security-showcase-android
kotomisak
121
Visit GitHub RepoSecurity

Security showcase

Sample application was suspended from GooglePlay because it again: violates the deceptive device settings changes policy. Even when I already fixed first violation.
It's again because of usage of BIND_DEVICE_ADMIN for API 19. Since I have been actively working on version 3 of the KeystoreCompat library, I will solve this violation alongside with releasing that new library version

SecurityShowcase

License

Branch Status
master Build Status
developV2 Build Status
developV3 Build Status

This is sample application pointing some security related practices on Android device.
SecurityShowcase architecture is MVVM based on Google's architecture component.
Complete server-side endpoint implementation for this project is available on GitHub KoTiNode.

Android keystore

Android keystore basics

SecurityShowcase application contains example of using standard Android Security with the Keystore. All Android Keystore related stuff is bundled in KeystoreCompat library (available in this source code).

KeystoreCompat library should help to prevent pain when starting work with keystore from the official documentation or StackOverflow discussion. The main point of this library is to provide the same services for all backward (...Compat) supported API versions (19+). The backward support is something, what all available libraries and blog posts lacks!


[KeystoreCompat documentation](./android-keystore-compat/readme.md)
KeystoreCompat variant Readme JCenter
KeystoreCompat default (K+) KeystoreCompat Download
KeystoreCompat L+ KeystoreCompat-elPlus Download
KeystoreCompat M+ KeystoreCompat-emPlus Download

KeystoreCompat princip



STRV

Encrypted Realm

For sample implementation of the Realm persistence encryption look at DB Showcase repository.
Related article describing this encryption is available on Medium Encrypted Realm & Android Keystore

Rooted device detection

Very lightweight but powerful solution is using RootBear library which is also used by KeystoreCompat library.
Another solution is to use robust google solution SafetyNet (used for example by AndroidPay solution). SafetyNet is complex online/offline device checking solution, but it requires Google Play Services dependency.

Json Web Token

SecurityShowcase backend/client is using Json Web Token (JWT) to wrap all authentization payload. JWT RFC 7519 is in fact base64 string (easy to transfer in header) containing lot of information and is readable by anyone. JWT is signed by the server, so server can verify JWT (returning from the client) to be not malformed.

How does the process works?

LOGIN PHASE / AUTHENTICATION

  • client/app sends credentials (username/password) and requests authentication token (JWT)
  • server creates JWT (based on correct credentials) and sign this token with the secret. JWT also contains additional information related to authentized user.
  • client/app obtain proper JWT containing all information about the user and will store this token for the future use.

SECURED REQUESTS / AUTHORIZATION

  • client/app bundle JWT to header of any secured request
  • server verify obtained JWT against original secret (to be not malformed) and then use any information (token validity, users role, users id ...) in the token to authorize user for current operation.

GraphQL

Showcase contains sample implementation of communication with the graphql endpoint (besides the REST).

Apollo client

Official Apollo Android doc

Graph schema

schema.json definition file is not composed manually, but is always completely downloaded from the server. Before download just ensure you have already installed apollo-codegen. If not install it by using npm install apollo-codegen
Generate schema.json using this command apollo-codegen download-schema http://kotopeky.cz/graphql --output schema.json

GraphiQL

GraphiQL console allows to try call query manually, let's try it here:

Login GraphiQL

About GraphQl on the web

02/2017 Using Apollo client for Android 0.1.0
04/2017 Using Apollo client for Android 0.3.0

SecurityShowcase gradle notes

Switch keystore-compat-dependency local/maven To use keystore compat directly from local sources uncomment keystore.compat.dependency.type=local in gradle.properties

Build sample app

  • ./gradlew assembleRostiRelease

Dependency diagnostic

  • ./gradlew dependencyReport --configuration compile
  • ./gradlew dependencyInsighty --configuration compile --dependency com.android.support:appcompat-v7
  • ./gradlew dependencyInsighty --configuration compile --dependency org.jetbrains.kotlin:kotlin-stdlib
Become a better Android Developer
Millions of developers are learning at MindOrks

Online Training Program

Featured Blogs

Our Team

MindOrks is Certainly one of the best online blog to stay on top of all the Android development news, coding and design patterns. Finally a blog I can count on to keep myself updated with latest and greatest things happening in Android world.

Vipul Shah
Android Developer
Microsoft

Become Pro in Android by watching videos

OUR LEARNERS WORK AT