Notable coding errors in Kotlin

In May this year, Google announced at its I/O conference that Kotlin is its programming language of choice for Android application developers.

Kotlin is a modern, multi-platform, application-oriented programming language. Since Google made it the language of choice for Android application development, many developers have gradually moved from Java to Kotlin. According to the latest survey, 62 percent of developers use Kotlin to build mobile applications, and another 41% of developers use Kotlin to build web back-end projects.

With the rise of Kotlin, more and more well-known organizations are paying closer attention to the security of mobile applications. A recent joint DHS and NIST study on mobile device security found that application vulnerabilities usually stem from not following secure coding practices, and that these vulnerabilities can cause harm to users' data.

For Kotlin developers, being familiar with the language and learning secure coding for mobile applications is very important. Here are some common vulnerabilities encountered when using Kotlin:

Insecure data storage

The Android ecosystem provides several methods for an application to store data. Which storage type a developer uses depends on the type of data stored, how the data is used, and whether the data should be kept private or shared with other applications.

A common coding mistake is storing sensitive information in plain text. For example, API passwords and PII (Personally Identifiable Information) are often found in an application's Shared Preferences or database. An attacker who can reach the application's data (on a rooted device, through an application backup, etc.) can then retrieve the user's credentials for other applications, and this kind of negligence leads to more and more loss of important data.
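The plaintext mistake beside its fix, as an added example that is not from the original article. It assumes the androidx.security:security-crypto library (EncryptedSharedPreferences backed by an Android Keystore master key) and a hypothetical API token as the value being stored:

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Insecure: the token is written in plain text to
// /data/data/<package>/shared_prefs/session.xml. Anyone who can read the
// app's private directory (rooted device, extracted backup) gets the credential.
fun storeTokenInsecurely(context: Context, token: String) {
    context.getSharedPreferences("session", Context.MODE_PRIVATE)
        .edit()
        .putString("api_token", token)   // "api_token" is a hypothetical key name
        .apply()
}

// Hardened: both preference keys and values are encrypted with a key that lives
// in the Android Keystore, so the XML file on disk holds only ciphertext.
fun storeTokenEncrypted(context: Context, token: String) {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    val prefs = EncryptedSharedPreferences.create(
        context,
        "session_secure",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    prefs.edit().putString("api_token", token).apply()
}

// Reading back uses the same wrapper; the caller never sees the key material.
fun readToken(context: Context): String? {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_secure",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    ).getString("api_token", null)
}
```

Pair this with android:allowBackup="false" in the manifest so the preference files are not exported through the backup path the text mentions.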

Insecure communication

Currently, most mobile applications exchange data in a client-server manner. While communicating, the user's data is transmitted across the mobile operator's network or a WiFi network and the Internet. It is during this process that an attacker can exploit a weak link. If the data transmission does not use SSL/TLS encryption, the attacker can not only monitor the communication data transmitted in the clear, but can also steal the exchanged data and perform a man-in-the-middle attack.

To prevent insecure communication, the network layer must always be considered untrusted, and all communication between the mobile application and the back-end server must be kept encrypted.

Insecure authentication

The input mechanisms of a mobile device, for example 4-digit PIN codes or identity verification based on TouchID-like features, make a mobile application's authentication insecure and vulnerable to attack.

Unless there is a functional requirement, a mobile application does not need to authenticate against a back-end server in real time. Even if there is a back-end server, users usually do not need to be online at all times. This brings great challenges to verifying identity in mobile applications: whenever authentication happens on the device itself, it can be bypassed on a jailbroken device by manipulating or modifying the binary being run.

Insecure authentication is not just about guessed passwords, default user accounts or destroyed data. Sometimes the authentication mechanism can be bypassed entirely, so the system cannot identify the user or record their (malicious) behavior.

Code tampering

Code tampering refers to the following: after an application is downloaded to a device, its code and data are stored on that device. Since most applications are widely available, attackers can modify the code, manipulate memory contents, change or replace system APIs or data, and modify the application's resources.

To prevent code tampering, it is important to be able to detect at run time that the mobile application's code has been added to or changed. The team should then take the appropriate action, such as reporting the code violation to the server or shutting the application down.

There are always people who are better than you. Technology is always evolving, and new application security vulnerabilities will continue to be exposed in the future. By understanding these coding errors and staying vigilant about them, developers can build more secure Android applications and avoid the traps these conditions can lead to.

Reference: sdtimes


Source: www.oschina.net/news/111034/notable-coding-errors-in-kotlin