The key principles
In this section, we introduce you to methods of securing network connections. We will also cover authentication and authorisation, and the encryption of communications. We will conclude with a case study on how not to introduce serious security vulnerabilities with pre-installed software.
So far we have looked at securing data on an Android device itself, but for many apps that is not enough. To perform their designed function they need to connect to services over the internet, and these connections must also be secured.
There are three key principles that must be considered when thinking about securing network connections:
1. Make sure you are talking to who you think you are talking to.
2. Make sure no one else can hear what you are talking about.
3. If you do not 100% trust who you are talking to, always check anything they send you is safe.
The first requires authentication of the other party. Authentication is often required in both directions, i.e. both parties must authenticate each other, but the mechanisms employed may be different in each direction. For example, using a web browser to securely access an online service typically involves the browser authenticating the server via the server’s certificate (i.e. an HTTPS connection), and the server authenticating the user by their username and password.
The second requires encryption of the data as it passes over the internet. In a typical web scenario this is also achieved through the use of HTTPS connections.
Finally, the third requires input validation. It is good practice to do this even if you completely trust the other party. Programming errors do occur, and it is sensible to trap any dangerous inputs even if they are not malicious.
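The three principles as a client would apply them, in an added Java example that is not part of the original course material. The class name SecureClient, the token format, the size limit and the service.example URL are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.net.ssl.HttpsURLConnection;

public class SecureClient {
    // Assumed limits for this example: the server replies with a short ASCII session token.
    private static final int MAX_REPLY_BYTES = 256;
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]{16,128}");
    // Principles 1 and 2: accept only https:// URLs and keep the platform's default
    // certificate and hostname checks (no custom TrustManager or HostnameVerifier).
    static HttpsURLConnection open(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing non-HTTPS URL");
        }
        return (HttpsURLConnection) u.openConnection(); // does not connect yet
    }
    // Principle 3: bound the reply size and check its format before using it.
    static String readToken(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_REPLY_BYTES + 1];
        int n = 0, r;
        while (n < buf.length && (r = in.read(buf, n, buf.length - n)) > 0) n += r;
        if (n > MAX_REPLY_BYTES) throw new IOException("reply too large");
        String token = new String(buf, 0, n, StandardCharsets.US_ASCII).trim();
        if (!TOKEN.matcher(token).matches()) throw new IOException("malformed token");
        return token;
    }
    public static void main(String[] args) {
        // Constructed inputs so the checks run offline: two replies and one cleartext URL.
        String[] replies = { "c2Vzc2lvbi1leGFtcGxlLTAwMQ\n", "unexpected <html> error page" };
        for (String reply : replies) {
            byte[] raw = reply.getBytes(StandardCharsets.US_ASCII);
            try {
                System.out.println("accepted: " + readToken(new ByteArrayInputStream(raw)));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            open("http://service.example/login");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real client, the stream passed to readToken would come from getInputStream() on the connection returned by open.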
© University of Southampton 2017