CPoC SDK
Reference
Security Best Practice

CPoC SDK is implemented with secure by design. There are a batch of security mechanisms applied on the SDK to protect from unauthorized access to service and sensitive data. As integrator, you should follow the best practise below to use our SDK to keep whole application in a secure state.

To ensure secure integration and usage of our SDK, follow these guidelines:

1. Secure SDK Integration

  • Obtain SDK from Official Sources Only

    Always obtain the SDK from trusted repositories (MineSec Authorized channel) or verified private repositories. Avoid unverified third-party sources.

  • Keep SDK Updated

    Regularly update to the latest SDK version to leverage security patches and bug fixes. Subscribe to our security advisory notifications.

  • Audit Dependencies

    Review the SDK’s third-party dependencies (use ./gradlew dependencies) to avoid libraries with known vulnerabilities.

2. Sensitive Data Handling

MineHades SDK handles sensitive data inside and wont export out sensitive data such as plaintext PIN. For integrator, when handling sensitive data in your application, please follow the suggestions below

  • Key & Credential Management

    Use Android Keystore or server-side mechanisms to store secrets. Never hardcode sensitive data.

  • Secure Local Storage

    • Use EncryptedSharedPreferences or EncryptedFile (Android Jetpack Security) for sensitive data.
    • Avoid storing credentials, tokens, or PII in plaintext (e.g., SharedPreferencesor SQLite).

  • Erase upon use

    • use ByteArray to handle the sensitive data and erase when it’s finished

3. Network Security

  • Enforce HTTPSConfigure network_security_config.xml:

    xml
<network-security-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">your.api.domain</domain>
  </domain-config>
</network-security-config>

  • Certificate PinningImplement SSL pinning during SDK initialization to mitigate MITM attacks.

4. Least Privilege Principle

  • Minimize PermissionsDeclare only necessary permissions in AndroidManifest.xml:

    xml
<!-- Request location permission only if required -->
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

  • Runtime Permission Checks Request dangerous permissions (e.g., location, storage) at runtime and handle denials gracefully.

Key ManagementData Lifecycle