Chapter 6. Securing Server Interactions

The previous chapters have all dealt with data stored on the Android device. Now, we move on to securing data transmission off of the device to other parties, notably servers that the client application interacts with. In this case, we make use of some of the cryptographic constructs that we introduced previously, and look at mechanisms that Android shares with other common platforms. As always, the risk analysis of the data we are transferring over the network will dictate the level of protection we need to include.

Confidentiality and Authentication

When data is being sent off of the device to somewhere else, a security-minded developer must weigh two primary considerations. The first is authentication. In this context, we refer to the capability of verifying that the entity we are communicating with, either sending data to or receiving data from, is the entity that we think it is. This is important for many reasons. First, we may want to ensure that a computer to which we are uploading data from the device is an entity that should have it. Thus, in our example of a social media aggregator, we should send the Facebook username and password only to a Facebook server. Otherwise, we may be exposing confidential data to a party that should not have access to it, which must be avoided. Also, we may want to download data only from a trusted source. If our social media aggregator does not verify that the server it is talking to really belongs to ...
