1. Introduction

1.1. Building a Secure Smartphone Society

This guidebook is a collection of tips concerning the know-how of secure designs and secure coding for Android application developers. Our intent is to have as many Android application developers as possible take advantage of this, and for that reason we are making it public.

In recent years, the smartphone market has witnessed a rapid expansion, and its momentum seems unstoppable. Its accelerated growth is brought on due to the diverse range of applications. An unspecified large number of key functions of mobile phones that were once not accessible due to security restrictions on conventional mobile phones have been made open to smartphone applications. Subsequently, the availability of varied applications that were once closed to conventional mobile phones is what makes smartphones more attractive.

With great power that comes from smartphone applications comes great responsibility from their developers. The default security restrictions on conventional mobile phones had made it possible to maintain a relative level of security even for applications that were developed without security awareness. As it has been aforementioned with regard to smartphones, since the key advantage of a smartphone is that they are open to application developers, if the developers design or code their applications without the knowledge of security issues then this could lead to risks of users’ personal information leakage or exploitation by malware causing financial damage such as from illicit calls to premium-rate numbers.

Due to Android being a very open model allowing access to many functions on the smartphone, it is believed that Android application developers need to take more care about security issues than iOS application developers. In addition, responsibility for application security is almost solely left to the application developers. For example, applications can be released to the public without any screening from a marketplace such as Google Play (former Android Market), though this is not possible for iOS applications.

In conjunction with the rapid growth of the smartphone market, there has been a sudden influx of software engineers from different areas in the smartphone application development market. As a result, there is an urgent call for the sharing knowledge of secure design and consolidation of secure coding know-how for specific security issues related to mobile applications.

Due to these circumstances, Japan’s Smartphone Security Association (JSSEC) has launched the Secure Coding Group, and by collecting the know-how of secure design as well as secure coding of Android applications, it has decided to make all of the information public with this guidebook. It is our intention to raise the security level of many of the Android applications that are released in the market by having many Android application developers become acquainted with the know-how of secure design and coding. As a result, we believe we will be contributing to the creation of a more reliable and safe smartphone society.

1.2. Timely Feedback on a Regular Basis Through the Beta Version

We, the JSSEC Secure Coding Group, will do our best to keep the content contained in the Guidebook as accurate as possible, but we cannot make any guarantees. We believe it is our priority to publicize and share the know-how in a timely fashion. Equally, we will upload and publicize what we consider to be the latest and most accurate correct information at that particular juncture, and will update it with more accurate information once we receive any feedback or corrections. In other words, we are taking the beta version approach on a regular basis. We think this approach would be meaningful for many of the Android application developers who are planning on using the Guidebook.

The latest version of the Guidebook and sample codes can be obtained from the URL below.

The latest Japanese version can be obtained from the URL below.

1.3. Usage Agreement of the Guidebook

We need your consent for the following two precautionary statements when using the Guidebook.

  1. The information contained in the Guidebook may be inaccurate. Please use the information written here by your own discretion.
  2. In case of finding any mistakes contained in the Guidebook, please send us an e-mail to the address listed below. However, we cannot guarantee a reply or any revisions thereof.

Japan Smartphone Security Association

Secure Coding Group Inquiry

E-mail: jssec-securecoding-qa@googlegroups.com

Subject: [Comment] Android Secure Coding Guidebook 20191201EN

Content: Name (optional), Affiliation (optional), E-mail (optional), Comment (required) and Other matters (optional)

1.4. Correction articles of December 1, 2019 edition

This section provides a list of corrections and modifications for the previous edition from the viewpoint of security, as a result of further studies.

In correcting articles, we adopted the outcomes of our studies and the valuable opinions of those who read the former editions of this guidebook.

Especially, taking in readers’ opinions is considered as a key factor in making the document highly practical.

We recommend, for those who use a previous edition of the document as a reference, taking a look at the list below. Note that the list does not include the following kinds of changes and error corrections: fixes of typos, organizational changes, and improvements in expression.

Any comments, opinions or suggestions on this guidebook are greatly appreciated.

Table 1.4.1 List of revisions
Section revised in 12/1/2019 version Section revised in this version Revision
3.1.1.2. Function Assets of an Android Smartphone 3.1.1.2. Function Assets of an Android Smartphone Added an explanation that the update info on the funcational assects.
(not applicable) 4.6.3.7. Application of Scoped Storage in Android 11 (API Level 30) Added an explanation that the scoped storage on Android 11.0(API Level 30).
5.2.3.6. Modifications to the Permission model specifications in Android versions 6.0 and later 5.2.3.6. Modifications to the Permission model specifications in Android versions 6.0 and later Added an explanation that the one time permissions on Android 11.0(API Level 30).
(not applicable) 5.2.3.7. Function That Automatically Resets Unused App Permissions in Android 11.0 and Later Added an explanation that the auto reset permissions on Android 11.0(API Level 30).
(not applicable) 5.5.3.5. Data Access Auditing on Android 11 Added an explanation that the data access auditing and the sample code on Android 11.0(API Level 30).
(not applicable) 5.5.3.6. Location Information Access on Android 11 Added an explanation that the location information access on Android 11.0(API Level 30).
(not applicable) 5.6.3.6. Conscrypt Module Added an explanation that the Conscrypt module and the difference between Android 9 / Android 10.
(not applicable) 5.7.3.2. Changes to Biometric Authentication on Android 11 Added an explanation that the changes of biometric authentication features on Android 11.0(API Level 30).