When developing Android applications for any professional organisation, the question of security always comes up, as indeed it should. There are many issues that should be considered regarding mobile application security so let’s take a look at one common one: data encryption.
The first thing to do is to analyse your data and see if any of it really warrants the time and expense of implementing encryption. The simplest way of looking at this is that if there is any data on the device which might damage you or your organisation if it were exposed then you should encrypt it. Don’t just assume that having a PIN on the device will provide protection. A PIN is an essential first step but is hardly fool-proof.
Once you have determined that there is data on the device which you do not wish to share with unauthorised third parties, there is another big question to ask: “Should this data be on the device at all?”. In a surprising number of cases, it is possible to remove the sensitive data from the device completely by off-loading all of the sensitive processing to the server-side application. That of course opens up a whole new issue of secure communications (Another time!).
So what are the options? Since Android 3.0 it has been possible to encrypt the entire disk of an Android device. This undoubtedly gives you some protection but relies on the user having actually encrypted their device. The other potential issue with device-level encryption is that if an attacker cracks the PIN code then the disk contents are immediately decrypted!
The alternative is to perform selective encryption of the data. Android devices ship with a powerful encryption library which goes by the eyebrow-raising name of “Bouncy Castle.” The library supports both symmetric and asymmetric encryption using a variety of algorithms. It is implemented as a provider for the Java Cryptography Extension and the Java Cryptography Architecture. Using Java cryptography is relatively straight-forward and there are plenty of examples in the wild.
Encryption and decryption require keys. Keys are a problem: where are you going to store them? In order for your application to perform encryption and decryption, it must have access to the keys. Android 4.0 has addressed this by providing a key-chain API enabling you to securely manage keys on a PIN-enabled device. I’m sure someone will break the keychain at some point but it’s a big step in the right direction. I particularly like the fact that you can only use the key-chain if a PIN or password is enabled and that you then cannot disable the PIN without deleting the key information.
There is a lot to be considered when dealing with mobile application security and you could do a whole lot worse than booking a place on Learning Tree International’s Mobile Device and Application Security Course.