Validations and Security


Security in mobile application development is a fundamental aspect that every programmer must consider. Vulnerabilities in the code can expose sensitive user data, compromising their privacy and your company's reputation. Fortunately, there are specialized tools that allow us to detect and correct these problems before they become real security breaches.

How to detect vulnerabilities in our applications?

IT security is a constantly evolving field, and keeping up to date with best practices is essential. One of the most respected organizations in this field is the Open Web Application Security Project (OWASP), founded in 2001 by Mark Curphey. Its open source projects are dedicated to identifying and combating insecure software.

Among the tools OWASP offers is OWASP Dependency-Check, a software composition analysis (SCA) utility. Rather than inspecting the code we write, it inventories the third-party libraries our project depends on and matches each one against a database of publicly known vulnerabilities. Catching a vulnerable library this way lets us update or replace it before the application goes into production.

Implementing OWASP Dependency Check in Android Studio

To implement this tool in our Android project, we must follow these steps:

  1. Declare the org.owasp.dependencycheck Gradle plugin in the build.gradle file at the project level.
  2. Apply the plugin, together with its configuration, in the build.gradle at the application level.
  3. Synchronize the project so Gradle resolves the plugin.
  4. Run the analysis from the Android Studio terminal with the Gradle task:
./gradlew dependencyCheckAnalyze

The report is written under the module's build/reports directory. The first run downloads the National Vulnerability Database (NVD) feed, which catalogues each vulnerability under a CVE identifier and rates its severity with a CVSS score; later runs only fetch updates. Because a match is made on the library's name and version, expect some false positives and review each finding rather than silencing the tool.

Optimizing the analysis with an API Key

To make our queries faster and more efficient, it is advisable to obtain an API Key from the National Vulnerability Database:

  1. Visit the developer section on the NVD page.
  2. Complete the form with:
    • Name of the organization or application
    • Email address
    • Type of organization
  3. Accept the terms and conditions.
  4. Receive the API Key in the email provided.

Once the key is obtained, we pass it to Dependency-Check through its nvd configuration block at the application level. The key does not unlock any privileged data; it only raises the rate limit NVD applies to anonymous clients, which makes the initial download and later updates much faster. Treat it like any other credential: read it from an environment variable or from a gradle.properties file outside the repository instead of writing it into build.gradle, which is committed to version control.
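Putting the four setup steps and the API key together, this is what the application-level Gradle file can look like with the Kotlin DSL. It is an added example, not the course's own project file or the plugin's documentation: the plugin version is a placeholder, the NVD_API_KEY variable and the nvdApiKey property are names chosen for this example, and the suppression file path is assumed.

```kotlin
// app/build.gradle.kts  (added example; not the course's own file)
plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
    // Placeholder version: use the current release of the plugin
    id("org.owasp.dependencycheck") version "10.0.4"
}

dependencyCheck {
    nvd {
        // The key only raises NVD's rate limit; keep it out of the repository.
        // NVD_API_KEY (env var) and nvdApiKey (~/.gradle/gradle.properties)
        // are names assumed for this example.
        apiKey = System.getenv("NVD_API_KEY")
            ?: project.findProperty("nvdApiKey") as String?
    }

    // Break the build when any dependency carries a CVSS base score of 7.0
    // (High) or above. The default, 11.0, can never be reached, so without
    // this line the analysis only warns.
    failBuildOnCVSS = 7.0f

    // HTML for people, JSON for CI scripts; both land in build/reports/
    formats = listOf("HTML", "JSON")

    // Reviewed false positives, each with its CVE and a written reason,
    // so the build stays green without silencing real findings.
    suppressionFile = "config/dependency-check-suppressions.xml"

    analyzers {
        // Analyzers that do not apply to an Android/Kotlin project;
        // the .NET assembly analyzer otherwise needs dotnet installed.
        assemblyEnabled = false
        nodeEnabled = false
    }
}
```

Run it with the key in the environment, for example NVD_API_KEY=... ./gradlew dependencyCheckAnalyze; the report appears at app/build/reports/dependency-check-report.html. Because failBuildOnCVSS is set, the same command doubles as a CI gate: a High or Critical finding stops the pipeline instead of being buried in a report nobody opens.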

How to protect sensitive data in our application?

Even if our application does not present security problems in the analysis, it is always advisable to implement additional measures, especially if we handle sensitive information. A common practice is to stop what is on screen from leaking out of the app: Android shows a thumbnail of each window in the recent-apps switcher, and the user, or another app, can take a screenshot or record the screen while sensitive data is visible.

To implement this security measure, we can add the following code to onCreate in our MainActivity, before setContentView:

import android.os.Bundle
import android.view.WindowManager

override fun onCreate(savedInstanceState: Bundle?) {
    super.onCreate(savedInstanceState)
    // FLAG_SECURE marks the window as holding sensitive content: Android blanks
    // its thumbnail in the recent-apps switcher and refuses screenshots,
    // screen recording and output to non-secure displays.
    window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
    setContentView(R.layout.activity_main)
}

This simple addition blanks the activity's thumbnail in the multitasking view and blocks screenshots and screen recording while it is in the foreground, so the sensitive information shown there is not captured. Two caveats: the flag belongs to a window, so a Dialog or bottom sheet that shows sensitive data needs it set on its own window as well, and it is enforced by the platform rather than the hardware, so a rooted device or a modified system image can still capture the screen. It is a mitigation against careless screenshots and shoulder-surfing, not a substitute for protecting the data itself.

How to improve the readability of our code?

In addition to security, code readability is crucial for long-term maintenance and collaboration with other developers. For this, we can use tools like ktlint, a linter and formatter for Kotlin that works as a "spell checker" for our code: it enforces the official Kotlin coding conventions (and optionally the Android Kotlin style guide) rather than looking for vulnerabilities.

Implementing ktlint in Android Studio

To incorporate ktlint in our project, the simplest route is the ktlint Gradle plugin (org.jlleitschuh.gradle.ktlint):

  1. Add the plugin in the build.gradle file.
  2. Synchronize the project.
  3. Run the analysis from the terminal with:
./gradlew ktlintCheck

This task checks all our Kotlin sources and reports each violation with its file, line and rule, for example unnecessary whitespace or a missing blank line between code and comments. The plugin also wires ktlintCheck into the standard check task, so the same violations fail the build in CI.

To automatically apply the suggested corrections, we can run:

./gradlew ktlintFormat

ktlint will fix every violation whose rule supports auto-correction (indentation, spacing, import ordering and the like), significantly improving the readability and consistency of our code. Rules that cannot be corrected automatically are still reported, and, as with any automated rewrite, the formatted files should be reviewed in the diff before committing.
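The same Kotlin DSL file can carry the ktlint configuration. This is an added example, not the course's own file or the plugin's documentation; the plugin version is a placeholder and the exclusion pattern is assumed.

```kotlin
// app/build.gradle.kts  (added example; not the course's own file)
import org.jlleitschuh.gradle.ktlint.reporter.ReporterType

plugins {
    // Placeholder version: use the current release of the plugin
    id("org.jlleitschuh.gradle.ktlint") version "12.1.1"
}

ktlint {
    android.set(true)          // Android Kotlin style guide instead of the default
    ignoreFailures.set(false)  // ktlintCheck (and therefore check) fails on a violation
    reporters {
        reporter(ReporterType.PLAIN)       // readable in the terminal
        reporter(ReporterType.CHECKSTYLE)  // machine-readable for CI dashboards
    }
    filter {
        exclude("**/generated/**")         // do not lint code we did not write
    }
}
```

With this in place, ./gradlew ktlintCheck reports and ./gradlew ktlintFormat rewrites. The plugin also provides an addKtlintFormatGitPreCommitHook task that installs a git pre-commit hook, so staged Kotlin files are formatted before every commit and style noise never reaches code review.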

The implementation of these validation tools allows us to develop more secure applications with cleaner code. Remember that security is not an end state but an ongoing process that requires constant attention. Have you used any of these tools in your projects? Share your experience in the comments.
