Monday, July 15, 2013

Android: Security requirements for enterprise apps

"Do not let the Android application install on rooted Android devices or on emulators"

"Delete all sensitive data as soon as the application realizes that the device is rooted"

"Make sure that data stored in the Android device DB is not compromised"

"Prevent reverse-engineering of the application"

These are some of the common security-related requirements of most enterprise applications. In this post, I will go through each of them and lay out what is feasible to implement.

1. "Do not let the Android application install on rooted Android devices or on emulators"
It is NOT possible to prevent an application from being installed on rooted phones, or even on emulators. So instead of trying to prevent the installation, the easier solution is to check whether the device is rooted or an emulator after the application launches and, if so, block further access to the application.

Checking if the device is an emulator:
Android provides a simple API to check the device type:
Build.PRODUCT
If PRODUCT is "google_sdk", we can assume that the application is running on the emulator.
See this link for more details:
http://stackoverflow.com/questions/2799097/how-can-i-detect-when-an-android-application-is-running-in-the-emulator

Checking if the device is rooted:

  • Try to execute some commands that are allowed only for the super user and check the response.
  • Check if an su process is running, etc.
Remember that none of these methods are 100% fool-proof!

Check this discussion for more information
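The two checks above (Build.PRODUCT for the emulator, and the su-command and su-process heuristics for root) as one launch-time helper. This is an added example, not code from the original post; the class and method names, the list of su binary locations, and the extra "sdk"-prefixed product values are assumptions. Call shouldBlockAccess() from the launcher Activity and, when it returns true, show a blocking screen and finish().

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;

/**
 * Launch-time checks for the two conditions in the post: running on the emulator and
 * running on a rooted device. Names are assumptions; none of the heuristics is fool-proof,
 * so the result should gate access, not be treated as proof.
 */
public final class DeviceIntegrityCheck {

    private DeviceIntegrityCheck() {}

    /** Emulator check from the post: the stock SDK image reports Build.PRODUCT "google_sdk". */
    public static boolean isEmulator() {
        return isEmulatorProduct(Build.PRODUCT);
    }

    /** Split out so the string test can be exercised without a device. Besides "google_sdk"
     *  this also accepts "sdk"-prefixed values, which other SDK system images report (assumption). */
    static boolean isEmulatorProduct(String product) {
        if (product == null) return false;
        return "google_sdk".equals(product) || product.startsWith("sdk");
    }

    /** Root heuristic 1: an su binary in one of the usual locations (list is an assumption). */
    static boolean hasSuBinary() {
        String[] candidates = { "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su" };
        for (String path : candidates) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Root heuristic 2 (the post's first bullet): run a command only the super user can run
     *  and inspect the reply. A working su answers "id" with uid=0; on a stock device exec() throws. */
    static boolean canRunAsRoot() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] { "su", "-c", "id" });
            BufferedReader out = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line = out.readLine();          // blocks while a su manager shows its prompt
            return line != null && line.contains("uid=0");
        } catch (IOException e) {
            return false;                          // no su on the PATH, or it refused us
        } finally {
            if (p != null) p.destroy();
        }
    }

    /** Root heuristic 3 (the post's second bullet): an su process currently running. Reads
     *  /proc/<pid>/cmdline; on Android 7+ /proc hides other users' processes, so this sees less. */
    static boolean isSuProcessRunning() {
        File[] entries = new File("/proc").listFiles();
        if (entries == null) return false;
        for (File entry : entries) {
            if (!entry.getName().matches("\\d+")) continue;
            try {
                BufferedReader r = new BufferedReader(new FileReader(new File(entry, "cmdline")));
                String cmdline = r.readLine();
                r.close();
                if (cmdline == null) continue;
                String argv0 = cmdline.split("\0")[0];   // arguments are NUL separated
                if (argv0.equals("su") || argv0.endsWith("/su")) return true;
            } catch (IOException ignored) {
                // process exited meanwhile, or its cmdline is not readable by us
            }
        }
        return false;
    }

    public static boolean isRooted() {
        return hasSuBinary() || isSuProcessRunning() || canRunAsRoot();
    }

    /** Call from the launcher Activity's onCreate(); when true, show a blocking screen and finish(). */
    public static boolean shouldBlockAccess() {
        return isEmulator() || isRooted();
    }
}
```

The cheap file and /proc checks run first so that the su-command check, which may pop up a su manager prompt on a rooted device, is only reached when the other two found nothing.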

2. "Delete all sensitive data as soon as the application realizes that the device is rooted"

This is a simple one: create a service and register it for auto-launch on device boot. In this service, periodically (say once every 2 minutes) check whether the device is rooted (as discussed above). If yes, delete all of the application's sensitive data.
WARNING: This could drain the battery. Depending on the sensitivity of the data, you can vary the interval to save battery.
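The boot-started watcher described above, as an added example rather than code from the original post. It assumes the class names used here, a manifest that declares the service and registers BootReceiver for android.intent.action.BOOT_COMPLETED with the RECEIVE_BOOT_COMPLETED permission, and a minimal su-binary check standing in for whatever root check the app already uses at launch.

```java
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import java.io.File;

/**
 * Requirement 2: started at boot, re-checks the root status on a timer and wipes the
 * app's stored data the first time the device turns out to be rooted.
 * Class names and the interval constant are assumptions.
 */
public class RootWatchService extends Service {

    /** 2 minutes as in the post; lengthen this for less sensitive data to save battery. */
    static final long CHECK_INTERVAL_MS = 2 * 60 * 1000L;

    private final Handler handler = new Handler();
    private final Runnable check = new Runnable() {
        @Override public void run() {
            if (isRooted()) {
                wipeSensitiveData(RootWatchService.this);
                stopSelf();                               // nothing left to protect
            } else {
                handler.postDelayed(this, CHECK_INTERVAL_MS);
            }
        }
    };

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        handler.removeCallbacks(check);                   // avoid two timers if started twice
        handler.post(check);
        return START_STICKY;                              // restart if the system kills us
    }

    @Override public void onDestroy() {
        handler.removeCallbacks(check);
    }

    @Override public IBinder onBind(Intent intent) { return null; }

    /** Minimal root check for this example: an su binary in a usual location (paths assumed).
     *  A real app would reuse its launch-time check, which can combine more heuristics. */
    static boolean isRooted() {
        for (String p : new String[] { "/system/bin/su", "/system/xbin/su", "/sbin/su" }) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** Deletes every database, preference file and private file the app owns. */
    static void wipeSensitiveData(Context ctx) {
        for (String db : ctx.databaseList()) {
            ctx.deleteDatabase(db);                       // removes the db and its journal
        }
        File appDir = ctx.getFilesDir().getParentFile();  // .../data/<package>
        deleteRecursively(new File(appDir, "shared_prefs"));
        deleteRecursively(ctx.getFilesDir());
        deleteRecursively(ctx.getCacheDir());
    }

    static void deleteRecursively(File f) {
        File[] children = f.listFiles();
        if (children != null) {
            for (File c : children) deleteRecursively(c);
        }
        f.delete();
    }

    /** Receives BOOT_COMPLETED and starts the watcher after every reboot. */
    public static class BootReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) {
            if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {
                ctx.startService(new Intent(ctx, RootWatchService.class));
            }
        }
    }
}
```

The wipe deletes files rather than overwriting them; on flash storage that is what the platform offers from app code, so the real protection of the data remains the database encryption covered under requirement 3. On Android 8.0 and later the system stops background services shortly after the app leaves the foreground, so a scheduled job (JobScheduler or WorkManager) is the modern replacement for a long-lived polling service like this one.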

3. "Make sure that data stored in the Android device DB is not compromised"
"Encrypt the database"

The simplest way to encrypt the database in Android is to use SQLCipher. SQLCipher uses 256-bit AES encryption to encrypt the database files.

DO NOT hard-code the key in the code!! It is very difficult to prevent reverse engineering of your Android application from the APK, and a determined attacker can easily get hold of a key that is hard-coded in the code. A much better solution is to:
  • Randomly generate the key on first launch and save it for later use.
  • Again, saving the key as-is would be risky. Use some algorithm to modify (encode) the key before saving it, and the reverse algorithm to decode the key before using it to decrypt the database.
  • Now you might say that this is not a safe solution: if the code can be reverse engineered, what is the point of encoding the key? Remember that reverse-engineering tools can only recover the code logic; they cannot recover the original method and variable names from obfuscated code. So if we use a method name or a variable name (remember Java reflection?) in some way to encode the key, it would be very difficult for anybody to break it.
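The three bullets above, carried through against the SQLCipher for Android API (net.sqlcipher.database.SQLiteDatabase), as an added example that is not code from the original post or from the SQLCipher project. The class, the preference file name and entry, and the choice of SHA-256 over a reflected method name as the encoding mask are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;
import java.security.MessageDigest;
import java.security.SecureRandom;
import net.sqlcipher.database.SQLiteDatabase;

/**
 * Requirement 3: a random SQLCipher passphrase generated on first launch and stored
 * in an encoded form, decoded again only when the database is opened.
 * Names and the masking scheme are assumptions made for this example.
 */
public final class DbKeyStore {
    private static final String PREFS = "dbkey";     // preference file name (assumption)
    private static final String ENTRY = "k";         // preference entry name (assumption)
    private static final int KEY_BYTES = 32;         // 256 bits of key material

    private DbKeyStore() {}

    /** Opens (or creates) the encrypted database with this install's key. */
    public static SQLiteDatabase open(Context ctx, String dbName) throws Exception {
        SQLiteDatabase.loadLibs(ctx);                // load the native SQLCipher library once
        String passphrase = Base64.encodeToString(loadOrCreateKey(ctx), Base64.NO_WRAP);
        return SQLiteDatabase.openOrCreateDatabase(ctx.getDatabasePath(dbName), passphrase, null);
    }

    /** Bullet 1 and 2: random key on first launch, saved only in masked form. */
    static byte[] loadOrCreateKey(Context ctx) throws Exception {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        byte[] mask = mask();
        String stored = prefs.getString(ENTRY, null);
        if (stored != null) {
            return xor(Base64.decode(stored, Base64.NO_WRAP), mask);   // decode before use
        }
        byte[] key = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(key);                             // first launch
        prefs.edit()
             .putString(ENTRY, Base64.encodeToString(xor(key, mask), Base64.NO_WRAP))
             .commit();
        return key;
    }

    /** Bullet 3: the mask comes from this method's own name, read back through reflection
     *  instead of being written as a string literal. After ProGuard the name is whatever the
     *  obfuscator chose, so keep -keepattributes EnclosingMethod,InnerClasses and reuse the
     *  mapping (-applymapping) across releases, or the stored key becomes unreadable after an update. */
    static byte[] mask() throws Exception {
        String name = new Object() {}.getClass().getEnclosingMethod().getName();
        return MessageDigest.getInstance("SHA-256").digest(name.getBytes("UTF-8"));
    }

    /** XOR is its own inverse, so the same routine encodes and decodes. */
    static byte[] xor(byte[] data, byte[] mask) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ mask[i % mask.length]);
        }
        return out;
    }
}
```

The masking is obfuscation, not encryption: anyone who can run the APK's code can recompute the mask, so its value is only in raising the effort above a quick grep of the preference file. Where the device supports it, the Android Keystore (API 18 and later) holds a wrapping key that never leaves the keystore, and is the stronger place to protect the SQLCipher passphrase.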
4. "Prevent reverse-engineering of the application"

There are no fool-proof methods to prevent reverse engineering; you can only make the process harder by obfuscating the code. Try the ProGuard tool that ships with the Android SDK.