Cybersecurity is never far from my mind these days. Many of my clients are quite rightly concerned about the risk of a security breach caused by a flaw in an Android application.
One simple and hugely effective step that can be taken is to ensure that devices have a PIN or password enabled. The key word in the previous sentence is “ensure”: how do we actually ensure that our applications are only used on devices which have a PIN enabled?
One solution is education: within an organisation, we can spread the message that using a PIN or password is an essential piece in the security for that organisation. I like the idea of a splash screen for the application which gives security tips such as “always lock your device,” though it’s probably a good idea to make sure that the user can disable the splash screen if they wish.
One thing that has frustrated me for some time is the difficulty of determining if there is actually a PIN / password enabled on the device. In many cases, what I’d really like to do is to perform a quick check to see if the device is protected and only allow the application to run if protection was enabled. Jelly Bean (Android 4.1 / API level 16) provides the solution in the form of a new method on the KeyguardManager.
The wonderfully simple solution that has been added is to create a new method on the KeyguardManager which is isKeyguardSecure() if the Keyguard (the name comes from the mechanism originally implemented to prevent keys being accidentally pressed when the device was in a pocket or bag) is securely locked the method will return true. The code is pretty simple:
// Get a reference to the KEYGUARD_SERVICE KeyguardManager keyguardManager = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE); // Query the keyguard security. return keyguardManager.isKeyguardSecure();
Securely locked means locked by either a PIN or password. Patterns and face-recognition are not regarded as secure. By the way, for those like me who like the convenience of the pattern lock, try holding your phone at an angle so that you are looking along the screen toward a light source. Do you see those nasty greasy marks? Unfortunately, those marks often provide the details of the pattern you use.
If you are interested in cybersecurity (and as a mobile developer, you should be) then you could do a whole lot worse that booking a place on Learning Tree International’s Mobile Device and Application Security Course.