Android App Security While Communicating with Server
1) Use SSL/TLS
- Confidentiality (Certificate Pinning)
- Authentication (Auth Token)
2) Validation
- Host-name verification (check that the certificate presented is issued for your host name, i.e. your server)
- Certificate pinning (only accept the particular certificate that belongs to your server)
- Check the request sequence from the client (reject replayed or out-of-order messages)
Certificate Pinning - Consider that your app server is signed with a trusted public-key certificate and your application knows the exact certificate it should be given; this is called "certificate pinning". It works both with certificates signed by Certificate Authorities (CAs) and with self-signed certificates. The app stores only the certificate provided by your app server; every other certificate is rejected by the app. A TrustManager is used to hold the pinned certificate. A TrustManager is what the system uses to validate certificates from the server; by creating one from a KeyStore that contains only your server's certificate, that certificate becomes the only one the TrustManager trusts. A third party presenting any other certificate (for example an interception proxy) can then no longer sit between the app and the server and read the conversation. Before the certificate is accepted, the host name must also be verified with a HostnameVerifier, because a valid certificate for the wrong host must still be rejected.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Create a HostnameVerifier that hardwires the expected hostname.
// Note that this is different from the URL's hostname:
// example.com versus example.org
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Delegate to the platform verifier, but always check the
        // session's certificate against the host we expect.
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        return hv.verify("example.com", session);
    }
};
Now you have confidentiality. You still need authenticity. So, once the channel is open, the next thing you expect is an authentication request containing user credentials from the app. Your server should reject any other request coming from the client app, because the session has not been authenticated yet. Once the user credentials are validated, the server generates an "authentication token" for that session and sends the token to the app in the response. From then on the authentication token is required as part of every request from the app. During this session it is only accepted on this particular channel, and only as long as this unique session is open.
Once all this is set up, any service call made over that session's secure channel that includes the correct authentication token can be trusted. You should probably include one more thing: a measure to guard against replay attacks. Ensure that your system processes a unique message only once, no matter how many times it is sent; each message should carry a unique sequence number, and the server should ignore any message whose sequence number is not the next expected one.
Close the session on the server after the user logs out of the app. If the app deals with sensitive user data such as transactions, the server code should also set a session time-out; when it expires, the response should ask the user to re-login with their credentials, and the server generates a new token for the new session after deleting the old one.
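The pinning, host-name check and token/sequence steps above, combined into one Android client class. This is an added example written for this page, not code from the original; the bundled certificate file, the class name PinnedClient and the header names Authorization and X-Sequence are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedClient {
    private final SSLContext sslContext;
    private final HostnameVerifier hostnameVerifier;
    private long nextSeq = 1; // per-session sequence number used against replay

    /** pemCert: the server certificate shipped with the app (assumed, e.g. res/raw/server.crt). */
    public PinnedClient(InputStream pemCert, final String expectedHost) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(pemCert);
        // A KeyStore holding only our certificate: the TrustManager built from it trusts nothing else.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-server", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        // Host-name check: the URL host must be the one we expect AND the certificate must match it.
        hostnameVerifier = new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) {
                return expectedHost.equals(hostname)
                    && HttpsURLConnection.getDefaultHostnameVerifier().verify(expectedHost, session);
            }
        };
    }

    /** Opens a pinned connection; after login it carries the session token and the next sequence number. */
    public HttpsURLConnection open(String url, String authToken) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        conn.setHostnameVerifier(hostnameVerifier);
        if (authToken != null) { // null before the authentication request has succeeded
            conn.setRequestProperty("Authorization", "Bearer " + authToken); // assumed header name
            conn.setRequestProperty("X-Sequence", Long.toString(nextSeq++)); // assumed header name
        }
        return conn;
    }
}
```

The server side must keep the last accepted sequence number per session and drop any request whose X-Sequence is not the next expected value.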
In Canada, most banks use the Akamai certificate authority as well as a virtual IP taking in all requests... so as to eliminate any security threats. However, Akamai keeps changing their damn cert (public key changes)... perhaps for security reasons. How do you handle certificate pinning when what you pin against isn't constant?