1. Introduction

1.1. Building a Secure Smartphone Society

This guidebook is a collection of tips concerning the know-how of secure designs and secure coding for Android application developers. Our intent is to have as many Android application developers as possible take advantage of this, and for that reason we are making it public.

In recent years, the smartphone market has expanded rapidly, and its momentum seems unstoppable. This accelerated growth is driven by the diverse range of applications. A large, unspecified number of key mobile phone functions that were once inaccessible because of security restrictions on conventional mobile phones have been opened to smartphone applications. The resulting availability of varied applications that were once closed to conventional mobile phones is what makes smartphones more attractive.

With the great power of smartphone applications comes great responsibility for their developers. The default security restrictions on conventional mobile phones made it possible to maintain a relative level of security even for applications that were developed without security awareness. As mentioned above, the key advantage of smartphones is that they are open to application developers; if developers design or code their applications without knowledge of security issues, this could lead to leakage of users' personal information, or to exploitation by malware that causes financial damage, such as through illicit calls to premium-rate numbers.

Because Android is a very open model that allows access to many functions on the smartphone, it is believed that Android application developers need to take more care about security issues than iOS application developers. In addition, responsibility for application security is left almost solely to the application developers. For example, applications can be released to the public without any screening from a marketplace such as Google Play (formerly Android Market), though this is not possible for iOS applications.

In conjunction with the rapid growth of the smartphone market, there has been a sudden influx of software engineers from different areas into smartphone application development. As a result, there is an urgent call for sharing knowledge of secure design and for consolidating secure coding know-how for specific security issues related to mobile applications.

Due to these circumstances, Japan's Smartphone Security Association (JSSEC) has launched the Secure Coding Group, which collects know-how on the secure design and secure coding of Android applications and has decided to make all of this information public in this guidebook. It is our intention to raise the security level of many of the Android applications released in the market by having many Android application developers become acquainted with the know-how of secure design and coding. As a result, we believe we will be contributing to the creation of a more reliable and safe smartphone society.

1.2. Timely Feedback on a Regular Basis Through the Beta Version

We, the JSSEC Secure Coding Group, will do our best to keep the content of the Guidebook as accurate as possible, but we cannot make any guarantees. We believe it is our priority to publicize and share the know-how in a timely fashion. Accordingly, we will upload and publicize what we consider to be the latest and most accurate information at that particular juncture, and will update it with more accurate information once we receive any feedback or corrections. In other words, we are taking the beta version approach on a regular basis. We think this approach will be meaningful for the many Android application developers who are planning on using the Guidebook.

The latest version of the Guidebook and sample codes can be obtained from the URL below.

The latest Japanese version can be obtained from the URL below.

1.3. Usage Agreement of the Guidebook

The user must agree to the following two terms and conditions when using this Guidebook.

  1. This Guidebook may contain inaccuracies. Please use this information at your own risk.

  2. If you find any errors contained in this Guidebook, please contact us by e-mail using the contact information below. Please note, however, that we cannot promise to respond to you or to make any corrections.

Japan Smartphone Security Association (JSSEC)

Contact Information

URL: https://www.jssec.org/contact

1.4. Articles Revised from August 29, 2022 Edition

This section lists the revisions made as a result of fact-checking the articles of the previous edition. Each revised article incorporates the results of ongoing research by the authors as well as a wide range of valuable suggestions from readers. In particular, the suggestions that we received are the most important factor in making this revised edition a more practical guide with a higher degree of completeness.

Readers who have been developing apps based on the previous version are requested to take a particular look at the list of revised articles below. The items listed here do not include corrections for typographical errors, changes in organization, or simple improvements in wording.

Any comments, opinions, or suggestions on this Guidebook are greatly appreciated.

Table of Revised Articles

Table 1.4.1 Revised Articles

| Locations revised in the August 29, 2022 edition | Revisions in this revised edition | Description of revision |
|---|---|---|
| 4.1.3.4. Root Activity | 4.1.3.4. Root Activity | Added an explanation on singleInstancePerTask. |
| (Not applicable) | 4.1.3.9. Restrictions on Implicit Intent and Pending Intent | Added an explanation on restrictions on intents in Android 14. |
| 4.2.3.8. Enhanced Safety of Dynamic Broadcast Receiver | 4.2.3.8. Enhanced Safety of Dynamic Broadcast Receiver | Added an explanation on the dynamic broadcast receiver in Android 14. |
| (Not applicable) | 4.4.3.3. Requirement for Specifying of Service Types | Added an explanation on specifying of service types in Android 14. |
| (Not applicable) | 4.4.3.4. Additional Restrictions on Launching Activities from the Background | Added an explanation on launching of activities in Android 14. This article will be updated as soon as operation is verified. |
| (Not applicable) | 4.6.3.9. Partial Access to Images and Videos in Android 14 (API Level 34) | Added an explanation on access to images and videos in Android 14. |
| (Not applicable) | 4.6.3.10. Enhanced Safety of DCL (Dynamic Code Loading) | Added an explanation on restrictions on DCL (Dynamic Code Loading) in Android 14. |
| (Not applicable) | 4.6.3.11. Measures for Preventing Path Traversal by Zip Files | Added an explanation on measures to protect against path traversal vulnerabilities in Android 14. |
| (Not applicable) | 4.10.3.5. Change in Operation for Notifications Indicating Progress | Added an explanation on the difference between Android 14 and earlier versions for the change in operation for notifications indicating progress. |
| (Not applicable) | 5.2.3.12. Installable Minimum Target API Levels | Added an explanation on the installation restrictions for applications in Android 14. |
| (Not applicable) | 5.2.3.13. Media Owner Package Names | Added an explanation on query restrictions on media owners in Android 14. |