DevOps.com

Preparing Your Android App for an Independent Security Review

By Michael Krueger, August 4, 2022

As of July 20, 2022, Android developers publishing new or updated mobile apps in Google Play must declare how their apps collect, share and secure data. The new Google Play Data safety section provides greater transparency and enables users to examine an Android mobile app’s security and privacy practices to decide which ones to download. Developers can take an extra step to safeguard user trust and demonstrate a high standard of mobile security and privacy by undergoing an optional independent security review. Founded by Google and industry security partners, the App Defense Alliance (ADA) established the mobile application security assessment (MASA) program to validate mobile apps against a globally recognized industry standard.

Mobile app developers can work with ADA-authorized labs to have their apps assessed against the Open Web Application Security Project (OWASP) mobile application security verification standard (MASVS) L1 requirements to gain the MASA validation. Developers whose mobile apps have passed an independent security review will be able to highlight that distinction in their Google Play Data safety section with the independent security review badge.

Mobile security experts at an ADA-authorized lab assess the Android app against a set of checks in six key areas, using test cases derived from the OWASP mobile security testing guide (MSTG) and a mix of automated and manual application security testing.

To prepare for their independent security review, developers should follow these secure coding best practices when building their Android mobile apps.

Android Data Storage: Security and Privacy

● Use the Android Keystore system to generate and hold cryptographic keys: the key material never leaves the keystore (hardware-backed where the device supports it), and credentials such as passwords, tokens and private keys are encrypted with those keys rather than stored in plaintext.
● Do not store sensitive data in external storage; it sits outside the app sandbox and is readable by other apps on older Android versions. Keep it in app-private internal storage.
● Do not write sensitive data to the system log or to application logs; logcat output is visible to other debugging tools and can end up in bug reports.
● Do not let the keyboard, autofill or the WebView cache sensitive inputs; mark password fields with a password inputType so no suggestions or dictionary entries are kept.
● Mask sensitive data during user input and exclude screens that show it from recent-app snapshots and screenshots.
● Fill out the Google Play console data safety section accurately, covering data collected by both your own code and any bundled SDKs.

Encryption

● Check first- and third-party code to confirm the use of industry-standard cryptographic libraries and algorithms (with recommended settings), rather than home-grown implementations.
● Avoid outdated or broken cryptography (such as MD5 or SHA-1 for integrity or password hashing, DES, RC4, or AES in ECB mode) for sensitive data or authentication routines.
● Do not hardcode cryptographic keys, and never reuse an initialization vector (IV) or nonce: generate a fresh random one for each encryption and store it alongside the ciphertext.
● Generate keys, IVs and tokens with a cryptographically secure random number generator (on Android, java.security.SecureRandom), never java.util.Random or Math.random(); where a regulated environment requires it, use a FIPS 140-2 validated cryptographic module.
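The data storage and encryption items above come together in one pattern: a key that is generated inside the Android Keystore wraps the credential, the keystore supplies a fresh random IV per encryption, and the result lands in app-private storage. The following Kotlin class is an added example written for this article, not code from the original post or from NowSecure; the preference file name, key alias and class name are illustrative.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Example helper: keeps a credential (for instance a session token) in app-private
// SharedPreferences, encrypted with an AES-256-GCM key that lives in the Android Keystore.
class KeystoreSecretStore(context: Context) {

    // MODE_PRIVATE keeps the file inside the app sandbox (internal storage, not external).
    private val prefs = context.getSharedPreferences("secrets", Context.MODE_PRIVATE)

    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }

        // First use: generate the key inside the keystore. The raw key bytes are never
        // exposed to the app, so there is nothing to hardcode or leak.
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
        gen.init(
            KeyGenParameterSpec.Builder(
                KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Reject caller-supplied IVs: the keystore generates a random nonce per call.
                .setRandomizedEncryptionRequired(true)
                // For higher-value secrets, add .setUserAuthenticationRequired(true) here
                // so the key only unlocks after biometric or device-credential auth.
                .build()
        )
        return gen.generateKey()
    }

    fun put(name: String, plaintext: ByteArray) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())      // keystore chooses the 12-byte IV
        val ciphertext = cipher.doFinal(plaintext)    // includes the 16-byte GCM tag
        // The IV is not secret, only unique; store it in front of the ciphertext.
        val blob = cipher.iv + ciphertext
        prefs.edit()
            .putString(name, Base64.encodeToString(blob, Base64.NO_WRAP))
            .apply()
    }

    fun get(name: String): ByteArray? {
        val encoded = prefs.getString(name, null) ?: return null
        val blob = Base64.decode(encoded, Base64.NO_WRAP)
        val iv = blob.copyOfRange(0, GCM_IV_BYTES)
        val ciphertext = blob.copyOfRange(GCM_IV_BYTES, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(GCM_TAG_BITS, iv))
        // doFinal throws AEADBadTagException if the stored blob was altered.
        return cipher.doFinal(ciphertext)
    }

    fun remove(name: String) {
        prefs.edit().remove(name).apply()
    }

    companion object {
        private const val ANDROID_KEYSTORE = "AndroidKeyStore"
        private const val KEY_ALIAS = "credential-wrap-key"   // example alias
        private const val GCM_IV_BYTES = 12
        private const val GCM_TAG_BITS = 128
    }
}
```

On a device the Jetpack Security library's EncryptedSharedPreferences implements the same pattern with less code; the hand-written version is shown here so the reviewer-visible properties are explicit: keystore-resident key, GCM with a random IV per record, and no key or IV constants in the binary. Call remove() on logout so the token does not outlive the session.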

Authentication and Session Management

● Ensure every API endpoint that provides access to sensitive data requires authentication; do not rely on the app hiding the endpoint.
● Use randomly generated session identifiers with enough entropy that they cannot be guessed or enumerated.
● Invalidate the session at the remote endpoint when users log out; deleting the token on the device is not enough.
● Enforce password complexity requirements on the server side (the client-side check only improves usability, since an attacker can bypass the app entirely).
● Enable brute force protection (rate limiting, lockout or progressive delays) for authentication endpoints.
● Ensure access tokens and sessions have a reasonable expiration/idle timeout.

Android Network Communications

● Transmit all app data over TLS and disable cleartext traffic in the app's network security configuration.
● Ensure the app verifies the server certificate chain and hostname during the TLS handshake; do not ship a permissive TrustManager or HostnameVerifier, even one added "only for testing."
● Declare every category of data the app transmits off the device in the Data safety section.
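The first two network items are normally settled in the app's network security configuration rather than in code. The resource below is an added example for this article, not configuration from the original post; api.example.com and the two pin values are placeholders, and the pin-set is optional because certificate pinning is a MASVS Level 2 requirement, not part of the L1 checks MASA validates.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     <application android:networkSecurityConfig="@xml/network_security_config"> -->
<network-security-config>
    <!-- No cleartext traffic for any host. This is already the default when
         targetSdkVersion is 28 or higher; stating it makes the intent reviewable. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store. User-installed CAs are not trusted,
                 so a casually installed proxy certificate cannot intercept traffic.
                 (This is also the default for API 24+.) -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Optional (MASVS L2): pin the API host. Always include a backup pin for the
         next key so a certificate rotation does not lock users out. Placeholder values. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2024-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Deliberately no <debug-overrides> block. It only applies when
         android:debuggable is true, but leaving it out avoids shipping a trust
         of user CAs by accident in a misconfigured build. -->
</network-security-config>
```

Certificate validity and hostname checking are performed by the platform's default TrustManager and HostnameVerifier; the configuration above keeps those defaults in force. A reviewer will look for any code that replaces them, so the check on your side is a search of the code base for custom X509TrustManager or HostnameVerifier implementations and for cleartextTrafficPermitted="true".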

Platform

● Do not request app permissions the app does not need; each one is visible in the Data safety section and widens the attack surface.
● Validate any input your app accepts from external sources (Intents and deep links, content providers, broadcast extras, WebView URLs) against an allow-list, and sanitize it if it must be passed on to a file path, query or web page.
● Ensure sensitive functionality is protected against unintended access: set android:exported="false" on components other apps do not need to reach, and guard the ones that must be exported with a signature-level permission.
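An exported Activity that handles a deep link is the usual place where the second and third items meet: any app on the device can send it an explicit Intent, so the Intent filter in the manifest is routing, not a security check. The Activity below is an added example for this article (not code from the original post); the host app.example.com, the /open path, the doc parameter and the docs directory are assumed names.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import java.io.File

// Example exported Activity for the deep link https://app.example.com/open?doc=<id>.
// It displays a document stored under the app's private files directory.
class OpenDocumentActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val target = validatedDocument(intent, File(filesDir, "docs"))
        if (target == null) {
            // Reject without echoing attacker-controlled input into the UI or the log.
            finish()
            return
        }
        setContentView(TextView(this).apply { text = target.readText() })
    }

    companion object {
        // Document identifiers are short and alphanumeric; anything else is refused.
        private val DOC_ID = Regex("^[A-Za-z0-9_-]{1,64}$")

        // Returns the file to open, or null when any part of the Intent is untrusted.
        // Pure function so it can be unit-tested on the JVM without an emulator.
        fun validatedDocument(intent: Intent?, baseDir: File): File? {
            val uri: Uri = intent?.data ?: return null

            // 1. Allow-list scheme, host and path exactly. Do not accept "http", a
            //    look-alike host, or an arbitrary path just because the filter matched.
            if (uri.scheme != "https" || uri.host != "app.example.com" || uri.path != "/open") {
                return null
            }

            // 2. Constrain the parameter's shape before it is used for anything.
            val docId = uri.getQueryParameter("doc") ?: return null
            if (!DOC_ID.matches(docId)) return null

            // 3. Resolve against a fixed base directory and confirm the canonical path
            //    stays inside it. The regex already forbids '/' and '..'; this is the
            //    second, independent control against path traversal.
            val base = baseDir.canonicalFile
            val file = File(base, docId).canonicalFile
            if (!file.path.startsWith(base.path + File.separator)) return null

            return file.takeIf { it.isFile }
        }
    }
}
```

In the manifest the Activity must carry an explicit android:exported="true" (required from targetSdkVersion 31) with its intent-filter; every other Activity, Service, BroadcastReceiver and ContentProvider should say android:exported="false" unless another app genuinely needs it, and components shared only with your own apps should additionally set android:permission to a signature-protected permission you define.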

Code Quality

● Remove all debugging symbols from the app and its native libraries, and ship release builds with android:debuggable set to false.
● Remove debug-only code paths (hidden settings screens, test accounts, feature toggles that bypass checks) before release.
● Disable verbose logging in release builds; the reviewer will read what your app writes to logcat.
● Account for every third-party SDK in the data safety section.
● Keep third-party SDKs updated and remove any with known critical vulnerabilities.
● Build native libraries as position-independent code (PIC/PIE) with stack smashing protection (-fstack-protector-strong) enabled, and keep the toolchain's other free hardening options on.
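Most of the code quality items are build configuration. The Gradle Kotlin DSL fragment below is an added example for this article, not the original post's build file; file paths and the CMake location are illustrative, and it assumes an app module with native code built through the Android Gradle Plugin's CMake integration.

```kotlin
// app/build.gradle.kts (example fragment)
android {
    buildTypes {
        release {
            // Never ship a debuggable build: it allows attaching a debugger and
            // run-as access to the app's private files.
            isDebuggable = false

            // R8: removes unused code, renames identifiers, and (with the rule in
            // proguard-rules.pro noted below) strips Log.v/Log.d calls entirely.
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )

            ndk {
                // Native debug symbols are placed in the bundle's metadata for Play's
                // crash symbolication and are never delivered to devices. The .so files
                // themselves are stripped by AGP in release builds unless you list them
                // under packaging.jniLibs.keepDebugSymbols, so keep that list empty.
                debugSymbolLevel = "SYMBOL_TABLE"
            }
        }
    }

    defaultConfig {
        externalNativeBuild {
            cmake {
                // Shared libraries must already be PIC; make both hardening flags explicit
                // rather than relying on the NDK toolchain defaults, so a reviewer running
                // readelf or checksec on the .so sees the stack protector in place.
                cFlags += listOf("-fstack-protector-strong", "-fPIC")
                cppFlags += listOf("-fstack-protector-strong", "-fPIC")
            }
        }
    }

    externalNativeBuild {
        cmake {
            path = file("src/main/cpp/CMakeLists.txt")
        }
    }
}
```

To make "disable verbose logging" hold without touching every call site, add an -assumenosideeffects rule for android.util.Log's v() and d() methods to proguard-rules.pro; R8 then deletes those calls from the release build. Before submitting, unzip the release artifact and confirm the manifest contains no android:debuggable="true", and that each .so under lib/ reports no symbol table beyond the dynamic one when inspected with the NDK's readelf.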

Obtaining a MASA validation from an ADA-authorized lab gives developers a competitive advantage to drive more downloads by showcasing their commitment to mobile app security and privacy. When given a choice, mobile app users are more likely to download and use Android apps with the independent security review badge in Google Play. And enterprises with higher risk control requirements like finance, health care, energy and government are more likely to purchase and use these verified apps.
