Wednesday, October 16, 2024

How we’re helping you fix vulnerabilities in your Android apps

Posted by Bessie Jiang – Software Engineer and Chris Schneider – Security Engineer

Contributors: Maciej Szawłowski – Security Engineer, Hannah Barnes – Technical Program Manager, Dirk Göhmann – Technical Writer, Patrick Mutchler – Software Engineer

Security is tough, but vital to protecting your users and their data. We’re here to help you build secure Android apps with fewer vulnerabilities for an even safer Android ecosystem for everyone.

Vulnerability Detection – How it Works

Google currently scans every app on Google Play for dozens of common security vulnerability classes. If we spot something, we let you know so you can fix the problem. Imagine a pentesting team looking for bugs in each of the millions of apps published on Play, rooting out issues like bad TLS configurations that expose network traffic or directory traversal vulnerabilities that let adversaries read from or write to an app’s private files.
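As an added illustration (not code from this post or from AAKB), here is the directory traversal pattern mentioned above in a small file-lookup helper, alongside the hardened form that canonicalises the path and checks it stays inside the intended directory. The `filesDir` base (standing in for `Context.filesDir`) and the untrusted `name` parameter are assumptions for the example.

```kotlin
import java.io.File
import java.io.IOException
import java.nio.file.Files

// Vulnerable: builds a path from an untrusted name (e.g. an Intent extra or a
// content URI segment) with no check, so a name containing ".." escapes the
// intended "user_uploads" directory and reaches other private app files.
fun openUserFileVulnerable(filesDir: File, name: String): File =
    File(File(filesDir, "user_uploads"), name)

// Hardened: canonicalise both the base directory and the resolved target, then
// require the target to sit strictly inside the base; reject anything else.
fun openUserFileSafe(filesDir: File, name: String): File {
    val base = File(filesDir, "user_uploads").canonicalFile
    val target = File(base, name).canonicalFile
    // Compare with the separator appended so a sibling such as
    // "user_uploads_other" does not pass as a prefix match.
    if (!target.path.startsWith(base.path + File.separator)) {
        throw IOException("Path traversal rejected: $name")
    }
    return target
}

fun main() {
    // Constructed sample base directory standing in for Context.filesDir.
    val filesDir = Files.createTempDirectory("appfiles").toFile()
    val names = listOf("report.txt", "../shared_prefs/prefs.xml")
    for (name in names) {
        println("vulnerable -> " + openUserFileVulnerable(filesDir, name).canonicalPath)
        try {
            println("safe       -> " + openUserFileSafe(filesDir, name).path)
        } catch (e: IOException) {
            println("safe       -> ${e.message}")
        }
    }
}
```

The first name resolves identically in both helpers; the second resolves outside `user_uploads` in the vulnerable helper and is rejected by the hardened one.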

We’re committed to keeping our joint users safe. In serious cases, if a security vulnerability doesn’t get fixed, Google may remove the app from Google Play to keep users safe.

Android Application Security Knowledge Base

We know that it isn’t always enough to just tell you about a vulnerability in your app; you need to know how to fix the issue and how to prevent similar issues from cropping up in the future. To this end, we’re introducing our security guidance and recommendations under a new program: the Android Application Security Knowledge Base (AAKB).

AAKB aims to establish guidelines for writing secure Android software. It’s a repository of common code issues, with remediation examples and explanations for implementing specific code patterns. Organic in nature, new issues are identified automatically for review with experts across the industry – ensuring broad but well-tested approaches and guidance.

Data collected from your engagement with AAKB is used to improve guidance, and to identify how to make the Android ecosystem safer by default.

How Does it Work?

AAKB establishes clear, vetted guidance with code examples. Guidance is aligned to OWASP MASVS standards, and content is vetted in partnership with technical peers, such as Microsoft. This helps ensure the content is not biased to one party and represents state-of-the-art standards. This also provides an educational place for you to proactively remediate security risks in your applications using industry-wide standards, with direct access to information from subject-matter experts.

The guidance is available through two mechanisms:

The AAKB homepage lists each article independently, aligned to the relevant OWASP MASVS category (e.g. MASVS-STORAGE). Anyone can view or provide direct feedback on this content. Security is an ever-changing field, and being able to update guidance on the fly means software development lifecycles can be updated dynamically with as little friction as possible.

Android Studio triggers remediation guidance from lint checks by pointing directly to AAKB articles. You can fix problems as you’re building the app and before they ever reach users.

There are two methods to view remediation guidance with Android Studio:

Existing security lint checks within Android Studio Giraffe+ have had their descriptions updated to include a link to the relevant AAKB article, allowing you to get more context as to why a particular code snippet might be potentially “at-risk”.

Figure 1. Example of a finding with a link to a relevant AAKB article in the Android Studio IDE

Meanwhile, the open-source Android Security lint checks give you access to our most recent guidance and experiments to further protect your mobile applications and get ahead of future security concerns.

Add the open-source checks to your project by following the README. These lint checks all contain click-to-fix functionality that makes it easy for you to write safer code with minimal effort, as well as links to the relevant AAKB articles, like the built-in IDE checks.

Figure 2. Example of an open-source security lint finding, highlighting a vulnerable code snippet and click-to-fix solution

All built-in IDE lint checks can be found in this list, with many under the Security category containing links to relevant AAKB articles. We’d love to hear your feedback and ideas for new lint checks and other improvements to the open-source lint library.
