Android Application Secure Design/Secure Coding Guidebook
The content of this guide is up to date as of the time of publication, but standards and environments are constantly evolving. When using sample code, make sure you are adhering to the latest coding standards and best practices.
JSSEC and the writers of this guide are not responsible for how you use this document. Full responsibility lies with you, the user of the information provided.
Android is a trademark or a registered trademark of Google Inc. The company names, product names and service names appearing in this document are generally the registered trademarks or trademarks of their respective companies. Further, the registered trademark ®, trademark (TM) and copyright © symbols are not used throughout this document.
Parts of this document are copied from or based on content created and provided by Google, Inc. They are used here in accordance with the provisions of the Creative Commons Attribution 3.0 License
Revision history
- 2014-04-01
Initial English Edition
- 2014-07-01
- Added new articles below
- 2015-06-01
- We have reviewed the entire document in accordance with the following policy
Change of development environment (Eclipse -> Android Studio)
Responding to Android latest version Lollipop
Change of API Level (8 or later -> 15 or later)
- 2016-02-01
- Added new articles below
- Revised article below
- 2016-09-01
- Revised articles below
- 2017-02-01
- Added new articles below
- Revised articles below
- Deleted the section below
4.8.3.4 BuildConfig.DEBUG Should Be Used in ADT 21 or Later
- We have reviewed the entire document in accordance with the following policy
All discussions in the main text concerning Android 4.0.3 (API Level 15) and earlier versions have been deleted or moved to footnotes.
- 2018-02-01
- Added new articles below
- Revised articles below
- 2018-09-01
- Added new articles below
- Revised articles below
4.5.3.6. [Reference] Encrypt SQLite Database (SQLCipher for Android)
5.2.1.2. How to Communicate Between In-house Applications with In-house-defined Signature Permission
5.4.3.2. Install Root Certificate of Private Certificate Authority to Android OS's Certification Store
5.4.3.8. (Column): Transitioning to TLS1.2/TLS1.3 for secure connections
- 2019-12-01
- Added new articles below
- Revised articles below
4.1.3.1. Combination of Exported Attribute and Intent Filter Setting (For Activity)
4.4.3.1. Combination of Exported Attribute and Intent-filter Setting (In the Case of Service)
4.6.3.5. Revised specifications in Android 7.0 (API Level 24) for accessing specific directories on external storage media
5.2.3.6. Modifications to the Permission model specifications in Android versions 6.0 and later
5.4.3.8. (Column): Transitioning to TLS1.2/TLS1.3 for secure connections
5.5.1.2. Broad consent is granted: Applications that incorporate application privacy policy
5.6.2.2. Use Strong Algorithms (Specifically, Algorithms that Meet the Relevant Criteria) (Required)
5.6.3.3. Measures to Protect against Vulnerabilities in Random-Number Generators
- 2020-11-01
- Added new articles below
- Revised articles below
- 2021-10-19
- Added new articles below
- Revised articles below
- 2022-01-17
- Revised articles below
- 2022-08-29
- Added new articles below
- Revised articles below
Note: For a detailed description of these revisions, see Section “1.4. Articles Revised from January 17, 2022 Edition”
In preparing a new version for public release, we have revised the content of this guidebook based on opinions, comments and suggestions received from readers.
Published by
Japan Smartphone Security Association Secure Coding Working Group, Smartphone Technology Committee
Leader |
Tsutomu Miyazaki |
LAC Co. ltd. |
Member |
Pantuhong Sorasiri |
LAC Co. ltd. |
Akihiro Shiota |
NTT DATA Corporation |
|
Teruaki Honma |
KDDI CORPORATION |
|
Harunobu Agematsu |
KDDI CORPORATION |
(In no particular order)