Our goal is to make Android the safest mobile platform in the world. That's why we consistently invest in technologies that bolster the security of the platform, its apps, and the global Android ecosystem.

It's a responsibility we share with you, as developers, to keep users safe and secure.

Security best practices

Learn about best practices for encryption, integrity, and the overall app security lifecycle.

Always encrypt data saved to shared storage. Encrypt sensitive data even in the app’s private storage, so that it is less accessible if the device is stolen and compromised.

The Jetpack Security library (JetSec) provides a quick and easy way to encrypt your data. It makes full use of the Android Keystore and executes cryptographic operations in secure hardware.

Rooted or unlocked devices, and emulators, may fail to protect user data and may expose your app to attack. Use SafetyNet Attestation to determine whether a device running your app has been tampered with. Based on the results from SafetyNet Attestation, consider acting to protect your app’s content.

Use the Biometric APIs, part of the Jetpack BiometricPrompt Library, to take advantage of a device’s biometric sensors when authenticating users in your app.

HTTPS and SSL provide secure protocols for transferring data between your app and servers. However, developers commonly make a number of mistakes that can lead to insecure data transfer. Check that you’re not making any of these in your app.

The App Security Improvement program is a service that helps detect known security vulnerabilities in your app. This service automatically scans your app as it’s submitted to Google Play. If any vulnerabilities are discovered, you get alerts by email and in the Google Play Console, with links to details about how to improve your app.

You cannot rule out undetected vulnerabilities in your app. Security researchers commonly assess new and updated apps for security issues. By setting up a vulnerability disclosure program (VDP), you provide guidelines for these experts to disclose vulnerabilities to you. The guidelines should include policy, rules of engagement, scope, and safe harbor.

Security issues can creep into even the most carefully crafted app. One way to guard against unexpected errors or security issues is to have a comprehensive testing program throughout your development lifecycle.

Follow best practices for preparing and executing your tests, and take advantage of the services offered by Firebase Test Lab to automatically execute tests on a range of devices.

Your app may rely on third-party libraries for common use cases. However, third-party libraries can be a source of data leakage, especially those using external services, such as those for marketing and analytics.

Audit your third-party libraries to check that you are using the original code from their open source projects. Also check whether any libraries are unnecessary. Then remove any libraries you don’t need or whose source you cannot be sure of.

This step is important because third-party libraries can cause your app to be flagged as potentially harmful per the Malware or Mobile Unwanted Software policies.

For more information about best practices for security in Android apps, see App security best practices.


The Jetpack Security (JetSec) crypto library provides abstractions for encrypting Files and SharedPreferences objects.

This guide will teach you how to prepare, launch, and run a “Vulnerability Disclosure Program” (VDP).

With the launch of Android 10 (API level 29), developers can now use the Biometric API, part of the AndroidX Biometric Library, for all their on-device user authentication needs.