputType.TYPE_CLASS_TEXT
            | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
}
Insecure local storage:
Save registration data on the server and check the free usage period of the application each time the user enters it. Obfuscate the Android code to provide some protection against reverse engineering.
Sensitive data in storage:
Sensitive data should be encrypted, and only the data that is actually required should be stored (encrypted). Don't make assumptions about the data and properties of the app.
Cached login credentials:
Use setText("") to clear fields by setting them empty, e.g. emailEdittext.setText(""); passwordEdittext....
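The following added example (not part of the original gist) brings the points above together in one hypothetical login screen: FLAG_SECURE set before the layout is inflated, input types that keep the TEXT class while disabling suggestions, credential fields cleared when the screen leaves the foreground, and a debug-only logger. The layout R.layout.activity_login and the ids R.id.email and R.id.password are assumed.

```java
import android.app.Activity;
import android.os.Bundle;
import android.text.InputType;
import android.util.Log;
import android.view.WindowManager;
import android.widget.EditText;

// Hypothetical login screen; R.layout.activity_login, R.id.email and
// R.id.password are assumed to exist in the project.
public class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";
    private EditText emailView;
    private EditText passwordView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set before setContentView: blocks screenshots, screen recording
        // and the recent-apps thumbnail for this window.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_login);
        emailView = (EditText) findViewById(R.id.email);
        passwordView = (EditText) findViewById(R.id.password);
        // Keep the TEXT class bits; the flag alone degrades the field to
        // TYPE_NULL (no soft keyboard). NO_SUGGESTIONS disables autocomplete.
        emailView.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_EMAIL_ADDRESS
                | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
        // The PASSWORD variation masks characters and disables suggestions.
        passwordView.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD);
    }

    @Override
    protected void onPause() {
        super.onPause();
        // Clear credentials whenever the screen leaves the foreground so they
        // are not retained in the view hierarchy or saved-instance state.
        passwordView.setText("");
        emailView.setText("");
        logD("credential fields cleared");
    }

    // Debug-only logging; callers must never pass secrets, even in debug.
    private void logD(String message) {
        if (BuildConfig.DEBUG) Log.d(TAG, message);
    }
}
```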