Storage
- Avoid external storage for sensitive information: files on external storage are readable by any app holding the external-storage permission, and the user can mount them on a PC.
- For critical input fields set android:saveEnabled="false" so their contents are not written into the saved instance state.
- Backup: set android:allowBackup="false" in the manifest so that adb backup and cloud backup cannot pull the app's private data off the device.
- Proper file permissions: create internal files with MODE_PRIVATE; MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE are deprecated and expose the file to every other app.
Passwords vs keys
- Users are familiar with passwords, not with 128- or 256-bit keys.
- Password-based encryption: generate strong crypto keys from humanly-manageable passwords.
- Crypto algorithm: PBKDF2WithHmacSHA1 (SecretKeyFactory / PBEKeySpec in javax.crypto).
Salt: a random, per-password value mixed into the derivation, stored alongside the ciphertext (it need not be secret). Defeats pre-computed dictionary / rainbow-table attacks because the same password yields a different key under every salt.
Key stretching: repeat the key derivation operation many times (the iteration count) to produce the final key. Each guess costs the attacker the same number of iterations, so brute-force attacks slow down by that factor.
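The following is an added example, not code from the original slides: it derives an AES key with PBKDF2WithHmacSHA1 as described in the two bullets above, shows that a fresh salt changes the key for the same password, and times the derivation at several iteration counts to make the key-stretching cost visible. The iteration count, salt length and the sample password are assumptions chosen for the demonstration; in an app the salt and iteration count must be stored next to the ciphertext so the key can be re-derived.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordKeyDerivation {
    // Assumed parameters for this example. Tune ITERATIONS so that one
    // derivation takes roughly 100 ms on the slowest device you support.
    private static final int ITERATIONS = 10_000;
    private static final int KEY_BITS = 256;     // AES-256 key
    private static final int SALT_BYTES = 16;

    /** Fresh random salt; generate one per password and persist it with the ciphertext. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** PBKDF2-HMAC-SHA1(password, salt, iterations) -> AES key. */
    public static SecretKey deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] raw = factory.generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword(); // wipe the spec's private copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery".toCharArray(); // constructed sample password
        byte[] saltA = newSalt();
        byte[] saltB = newSalt();

        SecretKey keyA1 = deriveKey(password, saltA, ITERATIONS);
        SecretKey keyA2 = deriveKey(password, saltA, ITERATIONS);
        SecretKey keyB  = deriveKey(password, saltB, ITERATIONS);

        // Same password + same salt + same iterations => same key (needed to decrypt later).
        System.out.println("same salt, same key:       " + Arrays.equals(keyA1.getEncoded(), keyA2.getEncoded()));
        // Same password, different salt => unrelated key, so a precomputed table is useless.
        System.out.println("different salt, same key:  " + Arrays.equals(keyA1.getEncoded(), keyB.getEncoded()));

        // Key stretching: cost grows linearly with the iteration count, for the attacker too.
        for (int iters : new int[] {1, 1_000, ITERATIONS}) {
            long start = System.nanoTime();
            deriveKey(password, saltA, iters);
            System.out.printf("%,d iterations: %.1f ms%n", iters, (System.nanoTime() - start) / 1e6);
        }
        Arrays.fill(password, '\0'); // do not leave the password lying around in the heap
    }
}
```

Two caveats a practitioner should know: HMAC-SHA1 inside PBKDF2 is not affected by the SHA-1 collision attacks, so the algorithm named on the slide is still a sound KDF; and on Android versions before 4.4 the provider's PBKDF2WithHmacSHA1 only used the low 8 bits of each password character, so keys derived from non-ASCII passwords on older devices differ from those derived on newer ones (Android later exposes that legacy behaviour as PBKDF2WithHmacSHA1And8bit for compatibility).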
Certificate pinning with a custom TrustManager
- Get the server certificate with openssl and keep only the PEM block:
  openssl s_client -connect example.com:443 </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycertificate.pem
  (without -showcerts this captures only the server's leaf certificate; pinning the leaf means shipping an app update whenever the certificate is renewed, so consider pinning the issuing CA instead)
- Embed mycertificate.pem in the application under /res/raw
- Custom TrustManager based on a keystore: load the certificate into an empty KeyStore
- SSL context: initialise an SSLContext with a TrustManager built from that KeyStore, and use its socket factory for every HTTPS connection
- https://developer.android.com/training/articles/security-ssl.html
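The steps above, as an added example that is not code from the original slides or from the linked Android guide: the PEM produced by the openssl pipeline is parsed with CertificateFactory, loaded into an empty KeyStore, wrapped in a TrustManagerFactory, and used to initialise an SSLContext that trusts nothing but the pinned certificate(s). The class name, the "pinned-N" alias scheme and the desktop main() that reads the PEM from a file path are assumptions for the demo; on Android you would pass getResources().openRawResource(R.raw.mycertificate) instead.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSslContext {

    /** Builds an SSLContext whose only trust anchors are the certificates in the PEM stream. */
    public static SSLContext fromPem(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates accepts one or more concatenated PEM blocks.
        Collection<? extends Certificate> certs = cf.generateCertificates(pem);
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no certificate found in PEM input");
        }

        // Empty keystore of the platform default type (BKS on Android, JKS/PKCS12 on a desktop JVM).
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        int n = 0;
        for (Certificate cert : certs) {
            keyStore.setCertificateEntry("pinned-" + (n++), cert);
        }

        // TrustManager that consults only our keystore, not the device's CA store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Desktop usage: java PinnedSslContext mycertificate.pem https://example.com/ */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            SSLContext ctx = fromPem(in);
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
            // Handshake fails with SSLHandshakeException if the server's chain does not
            // lead to one of the pinned certificates; hostname verification still applies.
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode() + " over pinned TLS");
        }
    }
}
```

A quick check after wiring this in: point the app at a host whose certificate is not in the PEM (or run the main() above against a different site) and confirm the connection is refused; a pinning TrustManager that silently falls back to the system CA store pins nothing.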
"... implementations in 11,748 Android applications. Overall we find that 10,327 programs - 88% in total - use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development."
(Egele et al., An Empirical Study of Cryptographic Misuse in Android Applications, CCS 2013)
Further reading
- (9781782167167)
- Android Security Internals, Nikolay Elenkov (9781593275815)
- Android Hacker's Handbook, Joshua J. Drake et al. (9781118608647)
- Application Security for the Android Platform, Jeff Six (9781449315078)