Base64 encoding schemes are commonly used when there is a need to encode binary data, especially when that data needs to be stored and transferred over media that are designed to deal with text. This encoding helps to ensure that the data remains intact without modification during transport.
Java Base64 Encode and Decode
Java provides the class java.util.Base64 for Base64 encoding and decoding (Base64 is an encoding, not encryption, and provides no confidentiality). You can encode and decode your data using the provided methods. You need to import java.util.Base64 in your source file to use them. The class provides three different encoder and decoder variants.
TL;DR
- Avoid using plaintext HTTP, use HTTPS instead.
- Network Security Configuration is a great and simple tool, do not hesitate to use it.
- Remember about Android fragmentation, take security measures to protect all supported APIs.
- For security-sensitive applications, use certificate pinning.
- Always follow best practices while developing mobile apps. Take a look at Guidelines on mobile application security – Android edition.
About Networking
The vast majority of Android applications need to communicate with a backend. It is obviously a very important security requirement that such communication is properly protected; otherwise, attackers can easily intercept it, and it usually carries secrets like credentials or session identifiers. In either case, the user account is compromised.
Having said that, during penetration tests I am still finding applications which do not use TLS or do not properly verify server certificates, which makes a MITM (man-in-the-middle) attack possible.
Below is an example of credentials intercepted using monitor mode in Wireshark:
Disable HTTP, for your own peace of mind
Android 7+ supports Network Security Config (NSC), a powerful tool for managing an app's networking configuration. On Android 9+, cleartext communication is disabled by default, but on older versions developers need to explicitly disable it. First of all, an NSC file must be created; otherwise, the platform defaults will be applied.
Typically, NSC is located under the below-mentioned path:
And also needs to be defined in the Android Manifest:
Now we can easily create global policies for applications – the great thing is that those policies will work for any library we use to establish HTTP/TLS connection.
The first policy we should define disables cleartext HTTP connections and allows only system CAs as trust anchors.
Android 8+ by default keeps user-installed certificates in a separate user store, which applications do not trust. If for some reason we also want to trust such certificates, we can add a user entry to the trust anchors, although this is not recommended for security-sensitive applications.
In case you really need to use HTTP for a particular host, you can override the global configuration for a single domain, which can be done as follows:
Unfortunately, the above-mentioned technique won't work on API 23 and lower, but it is definitely worth implementing. As of August 2020, over 75% of devices run a version that supports NSC, according to Google's platform distribution dashboard.
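As an added example (not the article's own configuration, which is not reproduced on this page), the following file puts the three policies described above into one Network Security Config: cleartext disabled globally, only system CAs trusted, and a per-domain override for a single legacy host. It is assumed to live at res/xml/network_security_config.xml, the conventional location, and to be referenced from the manifest's <application> element via android:networkSecurityConfig="@xml/network_security_config"; the domain name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original article.
     Assumed path: res/xml/network_security_config.xml, referenced from
     AndroidManifest.xml by
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     legacy.example.com is a placeholder host name. -->
<network-security-config>

    <!-- Global policy, applied to every library the app uses for HTTP/TLS
         (HttpURLConnection, OkHttp, WebView, ...). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Only the platform CA store is trusted. -->
            <certificates src="system" />
            <!-- Not recommended for security-sensitive apps: trusting
                 user-installed CAs as well would add the line
                   <certificates src="user" />
                 here, which lets a CA installed by whoever controls the
                 device intercept the app's TLS traffic. -->
        </trust-anchors>
    </base-config>

    <!-- Narrow exception: cleartext is allowed for this one host only,
         subdomains excluded. Everything else still inherits base-config. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>

</network-security-config>
```

With this file in place, an attempt to open an http:// URL to any other host fails at the platform level with an exception mentioning cleartext traffic, which is an easy thing to check for in a test run: the app should connect to the legacy host and refuse cleartext everywhere else. Remember that on API 23 and lower the file is simply ignored, so it does not replace application-level checks on those versions.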
HTTPS communication on Android
The TLS protocol provides secure, encrypted communication. In most cases, libraries used to establish HTTPS connections properly validate the server certificate against trusted CAs. For instance, if you use NSC or the OkHTTP client, you can rest assured that the certificate will be validated without writing any additional code. Despite the fact that the default configuration is, in this case, always the best solution, sometimes developers get over-creative and produce completely insecure code.
During one of the penetration tests, I encountered a really impressive example of developers' creativity. Instead of using the default TrustManager, the developers initialized a TrustManager with empty check methods and then used it to establish the TLS connection:
As a result, every certificate was accepted, so intercepting the (decrypted) communication was almost as easy as if TLS had not been implemented at all.
The lesson from this chapter is that when implementing TLS always go for mature solutions, for example:
URLConnection class
OkHTTP client
Certificate Pinning on Android devices
Certificate pinning is an additional mechanism which prevents establishing a communication channel with an untrusted server. So far, we have only verified whether the server has a valid certificate, meaning that it is signed by a trusted CA. Nowadays, it is fairly easy to obtain a valid certificate, for instance by using Let's Encrypt (https://letsencrypt.org/). Another risk is that an attacker somehow manages to add their own certificate to the Android trust store. In such a case, the TLS connection will also be identified as secure.
Certificate pinning is a technique that prevents the above-mentioned risk. It relies on 'pinning' certificate characteristics directly in the application source code. Then, during a TLS connection attempt, the application checks whether the server presents the expected ('pinned') certificate. There are several variants of certificate pinning: it may verify the whole certificate or only its public key. More info regarding certificate pinning can be found here: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
Android allows a really straightforward and effective way of implementing certificate pinning, which involves previously described Network Security Config. The implementation looks as follows:
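As an added example of the NSC-based pinning described above (not the article's own snippet), here is a domain-config that pins the public key of one API host. It shows only the pinning part and is meant to sit inside the same network-security-config as the global base-config; api.example.com, the expiration date and both pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of public-key pinning via Network Security Config;
     not from the original article. api.example.com, the expiration
     date and the pin values are placeholders. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Each pin is the base64 SHA-256 hash of a certificate's
             SubjectPublicKeyInfo (public key pinning). The chain must
             contain at least one pinned key, on top of normal CA
             validation. expiration: after this date pinning is no longer
             enforced and the connection falls back to plain CA validation,
             so a forgotten key rotation degrades gracefully instead of
             locking every user out of the app. -->
        <pin-set expiration="2021-12-31">
            <!-- Primary pin: PLACEHOLDER, replace with the hash of the
                 key actually served by the host (leaf or intermediate). -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin: PLACEHOLDER for a second key kept offline,
                 so the pin-set can be rotated without an emergency release. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

A real pin value for a PEM certificate can be produced with the standard OpenSSL pipeline openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. Always ship at least one backup pin: with a single pinned key, a routine certificate or key change on the server turns into an outage for every installed copy of the app until the pin-set expiration date passes.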
The only pitfall here is that NSC is supported only on Android 7+, so if your target includes lower Android versions, you need to implement pinning in a different way. I would strongly advise you to follow the guidelines provided by the library you use for TLS. For instance, with OkHTTP you should use the CertificatePinner class:
Properly implemented certificate pinning will prevent establishing a TLS session with a given domain unless the certificate 'pin' matches the one predefined in the code.
Note that the certificate pinning mechanism works locally, on a device which cannot be considered trusted. There are several ways of bypassing the certificate pinning mechanism on rooted devices.
Nevertheless, I strongly encourage all the developers to implement this mechanism for their application and follow all the other good practices regarding secure communication.
Summary
Secure network communication is one of the most critical aspects of mobile application development. Fortunately, more and more developers are aware of that, and the general level of networking security is constantly rising. Another really positive thing is that Android introduced a very powerful and simple tool for managing TLS connections: Network Security Config. Do not hesitate to use it! At the same time, remember that it is supported only from Android 7 onwards, so if your target is below that threshold, you need to use different measures alongside NSC. Also, remember about certificate pinning if you are developing high-risk applications.
Last but not least, always remember to follow good practices in the development of secure mobile applications. To make it easier, we have prepared a guide which gathers in one place the most significant challenges and recommendations:
sample source code to input valid data and generate 2D Data Matrix images in C# .NET
C# Data Matrix Introduction
Data Matrix, also known as Data Matrix ECC200, is a 2-dimensional matrix barcode that can store up to 2,335 alphanumeric characters.
C# Data Matrix barcode is a mature, easy-to-use .NET barcode component written in Visual C#. It is easy to integrate the barcode component into C#.NET development environments, and it allows developers to quickly and easily add barcode generation and recognition functionality to .NET applications using a C# class.
This document provides a complete C# source code for encoding Data Matrix barcode images in C# class using C# Barcode generation .net SDK.
OnBarcode C# Barcode Generator is designed to generate, create Data Matrix and other linear & 2d barcodes in Microsoft Word. Here are some more tutorials for C# Data Matrix generation concerning size & image setting.
Encode Data Matrix Valid Character in C#.NET
Data Matrix valid character set:
Standard ASCII Characters: 0-127
Extended ASCII Characters: 128-255
Encode ASCII Character into Data Matrix Using C#.NET class
ASCII mode encodes three types of characters: double-digit numerics, ASCII values 0-127 and extended ASCII values 128-255.
DataMatrix barcode = new DataMatrix();
barcode.Data = "!@#$%^&*():' <>'{}";   // any ASCII / extended ASCII characters
barcode.DataMode = DataMatrixDataMode.ASCII;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");   // writes the PNG to the given path
Encode C40 Characters into Data Matrix Using C#.NET class
C40 Mode is designed to optimize the encoding of upper-case alphabetic and numeric characters.
DataMatrix barcode = new DataMatrix();
barcode.Data = "Data Matrix";   // upper-case letters, digits and space compress best in C40
barcode.DataMode = DataMatrixDataMode.C40;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");
Encode Text Characters into Data Matrix Using C#.NET class
Text mode is designed to encode normal printed text, which is predominantly lowercase characters.
DataMatrix barcode = new DataMatrix();
barcode.Data = "OnBarcode";   // mostly lowercase text
barcode.DataMode = DataMatrixDataMode.Text;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");
Encode X12 Characters into Data Matrix Using C#.NET class
It is used to encode the standard ANSI X12 electronic data interchange characters.
DataMatrix barcode = new DataMatrix();
barcode.Data = "ONBARCODE";   // upper-case letters and digits from the X12 character set
barcode.DataMode = DataMatrixDataMode.X12;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");
Encode Edifact Characters into Data Matrix Using C#.NET class
It is used to encode 63 ASCII values (values from 32 to 94) plus an Unlatch character (binary 011111).
DataMatrix barcode = new DataMatrix();
barcode.Data = "035ONBARCODE";   // characters must be in the ASCII 32-94 range
barcode.DataMode = DataMatrixDataMode.Edifact;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");
Encode Base256 Characters into Data Matrix Using C#.NET class
It is used to encode 8 bit values, all byte values 0-255 inclusive.
DataMatrix barcode = new DataMatrix();
barcode.Data = "onbarcode";   // any byte values 0-255 are allowed in Base256 mode
barcode.DataMode = DataMatrixDataMode.Base256;
barcode.Format = ImageFormat.Png;
barcode.drawBarcode("c:/datamatrix.png");
Modify Data Matrix Valid Length in C#.NET
Data Matrix is a variable-length 2-dimensional barcode. For the storage capacity, see the table below:
Data Type | Maximum Data Storage Capacity |
Alphanumeric Data | 2,335 characters |
8-Bit Byte Character | 1,555 characters |
Numeric Data | 3,116 characters |
Data Matrix barcode length can be specified by encoding data of different lengths, for example:
barcode.Data = "12";                    // 2 characters
barcode.Data = "DATA MATRIX";           // 11 characters
barcode.Data = "ABCDEFGhijklmnopqrst";  // 20 characters