What You Ought To Know About Android WebViews

July 11th, 2014

androidsecuritylogo.pngDo you use WebViews in your Android app? If you say ‘no’, are you sure? What about 3rd party libraries/SDKs that you have included? Many such as ad libraries, Facebook and LinkedIn use WebViews.

In researching references for AndroidSecurity.guru I realised the use of WebViews is probably the area most overlooked when it comes to security. They are usually used to simplify development in that changes can be made at the server without an app re-install. They are also used by the majority of app creation tools because HTML and Javascript are very easy to dynamically create and run (in WebViews).

The problem is that WebViews come with lots of security holes. There’s generally two areas of concern. The first is classic cross site scripting where, for whatever reason (e.g. WiFi man in the middle attack or server side breach), the app ends up using rogue HTML/Javascript. The second problem area is the bridge from Javascript to app Java code which allows all your app programming interfaces to become visible.

I have some suggestions for tightening up WebView security. However, some of the suggestions might limit the functionality required of your WebViews. Also, it’s difficult to apply these suggestions to 3rd party SDKs, especially when you don’t have the source code.

For apps, for example banking and payment apps, that deal with sensitive data and really have to be secure, I’d think deeply if you really need to be using WebViews or 3rd party SDKs incorporating WebViews.

Related Articles:

Latest Market Research

July 10th, 2014
I am still regularly updating my Pinterest-style site on smartphone market research. Some very recently added links include…
  • US Android Users Most Engaged During Evening with 39 percent Share of Daily Activity
  • Samsung and Apple Devices Dominate Smartphone Device Model Top 20
  • How Many Of The Top 200 Mobile Apps Use Deeplinks?
  • Apps Now Drive Half of All Time Spent on Digital
I have increased the depth of the home web page so that it goes back to last March. Click on ‘previous’ at the bottom to see earlier entries.

Mobile Payments and Banking Market Map

July 7th, 2014
firstpartner.gifThe 2014 edition of FirstPartner’s free Mobile Payments and Banking Market Map is available for download. It shows the key payment and banking services, value chains, providers and gives some key numbers.

The description on the FirstPartner site also gives a great overview of how the payments ecosystem has changed over the last year.

In practice, m-Payment has been slow to get going. Both 2012 and 2013 were predicted to be ‘the year of mobile payment’ but this didn’t happen. While people are executing mobile transactions they tend to be inter-account transfers rather than payment for goods. There’s still a perceived security risk and friction during checkout is causing people to abandon checkouts. People want to pay by mobile. They need a single system that’s easy to use.

Related Articles:

Android Malware War of Words

July 4th, 2014

trendmicro.pngGoogle’s head of Android security, Adrian Ludwig, has said that people buying anti-malware software for Android will probably get no extra protection over that already provided by Google Play services. The risk of potentially harmful applications ending up on users’ devices is significantly overstated and the actual risk of a damaging app being installed is extraordinarily low. Instead of showing how many users are actually affected reports focus on how many potentially malicious app exist and not whether they are ever installed.

Obviously, anti virus vendors have started responding. Trend Micro’s Rik Ferguson says

"Over 46% of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play. [Trend Micro have] so far analysed 3.7 million Android apps and updates, 18% of those apps have been classed as malicious and a further 13% as High Risk."

Rik says Google’s estimation of how many apps are malicious might be wrong because their library of malicious and high-risk apps might be limited. You can only detect what you know about.

So who’s right? It’s certainly true that on the desktop and when doing web site security evaluation it’s best to use more than one tool. However, 13% of Play apps high risk? I don’t think anyone has experienced that kind of number. Then again, it depends what ‘high risk’ means. If this includes apps that are poorly written, have severe vulnerabilities and leak private information as opposed to those that are actively written to be malicious then this number might be true.

Meanwhile, if you are interested in the malware threat you might also look at the Virus Bulletin’s very recent article on how malware authors are obfuscating their code. Turning things around, how malware authors are obfuscating their code can also be used to help protect your apps. There’s also more in my recently updated obfuscation article

Related Articles:

Increase App Discoverability With Deep Linking

July 3rd, 2014


URXblog has recent research that shows that only 22% of apps have added deep link tags to their web sites for at least one mobile operating system. The research shows that some areas such as travel have yet to catch on to the fact that their apps can be better discovered if they use deep linking.
As URXblog says…

"We are at a turning point in the mobile app ecosystem where deeplinking is becoming a priority and not just a feature."

Deep linking is promotion for free so check out the Google and iOS (Registering Custom URL Schemes) documentation. There’s also more information at mobiledeeplinking.org.

UPDATE: URXblog added some additional insights on deep linking.

Related Articles:

How To Write Secure Android Apps

July 2nd, 2014

androidsecuritylogo.pngIf you follow this site you will know I take a special interest in Android security. As a result of a particular project, I have taken an even deeper interest more recently and have come to the conclusion, having read lots of papers and studies, that many Android developers unintentionally make some very poor security decisions when coding. Security isn’t on their radar. However, what with the growing number of vulnerabilities, unpatched OEM devices and malware it’s easy to get caught out. For example Skype, WhatsApp and Samsung have all had embarrassments and it’s well known banking apps leak information.

The good news is that it’s possible to protect sensitive data, for most of the time, by following some simple guidelines. For critical data, such as financial and banking data, it’s also possible to protect it in such way that it’s mathematically impossible to access even when a device has been rooted or malicious code has obtained root privileges.

Most of the Android security sites and books have been written by security researchers and show how to hack Android as opposed to protect apps. I decided to approach the problem from the other direction and have created a free site, AndroidSecurity.guru with Android programming guidelines that can hopefully raise awareness and help developers become Android Security gurus.


Related Articles:

Apps Used More Than the Desktop

July 1st, 2014

comscore.gifComScore has an interesting press release that says that Apps Now Drive Half of All Time Spent on Digital. What’s especially interesting is that Comscore is saying apps are used more, rather than mobile is used more than the desktop. Here’s the split by app category…

One of the main drivers of use of apps rather than the desktop is communication via social networks. This is understandable because the phone is a natural communication device because it’s portable while the desktop isn’t. The top usecase, looking up information, is less obvious and shows that usability must be improving for people to want to use mobile instead of the desktop.

Related Articles:

The Secret of a Successful App

June 30th, 2014

googleio.pngI caught up on Google I/O 14 over the weekend by watching the Android-related videos I hadn’t seen in the week. It turns out the more compelling ones were not specifically about Android.

The session on Perfectly Executing The Wrong Plan gives an example how it’s easy to get excited about an idea and the implementation and ignore the importance of doing market research. It also explains how it’s easy to get misled if you use friends and family when doing market research.

In many ways this session demonstrates the importance of the business model. Just because your idea’s an app or mobile web site doesn’t mean you don’t need a business model. Take a look at Business Model Generation (and the book) and start filling your key activities, partners, resources, cost structure, customer relationships, segments, value propositions, channels and revenue streams. If you are at this stage in the product cycle then you might also want to read my mobile development primer.

A second session I found interesting had actually very little to do with mobile and Android. Biologically inspired models of intelligence given by Ray Kurzweil describes how Google is developing artificial intelligence.

[If you like that session you should also take a look at David Wood’s (of Symbian fame) Anticipating 2025 eBook based on the conference of the same name.]

Related Articles: