Posted by: Bessie Jiang – Software Engineer, Chris Schneider – Security Engineer
Contributors: Maciej Szawłowski – Security Engineer, Hannah Barnes – Technical Program Manager, Dirk Göhmann – Technical Writer, Patrick Mutchler – Software Engineer
Security is hard, but it’s essential to protect your users and their data. We help you build more secure Android apps with fewer vulnerabilities, and create a safer Android ecosystem for everyone.
Vulnerability detection – how it works
Google currently scans every app on Google Play for dozens of common classes of security vulnerabilities. If we find any issues, we’ll let you know so you can fix them. Imagine a penetration testing team hunting for bugs in each of the millions of apps published to Play, rooting out issues like improper TLS configurations that expose network traffic, or directory traversal vulnerabilities that allow an adversary to read and write an app’s private files.
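The directory traversal class mentioned above, as an added example that is not code from this post or from Google: a hypothetical Android ContentProvider (the `ReportProvider` class, its `reports` sub-directory and the `content://<authority>/reports/<name>` URI layout are all assumptions) with the vulnerable file-open pattern next to a hardened version that canonicalises the requested path and checks that it still lies inside the private directory before opening it.

```kotlin
import android.content.ContentProvider
import android.content.ContentValues
import android.database.Cursor
import android.net.Uri
import android.os.ParcelFileDescriptor
import java.io.File
import java.io.FileNotFoundException

/**
 * Hypothetical provider that exposes report files stored under
 * <app private files>/reports/. Callers request a file with
 * content://<authority>/reports/<name>. (Added example, not from the post.)
 */
class ReportProvider : ContentProvider() {

    private val baseDir: File by lazy { File(checkNotNull(context).filesDir, "reports") }

    // VULNERABLE pattern: the last path segment is used as a file name without
    // checking where it resolves. Uri.getLastPathSegment() returns the *decoded*
    // segment, so a caller-supplied "..%2F..%2Fshared_prefs%2Fprefs.xml" becomes
    // "../../shared_prefs/prefs.xml" and the File ends up outside baseDir, letting
    // another app read (or, with a writable mode, overwrite) private files.
    // Kept only to show what the scanner flags; it is not wired up as the override.
    @Suppress("unused")
    private fun openFileUnsafe(uri: Uri, mode: String): ParcelFileDescriptor {
        val name = uri.lastPathSegment ?: throw FileNotFoundException(uri.toString())
        val file = File(baseDir, name)
        return ParcelFileDescriptor.open(file, ParcelFileDescriptor.parseMode(mode))
    }

    // HARDENED version: canonicalise and confirm containment before opening, and
    // hand out read-only descriptors because this provider never needs to grant writes.
    @Throws(FileNotFoundException::class)
    override fun openFile(uri: Uri, mode: String): ParcelFileDescriptor {
        val name = uri.lastPathSegment ?: throw FileNotFoundException(uri.toString())
        val file = resolveInside(baseDir, name) ?: throw FileNotFoundException(uri.toString())
        return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY)
    }

    // Minimal implementations of the remaining abstract methods; this provider only serves files.
    override fun onCreate(): Boolean = true
    override fun query(uri: Uri, projection: Array<String>?, selection: String?,
                       selectionArgs: Array<String>?, sortOrder: String?): Cursor? = null
    override fun getType(uri: Uri): String? = "application/octet-stream"
    override fun insert(uri: Uri, values: ContentValues?): Uri? = null
    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int = 0
    override fun update(uri: Uri, values: ContentValues?, selection: String?,
                        selectionArgs: Array<String>?): Int = 0
}

/**
 * Returns the canonical file for [name] if it resolves strictly inside [base], else null.
 * Plain Kotlin with no Android dependency, so the containment rule can be unit tested on the JVM.
 * canonicalFile also resolves symbolic links, so a link inside [base] that points
 * elsewhere is rejected as well.
 */
fun resolveInside(base: File, name: String): File? {
    val canonicalBase = base.canonicalFile
    val candidate = File(canonicalBase, name).canonicalFile
    // Compare with a trailing separator so that "reports" does not accept "reports_old/x".
    val prefix = canonicalBase.path + File.separator
    return if (candidate.path.startsWith(prefix)) candidate else null
}
```

On a JVM, `resolveInside(File("reports"), "../other")` returns null while `resolveInside(File("reports"), "q1.txt")` returns the canonical `reports/q1.txt`; the prefix comparison is done on canonical paths on both sides so that platform symlinks such as a linked temp directory do not cause false rejections. A provider like this should also be exported only when it must be, and protected with a permission or `grantUriPermissions` so that the containment check is the second line of defence rather than the only one.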
We are committed to protecting our shared users. In severe cases, if security vulnerabilities are not fixed, Google may remove your app from Google Play to keep our users safe.
Android Application Security Knowledge Base
We know that just telling you about app vulnerabilities isn’t enough — you also need to know how to fix the issues and how to prevent similar issues from happening in the future. To this end, we’re introducing security guidance and recommendations in a new program called the Android Application Security Knowledge Base (AAKB).
The AAKB aims to establish guidelines for writing secure Android software. It is a repository of common code issues, with example fixes and instructions for implementing specific code patterns. In essence, new issues are identified automatically and reviewed by experts across the industry to ensure a wide range of well-tested approaches and guidance.
Data collected from our collaboration with AAKB will be used to improve our guidance and identify ways to make the Android ecosystem more secure by default.
How does it work?
AAKB establishes clear, vetted guidance with code examples. The guidance is aligned with OWASP MASVS standards, and content is vetted in partnership with technical stakeholders such as Microsoft. This ensures that content is not biased and reflects state-of-the-art standards. It also provides an educational platform for proactively remediating application security risks using industry standards and direct access to subject matter expert knowledge.
Guidance is available through two mechanisms:
The AAKB homepage lists each article individually under the relevant OWASP MASVS category (e.g. MASVS-STORAGE), and anyone can view this content and provide feedback directly. Security is a constantly changing field, and being able to update guidance on the fly means that new recommendations reach the software development lifecycle with as little friction as possible.
Android Studio triggers remediation guidance from lint checks with direct references to AAKB articles, allowing you to fix issues while you’re building your app, before they reach your users.
There are two ways to view remediation guidance in Android Studio:
The descriptions of existing security lint checks in Android Studio Giraffe+ have been updated to include links to relevant AAKB articles, providing more context about why a particular code snippet may be potentially “dangerous.”
Meanwhile, the open-source Android Security Lint checks give you access to the latest guidance and experiments to better protect your mobile applications and get ahead of future security concerns.
Follow the README to add the open source checks to your project. All of these lint checks include click-to-fix functionality to help you write more secure code with minimal effort, and, like the built-in IDE checks, they link to the related AAKB articles.
All built-in IDE lint checks can be found in this list, and many of the security categories include links to relevant AAKB articles. We welcome your feedback and suggestions for new lint checks or other improvements to our open source lint library.