Posted by Adrian Ludwig, Lead Engineer for Android Security
The Android ecosystem has grown to 1.4 billion devices worldwide and more than one million Play Store apps, with many of those titles focused on consumer usage. At the same time, mobile productivity has grown in importance and businesses are spending more on applications for their work devices. Gartner says businesses spent $143B in 2015 on application software on all platforms.
That presents developers with a large opportunity for work apps that advance collaboration, workflow, data analysis or taking measurements in the field. Android developer tools help developers answer this call for innovation while meeting the important business need of protecting work data.
Here are a few tips and techniques for developers striving to build safe, secure Android apps for work environments.
Integrate with Android for Work
Encrypt your data
- Use HTTPS in lieu of HTTP whenever possible for encrypted, in-app web communications; don’t expect your app users to rely solely on VPN or other encrypted connections.
- If you encrypt any data in your app, don’t put the key within the app. Use a KeyStore so the keys are bound to the device hardware and not directly accessible from your app.
Use Android’s built-in and expanded protections
- Rather than using the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes (which don’t limit data access to specific applications) consider using content providers, which implement data read / write permissions to other apps.
- Call Google Play service APIs to improve app security and check device compatibility. Specifically, the ProviderInstaller class has methods to verify if device’s security provider is current and SafetyNetAPI.attest can let you know if the device’s security model is intact; if not your app can throw an exception or work around the issue.
- Check security warnings provided by the Google Play Store when uploading your app; this is part of the Android Security Improvement program and can highlight potential security risks in your app before you publish it.
- Consider implementing single sign-on (SSO), which makes it more convenient for end users to safely access business apps and data. This also enables a consistent session expiration to harden app security. See this section of our recorded session from Google I/O on this topic a demonstration of SSO.
Following these tips is easy and makes your Android apps more secure and more attractive to businesses so you can take advantage of the growing support for Android devices in enterprises and small businesses alike.
For more information or other ways to build secure Android apps, see our growing list of security tips and take advantage of the tools Android offers you.