App Hardening Tutorial for Android With Kotlin
In this App Hardening Tutorial for Android with Kotlin, you’ll learn how to code securely to mitigate security vulnerabilities. By Kolin Stürt.
Testing
Have you tested your unit tests? Are your unit-test tests tested? What about testing those tests…
OK, that might throw a mental overflow exception. But when you’re testing, cover all your code. Go through each flow-control case and test each line of code at least once.
When you find a bug, it’s like holding a mirror up to yourself – a great learning opportunity. Security researchers look at past bug fixes to profile a developer’s style. This speeds up the process of finding bugs by guessing where others might be.
As you did above, taking the time to check the rest of your code for the same mistake when you encounter a bug is an efficient way of preventing security vulnerabilities from appearing over again in future releases. It’s good motivation for code reuse; knowing that you fixed a problem in one place and don’t have to find all the same occurrences in copy/pasted areas.
Testing Tools
It’s time-consuming to find race conditions during testing because you have to corrupt memory in the “right way” to see the problem. Sometimes the problems appear a long time later in the app’s execution. One solution is to run Lint — Android Studio’s static code analysis tool.
While static testing refers to auditing the source code, dynamic testing involves testing while executing the code. One trick is to input random data, called Fuzz Testing.
Another is to choose extreme values in hopes of finding an edge case. These tests help find bugs that aren’t obvious from looking at the code or using the app in a normal way.
Building With ProGuard
One thing that’s different for configuring apps published to the store is code optimizations by tools such as ProGuard or R8. For your published app, your code is changed, or different from the one that you tested. This means that it can introduce bugs that only exist once you release your app.
Make sure you test your app on the optimized version. See the Getting Started with ProGuard tutorial for more information about how to use it.
Where to Go From Here
Congratulations! You’ve hardened your very important crime reporting app. :]
Feel free to download the completed project using the Download Materials button at the top or bottom of this tutorial.
While you’ve tightened the application code, you should also protect the user’s data. Read the Encryption Tutorial For Android to learn how to secure data-at-rest and the Securing Network Data Tutorial for securing data-in-transit.
Another part of app hardening revolves around nullability. See the Null Safety Tutorial to learn how to further harden your app against null pointer exceptions.
Finding security vulnerabilities without having the source code involves reverse-engineering the app, finding information leaks and forensics artifacts in the data it stores. Check out the Hack an Android App: Finding Forensic Artifacts tutorial to learn how to do that.
Look at Android’s security tips and as always, if you have any questions, feel free to comment in the discussion below.