No matter what type of Android application you intend to build, consider the following 10 best practices. Furthermore, when making security decisions, assume that the Android device can be stolen or that an attacker can successfully force the user to run malware on the device.
Protecting data at rest on the device
1. Don’t store unencrypted sensitive data (e.g., PII, credentials, tokens, and cryptographic keys) locally. (This includes SharedPreferences files and SQLite databases.) Whenever possible, avoid storing it altogether. Otherwise, encrypt it under a key derived from user input with a key derivation function (e.g., PBKDF2).
2. Don’t include sensitive data in system logs. Disable debug logging on production builds.
3. Don’t store sensitive data in the WebView cache. In addition to setting cache-control headers on the server side, the application should clear its cache after receiving sensitive responses.
4. Disable application backup. Backups can potentially allow an attacker to view or modify the application’s locally-stored data without having root access to the device.
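As an added illustration of item 1 (not code from the original article): a small Java helper that encrypts a value under an AES-256 key derived from the user's passphrase with PBKDF2-HMAC-SHA256, so only the salt, IV and ciphertext are written to SharedPreferences and no key ever touches the device. The iteration count and the sample passphrase/secret are assumed values; `java.util.Base64` and `PBKDF2WithHmacSHA256` require Android API 26 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Seals a secret under a passphrase-derived key; stores only salt || iv || ciphertext+tag. */
public final class PassphraseVault {
    private static final int PBKDF2_ITERATIONS = 310_000; // assumed; tune to the device's CPU budget
    private static final int SALT_BYTES = 16, IV_BYTES = 12, KEY_BITS = 256, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Derives an AES-256 key from the passphrase and a per-entry random salt (PBKDF2-HMAC-SHA256). */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns base64(salt || iv || ciphertext+tag), suitable as a SharedPreferences string value. */
    public static String seal(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // fresh IV per encryption: never reuse an IV with the same key under GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses seal(); a wrong passphrase or a tampered blob fails the GCM tag check in doFinal(). */
    public static byte[] open(char[] passphrase, String blob) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(in, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, SALT_BYTES + IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }
}
```

A caller would pass the `seal()` result to `SharedPreferences.Editor.putString()` and clear the passphrase `char[]` with `Arrays.fill()` once the key has been derived.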
Protecting client-side code
5. Protect the readability and integrity of the binaries against reverse-engineering attacks. Several techniques help with this (e.g., code obfuscation and string/class encryption). The table below examines additional techniques.