Strengthening Android Security: Mitigating Banking Trojan Threats

Ialle Teixeira
7 min readJun 26, 2023

In today’s digital age, mobile devices have become integral to our daily lives, including financial transactions. However, this increased reliance on smartphones for banking and financial activities has also attracted the attention of cybercriminals, particularly those behind banking trojans. These malicious apps aim to steal sensitive information, compromise accounts, and carry out fraudulent transactions. To combat this growing threat, it is crucial to implement robust security measures on Android devices. In this article, we delve into the importance of mitigating banking trojan threats and explore practical steps to enhance Android security.

🔥Today, we are going to talk about: Restrict interactions with other apps apps

Acording to Android Developers reference, permissions aren’t only for requesting system functionality. You can also restrict how other apps can interact with your app’s components.

Note: When restricting interactions to only apps provided by one developer
such as to secure interprocess communications, we recommend using custom
signature permissions.

Restrict interactions with your app’s activities

Using the android:permission attribute in the <activity> tag of the Android manifest file can indeed help protect against certain types of attacks, including those by banking trojans. By specifying a permission for an activity, you can restrict which apps are allowed to start that particular activity.

When you set the android:permission attribute for an activity, it means that only apps that have been granted the specified permission will be able to start that activity. If an app without the required permission attempts to start the activity, a SecurityException will occur, preventing unauthorized access.

This can be beneficial in the case of banking trojans because these malicious apps often try to interact with legitimate banking apps by launching their activities to perform fraudulent transactions. By setting the appropriate permission on the banking app’s activities, you can prevent unauthorized apps, including banking trojans, from starting those activities.

Here’s an example of how you can use the android:permission attribute in the manifest file:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.mybankapp">

<application>
<activity
android:name=".MainActivity"
android:permission="com.example.mybankapp.PERMISSION_START_ACTIVITY">
<!-- Other activity configuration -->
</activity>

<!-- Other app components -->
</application>

<!-- Permissions -->
<permission
android:name="com.example.mybankapp.PERMISSION_START_ACTIVITY"
android:protectionLevel="signature" />
</manifest>

Restrict interactions with your app’s services

Yes, using the android:permission attribute in the <service> tag of the Android manifest file can also help protect against banking trojans and other malicious apps. By specifying a permission for a service, you can restrict which apps are allowed to start or bind to that particular service.

When you set the android:permission attribute for a service, it means that only apps that have been granted the specified permission will be able to start or bind to that service. If an app without the required permission attempts to start, stop, or bind to the service, a SecurityException will occur, preventing unauthorized access.

This can be beneficial in the case of banking trojans because they often try to interact with legitimate banking services to perform malicious actions. By setting the appropriate permission on the banking service, you can prevent unauthorized apps, including banking trojans, from starting or binding to that service.

Here’s an example of how you can use the android:permission attribute in the manifest file:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.mybankapp">

<application>
<service
android:name=".MyBankService"
android:permission="com.example.mybankapp.PERMISSION_USE_SERVICE">
<!-- Other service configuration -->
</service>

<!-- Other app components -->
</application>

<!-- Permissions -->
<permission
android:name="com.example.mybankapp.PERMISSION_USE_SERVICE"
android:protectionLevel="signature" />
</manifest>

Restrict interactions with your app’s content providers

Use the android:permission attribute to the <provider> tag to restrict which other apps can access the data in a ContentProvider. (Content providers have an important additional security facility available to them called URI permissions, which is described in the following section.) utilizing the android:permission attribute in the <provider> tag of the Android manifest file can help protect against banking trojans and other malicious apps by restricting access to the data in a ContentProvider. By setting read and write permissions on a ContentProvider, you can control which apps are allowed to read from and write to the provider, respectively.

When you set the android:readPermission attribute for a ContentProvider, it means that only apps that have been granted the specified permission will be able to read data from that provider. Similarly, when you set the android:writePermission attribute, only apps with the specified permission can write data to the provider.

