
What is APK?

Mar 12, 2018 7:00:00 AM / by AppSolid Team


Android application package (APK) is the package file format used to distribute and install apps on Android devices, including tablets and smartphones. The format uses the extension .apk or .xapk, just as Microsoft Word files use .doc or .docx. An APK contains all of a program's code together with other information such as its signing certificates and its manifest file.

Introducing APK: The Basics

Android apps are distributed as APK files. These packages are like giant boxes that contain everything a program needs to run. Under the hood, an APK is a ZIP archive into which those files are compressed.

Both apps downloaded directly from the Play Store and apps from other sources must be packaged in APK format. Most users install APKs simply by downloading an app from the Play Store, but it is also possible to install an APK file manually.

The size of an APK varies greatly depending on the amount of information contained in the file, as well as whether the file has been compressed. Android Studio automatically creates APK files, allowing developers to seamlessly build their apps to be compatible with Android. APK Analyzer in Android Studio allows developers to easily analyze their apps for bugs and other common issues.

What’s in an APK?

APKs are home to the following directories:

  • assets/: Houses the app's raw asset files, which the app retrieves at runtime through an AssetManager object.
  • META-INF/: Home to the signing data: the signature file CERT.SF, the signature block CERT.RSA (which carries the signer's certificate), and the archive manifest, stored as MANIFEST.MF, which lists a digest for every packaged file.
  • res/: Resources that are not compiled into resources.arsc.
  • lib/: Compiled native code, with a subdirectory for each supported processor architecture.

A number of files are also included in an APK. Those include:

  • classes.dex: Classes compiled into the DEX file format, which the Dalvik and ART virtual machines execute.
  • resources.arsc: Compiled resources. It holds the XML content of every res/values folder configuration, which the packaging tool extracts, compiles into binary form, and archives.
  • AndroidManifest.xml: The only mandatory file, this is the app's core manifest. It declares the app's name and version, the library files it references, and the access rights (permissions) it requests.

APK Size: An Issue Developers Must Consider


Because an APK contains a veritable cornucopia of data, it can be quite large. Android’s developer guide advises that users may avoid downloading very large APKs. This is both for practical and security reasons. Users on the go may be forced into slow downloads, while those in emerging markets may only have access to spotty 2G and 3G networks. Additionally, users may be suspicious of unusually large APKs, worrying that they contain lots of bloat, unnecessary apps or data, or even malware.

APK size can also affect how quickly an app loads, the amount of memory it uses, and the power it consumes. This, in turn, can affect the functionality of a user’s device. Users who find that their device runs more slowly while using your app may switch to a competitor. A few simple strategies can shrink your APK, making it more manageable for users and less time-consuming to download.

Those include:

  • Remove underutilized resources. A code analyzer such as Android Studio's Lint can detect resources your code doesn't actually reference so that you can remove them.
  • Support only specific screen densities. Android supports a wide range of devices, and for good reason: doing so maximizes the base of potential users. But if you know that none, or very few, of your users rely on devices with particular densities, consider no longer bundling those resources into the app.
  • Reduce the resource use of libraries. A library designed for a desktop or server may contain much that your app does not need. You can edit library files if the license allows it, or switch to a mobile-friendly library that provides the functionality your app actually uses.
  • Recycle resources. Recycling works for apps, too. It's possible to include separate resources for every variation of an image, but it's less resource-intensive to reuse one set of resources and customize them as needed at runtime.
  • Downsize files. A variety of tools, including aapt, can optimize PNG image resources with lossless compression. Compressing PNG and JPEG files offers similar benefits: the pngcrush tool in Android Studio is especially adept at compressing PNG files, while packJPG can shrink JPEG files. Another option is the WebP file format instead of PNG or JPEG.
  • Switch to vector graphics. Vector graphics are a simple way to use less space, but the system can take a while to render them. So consider vector graphics for small images, and compress the remaining graphic files.
  • Get rid of unnecessary code. Some protocol buffer tools generate a large set of classes and methods that can greatly increase the size of your app. You don't need all of this code.
  • Remove debugging symbols once your app is no longer in development.
  • Split your app into several APKs. You can segment the app, differentiating APKs by GPU texture support and the like, so that users receive the right APK when they download your app.

And perhaps most importantly, know what’s actually in your APK. In today’s development environment, even novices can develop and market an app—sometimes without writing much code, or any code at all. Recycled code from a prior version of your app, code copied from someone else’s app, and code copied from message boards can present numerous issues. They may contain malware and other security issues. They can also bloat the size of your APK, creating a miserable user experience.
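The following is an added example, not code from the original post or from AppSolid: it opens an APK as the ZIP archive it is, totals the uncompressed and compressed bytes per component described in "What's in an APK?" (assets/, META-INF/, res/, lib/, classes.dex, resources.arsc, AndroidManifest.xml), lists the native ABI directories under lib/, and reports missing v1 signature files. The sample APK it builds is a constructed stand-in, not a real or signed app, and the category labels are the example's own.

```python
import io
import zipfile

# Top-level APK layout as described in the post (directory names are lowercase on disk).
CATEGORIES = [("assets/", "assets"), ("META-INF/", "signing metadata"), ("res/", "resources"),
              ("lib/", "native code"), ("resources.arsc", "compiled resources"),
              ("AndroidManifest.xml", "manifest")]

def categorize(name):
    """Map a ZIP entry name to one of the APK component categories."""
    for prefix, label in CATEGORIES:
        if name.startswith(prefix):
            return label
    # Multidex apps ship classes2.dex, classes3.dex, ... next to classes.dex.
    if name.startswith("classes") and name.endswith(".dex"):
        return "dex code"
    return "other"

def inspect_apk(data):
    """Return (sizes, abis, missing) for an APK given as bytes; sizes maps category -> (raw, deflated)."""
    sizes, abis, names = {}, set(), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            names.append(info.filename)
            total = sizes.setdefault(categorize(info.filename), [0, 0])
            total[0] += info.file_size
            total[1] += info.compress_size
            if info.filename.startswith("lib/"):
                abis.add(info.filename.split("/")[1])
    missing = [] if "AndroidManifest.xml" in names else ["AndroidManifest.xml"]
    # v1 (JAR) signing leaves *.SF plus *.RSA/*.DSA/*.EC under META-INF/. v2+ signatures sit in
    # the APK Signing Block instead, so a v1 gap alone is not proof that the APK is unsigned.
    if not any(n.startswith("META-INF/") and n.endswith(".SF") for n in names):
        missing.append("v1 signature file (META-INF/*.SF)")
    if not any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names):
        missing.append("v1 signature block (META-INF/*.RSA, *.DSA or *.EC)")
    return {k: tuple(v) for k, v in sizes.items()}, sorted(abis), missing

def build_sample_apk():
    """Constructed sample: a ZIP laid out like an APK, not a real or signed app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # binary XML in a real APK
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 4000)
        zf.writestr("res/drawable/logo.png", b"\x89PNG" + bytes(range(256)) * 8)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 3000)
        zf.writestr("lib/x86_64/libnative.so", b"\x7fELF" + b"\0" * 3000)
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        # CERT.RSA deliberately left out so inspect_apk reports the missing signature block.
    return buf.getvalue()
```

Run it on a real build with `inspect_apk(open("app-release.apk", "rb").read())`; the per-category totals show where the size strategies above (dropping unused resources, limiting ABIs and densities) would pay off.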

Security and usability are inseparable. Quality apps are more secure because security keeps those apps usable and prevents common user annoyances. If you’re not interested in combing through endless lines of code or attempting to reduce the size of your APK yourself, you need outside help.

AppSolid can help you create rock solid apps that protect your brand, your business, and your customers.

APK Security Issues


Analysts have long debated the relative security of Android vs iOS apps. The open source nature of Android, together with the ability of anyone to build and upload apps with no vetting, has conspired to make Android apps less secure. Some developers, particularly novices, mistakenly believe that the rate of attacks is slowing, or that their app won't be a target because it's not well known or not sponsored by a major business. Forty-three percent of cyber attacks target small businesses.

This line of thinking can prove catastrophic. In today’s e-commerce environment, hacking is largely a crime of opportunity. So your risk of an attack is directly related to how many security protocols you have implemented. The harder it is to compromise your app, the less likely a criminal is to target you. Note that you’ll never know if you’ve added a vulnerability to your app until you’ve tested it. That’s the nature of open code.

Still unconvinced? Consider the following:

  • In 2016 alone, there were 8.5 million malicious installation packages and 128,886 mobile banking Trojans, along with more than 260,000 ransom Trojans.
  • Contrary to popular belief, it’s not banking and pay apps that are most vulnerable. Instead, the reigning targets of criminals were lifestyle, game, and news apps.
  • One test found an average of 2.8 serious security issues per tested app. Twenty-one percent of apps had a high-risk security issue, with more than two such security issues per tested app with an identified high-risk issue.
  • The average data breach costs a company $3.8 million. Cybercrime exacts a $500 billion toll from the world economy—and that figure is rising. By 2020, the average data breach is expected to exceed $150 million.
  • 6.5% of the population was victimized by identity fraud in 2017, and most identity theft victims don’t know about it.
  • Ransomware attacks increased 36% in 2017, with an average demand of $1,077.
  • At least 1 in 131 emails contains dangerous malware.
  • There are 230,000 new malware samples produced every day. Can you really assert that you’re protected against all of them?
  • There are more than 4,000 ransomware attacks each day.
  • Most businesses fail to detect a breach for extended periods of time. The average wait is 197 days.

An attack on consumers is an attack on your business. So don’t think for a second that you’ll be spared if it’s consumer data, not business data, that gets leaked. Businesses can be held civilly liable for breaches that they didn’t do enough to prevent. They can also lose any credibility they have in the eyes of consumers - a loss that can ultimately amount to the loss of the business.

Improving Security of Android Apps

Like any package format, the APK has specific security weaknesses that bad actors can exploit. A number of specific development strategies can improve the security of Android applications.

Those include:

  • Implement secure storage. Don't store unencrypted sensitive information, such as tokens and cryptographic keys, on the device. You should also avoid writing sensitive data to system logs, and prevent sensitive data from appearing in the WebView cache.
  • Protect against application backup vulnerabilities. Backups can allow a criminal to view or modify data stored on the device.
  • Protect data in transit. External communication should occur only over a secure channel. Certificate pinning offers additional security by confirming that the backend certificate is the one the app expects.
  • Minimize permissions. The more data your app can access on the device, the more data it hands to a criminal who compromises it. Apps known to abuse permissions are popular targets, because criminals know that hacking those apps gives them access to a great deal of critical information.
  • Limit the information you collect and store. In an era where information is king, it's tempting to gather as much customer information as you can and to store it. This information puts you and your users at risk, and makes your app a target. Request only the information absolutely necessary to run the app, and resist the urge to demand more.
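As an added example, not part of the original post, the check below audits a decoded AndroidManifest.xml against the backup, debug-build, cleartext-transport and permission points above, and contrasts a weak manifest with a hardened one. It assumes the manifest has already been decoded to text (inside an APK it is stored as binary XML), and the sensitive-permission watch-list is a constructed illustration rather than Android's protection-level table.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed watch-list for the "minimize permissions" advice; it is not Android's
# own protection-level table, just a few permissions that expose user data.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
}

def audit_manifest(xml_text):
    """Return findings for a decoded (text) AndroidManifest.xml; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None:
        # android:allowBackup defaults to true, so an absent attribute is a finding too.
        if app.get(ANDROID + "allowBackup") != "false":
            findings.append("allowBackup is not false: app data can leave the device via backup")
        if app.get(ANDROID + "debuggable") == "true":
            findings.append("debuggable is true: a release build must not be debuggable")
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.append("usesCleartextTraffic is true: plaintext HTTP is allowed")
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in SENSITIVE_PERMISSIONS:
            findings.append("sensitive permission requested: " + name)
    return findings

# Constructed manifests: one that trips every check, one hardened as the post advises.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weak">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Weak" android:debuggable="true"
      android:usesCleartextTraffic="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hardened">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Hardened" android:allowBackup="false"/>
</manifest>"""
```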

APK Security: More Than Just a Coding Issue


Small businesses and developers alike frequently make the mistake of viewing APK security as solely a code or package issue. Write good code, encrypt data, and install updates, the thinking goes, and everything will be just fine.

The reality is that humans use mobile apps. And humans are prone to human error. They rarely use apps in quite the way developers intend. They may fail to install updates, give their password to third parties, leave their phone at a restaurant, download an app across an insecure network, and more. It’s not possible to eliminate all risk from the world of app development.

Users will make mistakes. The goal of good development, however, is to reduce the likelihood of costly mistakes and to quickly fix those that you identify.

Some strategies that can protect against user error include:

  • Not saving passwords and other important data.
  • Allowing users to log into their account to wipe or change their sensitive data. This prevents dangerous breaches when a device is physically compromised.
  • Educating users about best security practices. When a user downloads your app, consider displaying a screen telling them when and how you’ll contact them. This can protect against phishing attacks. Consider also giving a list of 4-5 app security pointers. It’s true that most users will just scroll right through. But some will read. Not only will your advice help users more intelligently use your apps. Your tips can also raise your credibility in the eyes of app consumers. That’s good for your brand.
  • Forcing users to install security patches. Many consumers don’t want to do this. It’s time consuming and may delay their use of another app. So make installation mandatory - or bundle a much-coveted new app feature with the security update to incentivize installation. Another strategy is to ensure that your updates do only what they say they will. Users hate surprise interface and other changes. If they’ve been burned once with such a change, they may be reluctant to install future updates.

Feeling Overwhelmed? There’s Help

It’s easy to feel overwhelmed by the seemingly endless stream of threats directed at apps, their users, and the businesses who develop them. Particularly for small businesses, it can be nearly impossible to stay on top of emerging threats and patch them in time.

That’s where AppSolid comes in. If you’re feeling overwhelmed, that’s not necessarily a bad thing. The threat is real. You should take it seriously. Knowing that your business is a potential target is the first step on the path to keeping your company safe.

AppSolid specializes in partnering with companies that know they need to do something, but that lack either the time or technical expertise to implement effective strategies. With affordable rates and industry leading protection, we’re confident we can protect your app and your consumers. Give us a call or send us an email today!
