บทความ

Access Control issues Part 1-3

Description : Caused by use Intent-filter inside Menifest files. Recomment :  Show an app chooser If the Implicit Intent can launch a second app on the user's device, make it an app chooser. This helps users transfer sensitive information to apps they trust. val intent = Intent(ACTION_SEND) val possibleActivitiesList: List<ResolveInfo> = queryIntentActivities(intent, PackageManager.MATCH_ALL) // Verify that an activity in at least two apps on the user's device // can handle the intent. Otherwise, start the intent only if an app // on the user's device can handle the intent. if (possibleActivitiesList.size > 1) {     // Create intent to show chooser.     // Title is something similar to "Share this photo with".     val chooser = resources.getString(R.string.chooser_title).let { title ->         Intent.createChooser(intent, title)     }     startActivity(chooser) } else if (intent.resolveActivity(packageManager) != null) {     startActivity(intent) } Mor

Input validation issues - Part 2

Description : Because Web Content that can have HTML and JavaScript Improper use might to be web security problem occurred such as insert Javascript Command. Basic recomment :  - use method : setJavaScriptEnabled(); protect cross-site scripting - recommend exposing only Javascript contained in your application.   method : addJavaScriptInterface(); - If your application access sensitive information   to consider use remove files that store specific place.   for example, to indicate that application not should cache particular content.   use : method clearCache();   ( clearCache(); will to do clear all cache of used ) Reference :  https://developer.android.com/training/articles/security-tips

Input validation issues - Part 1

รูปภาพ
Description :  This is Developer not filter sensitive information before store into database. How to fix : - You should to do select Input type of EditText to be correct in Android Studio. - Use Pattern Class filter more information before store into database and more. More Information : Data and file storage on Android Preferences :   //  Files lost when delete app. - Data that store that have key and value in file .xml - Shared Preference - Secure Preference - EncryptedSharedPreferences Database : in android app   //  Files lost when delete app.   - SQLiteOpenHelper   - Room   - SQLCipher Shared Storage : Data that share with others app. Such as : Media : images , audio , videos , documents   //  Files no lost when delete app.  - MediaStore API - Content Provider for open Database for other app can query come to your app. can be determined, such as specific app that use same keystore. App-specific storage : Divided into 2 types Internal Storage (Keep a little but be safe)  //  Files

Insecure Data Stroage Part 1-4

รูปภาพ
Description :  This is problem of Developer that to do store sensitive information  such as Username Password into Share Preferences file is not have encode information. How to fix : If you whant store sensitive information There are some basic recommendations as follows. - Store data safely. - Store private data within internal storage. - Store personal information into : device internal storage (sanboxed separate app). - Your App no require request permission to see files. - Others App can not access file is new security furture. - When user uninstall app, device will delete all file in internal storage. // Creates a file with this name, or replaces an existing file that has the same name.  // Note that the file name cannot contain path separators. val FILE_NAME = "sensitive_info.txt" val fileContents = "This is some top-secret information!" openFileOutput(FILE_NAME, Context.MODE_PRIVATE).use { fos ->     fos.write(fileContents.toByteArray()) } - Use external s

Hard coding Issues

รูปภาพ
Description :  This is Security of Android Application that Developer forget used sensitive information into code of application in application development procress. How to fix :  Not should push sensitive information into Code of Application or Protected by use Obfuscation code Obfuscation is an encoding, class name or variable. Strength - when Decompile Application will see encoded text instead of plain-text - Size of Apk file is smaller Step 1 - Config (build.gradle) "minifyEnabled" == true android { buildTypes { release {    // Enables code shrinking, obfuscation, and optimization for only    // your project’s release build type.     minifyEnabled true    // Enables resource shrinking, which is performed by the    // Android Gradle plugin.    shrinkResources true    // Includes the default ProGuard rules files that are packaged with    // the Android Gradle plugin. To learn more, go to the section about    // R8 configuration files.    proguardFiles getDefaultProguardFile

Insecure Logging

Description :  This is  Security of Android Application Coding that Developer forget used Log Class into Code of Application in procress of Application Development and build to Apk file. How to fix :  Developer should to do delete Log class code  after application development procress finished before build to Apk File.