Here’s an example of how you can use these attributes in the manifest file:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.mybankapp">

<application>
<provider
android:name=".MyBankContentProvider"
android:readPermission="com.example.mybankapp.PERMISSION_READ_PROVIDER"
android:writePermission="com.example.mybankapp.PERMISSION_WRITE_PROVIDER">
<!-- Other provider configuration -->
</provider>

<!-- Other app components -->
</application>

<!-- Permissions -->
<permission
android:name="com.example.mybankapp.PERMISSION_READ_PROVIDER"
android:protectionLevel="signature" />

<permission
android:name="com.example.mybankapp.PERMISSION_WRITE_PROVIDER"
android:protectionLevel="signature" />
</manifest>

In this example, the MyBankContentProvider provider requires both com.example.mybankapp.PERMISSION_READ_PROVIDER and com.example.mybankapp.PERMISSION_WRITE_PROVIDER permissions. Only apps that have been signed with the same certificate as the banking app (i.e., apps signed by the same developer) and granted these permissions will be able to read from and write to the MyBankContentProvider.

By implementing these permissions on your ContentProvider, you can ensure that only authorized apps, including your banking app, can access and manipulate the sensitive data stored in the provider. This helps protect against unauthorized access by banking trojans or other malicious apps.

However, it’s important to note that while setting permissions on a ContentProvider adds an additional layer of security, it should not be the sole defense against banking trojans. It should be used in conjunction with other security measures, such as app permissions, secure app installation, updates, and device security settings, to create a comprehensive security approach.

Restrict interactions with your app’s broadcast receivers

Use the android:permission attribute to the <receiver> tag to restrict which other apps can send broadcasts to the associated BroadcastReceiver. The permission is checked after Context.sendBroadcast() returns, as the system tries to deliver the submitted broadcast to the given receiver. This means that a permission failure doesn't result in an exception being thrown back to the caller—it just doesn't deliver the Intent.

Using the android:permission attribute in the <receiver> tag of the Android manifest file can help protect against banking trojans and other malicious apps by restricting which apps can send broadcasts to the associated BroadcastReceiver. By specifying a permission, you can control access to the receiver and ensure that only apps with the specified permission can send broadcasts that will be delivered to the receiver.

When you set the android:permission attribute for a BroadcastReceiver, it means that only apps that have been granted the specified permission will be able to send broadcasts to that receiver. If an app without the required permission attempts to send a broadcast, the broadcast will not be delivered to the receiver associated with the permission-protected <receiver> tag.

Here’s an example of how you can use the android:permission attribute in the manifest file:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.mybankapp">

<application>
<receiver
android:name=".MyBroadcastReceiver"
android:permission="com.example.mybankapp.PERMISSION_SEND_BROADCAST">
<!-- Other receiver configuration -->
</receiver>

<!-- Other app components -->
</application>

<!-- Permission -->
<permission
android:name="com.example.mybankapp.PERMISSION_SEND_BROADCAST"
android:protectionLevel="signature" />
</manifest>

By implementing this permission on your BroadcastReceiver, you can control access to the receiver and prevent unauthorized apps, including banking trojans, from sending broadcasts that could potentially be intercepted or misused.

Note that both a receiver and a broadcaster can require a permission. When this happens, both permission checks must pass for the intent to be delivered to the associated target, however it’s important to note that while using the android:permission attribute adds an additional layer of security, it should not be solely relied upon to protect against banking trojans. It should be used in conjunction with other security measures, such as app permissions, secure app installation, updates, and device security settings, to create a comprehensive security approach.

TL;DR

  1. Restricting Activity Access:
  • Use the android:permission attribute in the <activity> tag to restrict which apps can start that activity.
  • By setting a permission, unauthorized apps, including banking trojans, will be prevented from starting the activity.

2. Protecting Services:

  • Set the android:permission attribute in the <service> tag to control which apps can start or bind to the associated service.
  • This helps prevent unauthorized apps, including banking trojans, from accessing or interacting with sensitive service functionalities.

3. Securing Content Providers:

  • Utilize the android:readPermission and android:writePermission attributes in the <provider> tag to limit access to a ContentProvider.
  • By setting appropriate permissions, you can control which apps can read from or write to the provider, reducing the risk of unauthorized data access.

4. Managing Broadcast Receivers:

  • Use the android:permission attribute in the <receiver> tag to restrict which apps can send broadcasts to the associated BroadcastReceiver.
  • By setting a permission, you can control access to the receiver, ensuring only authorized apps can send broadcasts that will be delivered.

These security practices can contribute to mitigating the risk of banking trojans and other malicious apps by limiting access to sensitive components, data, and functionalities within an Android app. However, it’s important to combine these measures with other security practices, such as proper app permissions, secure app installation, updates, and device security settings, to establish a comprehensive defense against potential threats. That’s all!!!

Resource:
https://developer.android.com/training/permissions/restrict-interactions https://developer.android.com/guide

--

--