For security within the application, I am using the method below to generate a key hash.

// Imports the method depends on (android.* classes plus the app's own generated BuildConfig).
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import android.util.Log;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Must live in an Activity (or another Context subclass) because it calls getPackageManager().
private String getKeyHash() {
    PackageInfo info;
    String keyHash = null;
    try {
        // GET_SIGNATURES returns the certificate(s) the APK was signed with.
        info = getPackageManager().getPackageInfo(BuildConfig.APPLICATION_ID, PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // "SHA" is the JCA alias for SHA-1.
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            // Base64-encoded digest of the signing certificate; if there are several
            // signatures, the last one processed is the value returned.
            keyHash = new String(Base64.encode(md.digest(), Base64.NO_WRAP));
            Log.v("KeyHash : ", keyHash);
        }
    } catch (PackageManager.NameNotFoundException e1) {
        Log.v("name not found", e1.toString());
    } catch (NoSuchAlgorithmException e) {
        Log.v("no such an algorithm", e.toString());
    } catch (Exception e) {
        Log.v("exception", e.toString());
    }
    return keyHash;
}

Is there any more effective way of generating a key hash than the method above, for securing the application while calling APIs?

Can we create a SHA256 key, and can this SHA256 key be reverse engineered after building the APK? Please help me with this. Thanks in advance.

Naveen
  • What threat, exactly, are you trying to defend against that this will help prevent? – Ryan M May 07 '20 at 09:43
  • Hi, to avoid reverse engineering of the app and also to add security to the APIs – Naveen May 07 '20 at 09:47
  • At most, this would very slightly slow down an attacker who knows what they're doing, because they'd just swap in the correct value. – Ryan M May 07 '20 at 09:48
  • I am using Proguard for the app, and the above method for securing the APIs. Any other options to add more security? Please help me with this – Naveen May 07 '20 at 09:50
  • You should design your backend such that it doesn't trust the client to provide correct data, and is secure in the face of an arbitrarily modified client. That is the best option to secure your API. A device in the control of a user is not a device you can trust to be running what it says it is. – Ryan M May 07 '20 at 09:53
  • Could you please explain with an example? For now we are adding the key hash (the method posted above in the question) to the APIs for security – Naveen May 07 '20 at 09:55
  • As an example, you should not, say, design a purchase API that allows the client to specify the price to be charged, because a malicious client would say that an expensive item is one cent. – Ryan M May 07 '20 at 09:56
  • Thanks for your response. Any links would be much appreciated, please – Naveen May 07 '20 at 09:59

2 Answers

INSTRUMENTATION FRAMEWORKS

For security within the application, I am using the method below to generate a key hash.

No matter what type of code and how much you obfuscate it, all an attacker needs is to hook into your mobile app during runtime with an open source instrumentation framework, like Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

So the attacker discovers the function you are calling, then hooks it to listen for the return result and exfiltrate it to a command and control server, or simply modifies it to any value he pleases.

REVERSE ENGINEER

Can we create a SHA256 key, and can this SHA256 key be reverse engineered after building the APK?

Yes you can, and my preferred tool for doing it is MobSF - Mobile Security Framework:

Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.

You can read the article How to Extract an API Key from a Mobile App with Static binary Analysis to see how I have used the MobSF to extract the API key, but the procedures will be similar to find and extract any other type of secret.

You can make the secret hard to find with static analysis by hiding it in native C code through the use of the JNI/NDK:

Using Android Studio 2.2 and higher, you can use the NDK to compile C and C++ code into a native library and package it into your APK using Gradle, the IDE's integrated build system. Your Java code can then call functions in your native library through the Java Native Interface (JNI) framework.

For an example implementation see this folder in the Currency Converter Demo, which is the companion mobile app for the article Steal that API Key with a Man in the Middle Attack:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

This article shows you how to use a proxy to carry out a Man in the Middle attack, which is another technique widely used to extract secrets from a mobile app. I find it very useful when I am not able to find the secrets through static analysis.

In the article I am using a very popular open source tool, mitmproxy:

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

LOCK THE API TO THE MOBILE APP

Is there any more effective way of generating a key hash than the method above, for securing the application while calling APIs?

I think what you are looking for is to lock your API server to only accept requests from your mobile app, and if that is the case then please read this reply I gave to the question How to secure an API REST for mobile app? for the sections on Securing the API Server and A Possible Better Solution.

Basically, in that reply you can learn several techniques to defend your API server and try to lock it down to your mobile app with a high degree of confidence.

DO YOU WANT TO GO THE EXTRA MILE?

In any response to a security question I feel the need to reference the excellent work from the OWASP foundation.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

Exadra37
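Ryan M's comment on the question (a purchase API must not let the client name the price) and the "Lock the API to the mobile app" section above come down to the same rule: the server, not the app, is the source of truth. The following is an added example, not code from the question or either answer, showing a handler that trusts the client beside one that treats the request as coming from an arbitrarily modified client; the catalog, item ids, prices and request shape are constructed for the illustration.

```python
# Added example: a purchase endpoint that trusts client-supplied data beside
# one where the server is authoritative. Catalog and requests are constructed.

from dataclasses import dataclass

# Constructed server-side catalog: the only authoritative price list (cents).
CATALOG = {"book": 1999, "headphones": 12900}


@dataclass
class Charge:
    item: str
    amount_cents: int


def purchase_trusting_client(req: dict) -> Charge:
    """Vulnerable: charges whatever amount the client put in the request.
    A modified app, or a replayed request, can set price_cents to 1."""
    return Charge(item=req["item"], amount_cents=int(req["price_cents"]))


def purchase_server_authoritative(req: dict) -> Charge:
    """Hardened: the client may only name an item and a quantity; the price
    comes from CATALOG and every field is validated, never trusted."""
    item = req.get("item")
    if not isinstance(item, str) or item not in CATALOG:
        raise ValueError("unknown item")
    qty = req.get("quantity", 1)
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValueError("invalid quantity")
    # A client-supplied price is ignored outright, not merely compared.
    return Charge(item=item, amount_cents=CATALOG[item] * qty)


def is_rejected(req: dict) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        purchase_server_authoritative(req)
        return False
    except ValueError:
        return True


# Constructed request from a tampered client: a real item with a bogus price.
TAMPERED = {"item": "headphones", "price_cents": 1, "quantity": 1}

if __name__ == "__main__":
    print(purchase_trusting_client(TAMPERED))       # charges 1 cent
    print(purchase_server_authoritative(TAMPERED))  # charges 12900 cents
```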

To start with, refer to the best practices guide by Google HERE and the OWASP Mobile top 10 guide.

However, from personal experience, the above will only help you take care of basic and common security. Being part of a team of highly skilled developers, we still couldn't keep up with the advancements and evolution of modern cyber-attacks owing to the development tasks at hand. Proguard too worked only on a basic level, and the more advanced attacks did manage to bypass it.

What finally worked for us was partnering with a security solution. We chose AppSealing. There are other solutions available as well. Arxan, Appdome, Protectmyapp, Promon are the ones I remember. I am sure there are some more. These solutions will take care of the most recent attacks as well while you can concentrate on the development efforts. The integration is also pretty simple. AppSealing requires you to upload your apk and then download the protected file for distribution.

If you have an app that handles personal and financial information, you should definitely consider these rather than trying to manage security in-house.

Rupesh