Android Operating System: Architecture, Security Challenges and Solutions

17 
Using Networking 
Network transactions are inherently risky for security, because it involves transmitting data that is 
potentially private to the user. People are increasingly aware of the privacy concerns of a mobile device, 
especially when the device performs network transactions, so it's very important that user’s app 
implement all best practices toward keeping the user's data secure at all times. 
Using IP Networking 
 
Networking on Android is not significantly different from other Linux environments. The key 
consideration is making sure that appropriate protocols are used for sensitive data, such 
as HttpsURLConnection for secure web traffic. We prefer use of HTTPS over HTTP anywhere that HTTPS 
is supported on the server, because mobile devices frequently connect on networks that are not 
secured, such as public Wi-Fi hotspots. 
Authenticated, encrypted socket-level communication can be easily implemented using 
the SSLSocket class. Given the frequency with which Android devices connect to unsecured wireless 
networks using Wi-Fi, the use of secure networking is strongly encouraged for all applications that 
communicate over the network. 
We have seen some applications use localhost network ports for handling sensitive IPC. We discourage 
this approach since these interfaces are accessible by other applications on the device. Instead, you 
should use an Android IPC mechanism where authentication is possible such as with a Service. (Even 
worse than using loopback is to bind to INADDR_ANY since then user’s application may receive requests 
from anywhere.) Also, one common issue that warrants repeating is to make sure that you do not trust 
data downloaded from HTTP or other insecure protocols. This includes validation of input 
in WebView and any responses to intents issued against HTTP. 

Download 0,84 Mb.

Do'stlaringiz bilan baham: