
Security and privacy are two of the most talked-about topics these days. Like any piece of software, Android apps can be targeted: your users' data can be put at risk, and there is always the risk of your app being reverse engineered. So how can you, as an Android developer, make your app harder to reverse engineer and secure your users' data on the client side? That's exactly what we'll find out today.

Tamper Detection

The most reliable way to detect that your app has been altered is to check that the certificate the installed APK is signed with is your own release certificate: anyone who modifies the APK has to re-sign it with their own key, so the signing certificate changes. You can do this with a small library I wrote a while back. It's super easy to integrate.


In most cases the only legitimate way for a user to get your app is the Play Store, which means you can check the installation source and block the app from functioning if it was not installed via the Play Store (a repackaged APK is typically side-loaded from a file or a third-party store). Bear in mind that this also locks out testers and users on devices without Google Play, so decide deliberately what to do when the check fails. This check, and a debugger check, can again be done with the library shared above. For instance, to detect whether a debugger has been attached to your app you can do something like:

guardDebugger({
    // No debugger tools detected: continue executing the code.
}, {
    // Some debugger tools were detected.
})

To verify whether your app is downloaded from the right source you can do this:

this.verifyInstaller(Installer.GOOGLE_PLAY_STORE)?.let {
    if (it) {
        // App is installed from Google Play
    } else {
        // App is not installed from Google Play
    }
}

Lastly to verify if your app has been modded or not you can check the signature of your app like this:

if (this.validateSignature("INSERT YOUR RELEASE SIGNATURE HERE") == Result.VALID) {
    // Signature is valid: continue using the app
} else {
    // Signature is invalid, likely a modded version of the app
}

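If you would rather not pull in a library, all three checks above (debugger, installer, signature) are a handful of calls into PackageManager and android.os.Debug. The following is an added example written for this edit; it is not the library's code nor part of the original post. The certificate hash is a placeholder you replace with your own, and the Play Store package name constant and the function names are my own choices:

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import android.os.Debug
import java.security.MessageDigest

// Placeholder, not a real value: replace with the SHA-256 of your release signing
// certificate as printed by `apksigner verify --print-certs app-release.apk`.
private const val RELEASE_CERT_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

// Package name of the Google Play Store app (assumed constant for this example).
private const val PLAY_STORE = "com.android.vending"

/** The certificates that actually signed the installed APK, using the API available on this device. */
private fun Context.signingCertificates(): Array<Signature> =
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo.apkContentsSigners
    } else {
        @Suppress("DEPRECATION")
        packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES).signatures
    }

/** Lower-case hex SHA-256 over the DER encoding of each signing certificate. */
fun Context.signingCertificateHashes(): List<String> {
    val sha256 = MessageDigest.getInstance("SHA-256")
    return signingCertificates().map { sig ->
        sha256.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
    }
}

/** Exactly one signer, and it is our release certificate. */
fun Context.hasValidSignature(): Boolean =
    signingCertificateHashes().let { it.size == 1 && it[0].equals(RELEASE_CERT_SHA256, ignoreCase = true) }

/** Package that installed this app, or null when it was side-loaded (adb, file manager, unknown). */
fun Context.installerPackage(): String? =
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        packageManager.getInstallSourceInfo(packageName).installingPackageName
    } else {
        @Suppress("DEPRECATION")
        packageManager.getInstallerPackageName(packageName)
    }

fun Context.isInstalledFromPlay(): Boolean = installerPackage() == PLAY_STORE

/** A debugger is attached, or the build is debuggable at all (a release build never should be). */
fun Context.isBeingDebugged(): Boolean =
    Debug.isDebuggerConnected() || Debug.waitingForDebugger() ||
        (applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0

/** Runs all three checks; an empty list means everything looked fine. */
fun Context.integrityFailures(): List<String> = buildList {
    if (isBeingDebugged()) add("debugger")
    if (!isInstalledFromPlay()) add("installer")
    if (!hasValidSignature()) add("signature")
}
```

Call integrityFailures() early, for example in Application.onCreate(), and decide what to do with the result. Three caveats: RELEASE_CERT_SHA256 is itself a string inside the APK, so a modder can patch it together with the comparison; hooking frameworks such as Frida or Xposed can make getPackageInfo() and isDebuggerConnected() return whatever the attacker wants; and the installer check also rejects legitimate users who side-load or have no Google Play. Treat these checks as speed bumps, and move any decision that matters (granting access, unlocking paid content) to a server that verifies an attestation verdict rather than trusting the client's own word.
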
SafetyNet

SafetyNet Attestation from Google lets your app request a signed verdict from Google Play services about the device it is running on: whether the device passes basic integrity and matches a certified (CTS) profile. That is how you detect rooted, bootloader-unlocked or emulated devices; it does not watch the files your app creates (the signature check above and encryption at rest, covered below, are for that). Two things to keep in mind: the verdict has to be sent to and verified on your server, because a client that checks its own verdict can simply be patched to ignore it, and Google has since deprecated the SafetyNet Attestation API in favour of the Play Integrity API, which returns the same kind of device and app verdicts. Integrating either is a long topic that could be a post in itself, which I might publish later sometime.

ProGuard

Always make sure code shrinking and obfuscation are enabled for your release builds. On current versions of the Android Gradle Plugin the work is done by R8, which reads ProGuard-format rules: it strips unused code and renames classes, methods and fields to meaningless names, which makes the decompiled app much harder to read. It is not encryption; a determined reverse engineer can still follow the logic, so treat it as raising the cost rather than as protection. You can enable it with the following options in your app/build.gradle file.

android {
    buildTypes {
        release {
            // Enables code shrinking, obfuscation, and optimization for only
            // your project's release build type.
            minifyEnabled true
            // Enables resource shrinking, which is performed by the
            // Android Gradle plugin.
            shrinkResources true
            // Includes the default ProGuard rules files that are packaged with
            // the Android Gradle plugin. To learn more, go to the section about
            // R8 configuration files.
            proguardFiles getDefaultProguardFile(
                    'proguard-android-optimize.txt'),
                    'proguard-rules.pro'
        }
    }
}


The only thing you need to be careful about is the rules you put in the proguard-rules.pro file. Every -keep rule is a hole in the obfuscation: classes reached through reflection, JSON serialisation or JNI do need keeping, but a blanket keep of your whole package leaves the app as readable as an unobfuscated one. Keep the rules as narrow as possible, and keep the mapping.txt from each release build somewhere outside the APK so you can de-obfuscate crash reports later.
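As an added illustration (not part of the original post), here is what a careful proguard-rules.pro looks like next to the rule that quietly undoes the obfuscation. The package names are assumed for the example:

```proguard
# WEAK: keeps every class and member in the app, so nothing gets renamed or removed.
# -keep class com.example.app.** { *; }

# Keep only what reflection really needs: here, the JSON model classes (assumed package),
# with their fields and constructors, and nothing else.
-keep class com.example.app.model.** { <fields>; }
-keepclassmembers class com.example.app.model.** { <init>(...); }

# Keep line numbers for readable stack traces, but strip the original file names.
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile

# Flatten every class into the root package so package names no longer hint at structure.
-repackageclasses ''

# Remove debug logging from release builds so tokens and payloads never reach logcat.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
    public static int i(...);
}
```

After a release build, check the result: open app/build/outputs/mapping/release/mapping.txt and confirm that your own classes appear there with short renamed identifiers; if a class you did not expect keeps its original name, a -keep rule is wider than it should be.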

Securing User Credentials

DO NOT, I repeat, DO NOT store sensitive information on the client side unless you have no choice. Never store usernames or passwords on the device; exchange them for a short-lived token and keep only that. API keys, access tokens and other secrets should never sit in their raw form in SharedPreferences, DataStore or a file, and never as string constants in the APK, where a decompiler finds them in seconds. When something does have to persist, encrypt it with a key held in the Android Keystore: that key is hardware-backed on most devices and cannot be exported, whereas plain SharedPreferences and DataStore are not encrypted at rest. Yes, it makes reads a tiny bit slower, but it means a copy of your app's data directory taken from a rooted device or a backup yields only ciphertext.

Database Encryption

Lastly, a lot of folks skip encrypting the data in their database because they feel it's too much hassle. It's not. Most databases nowadays provide ways to encrypt the data without you having to encrypt and decrypt each value yourself. SQLCipher, an SQLite extension that transparently encrypts every database page with AES-256, has gained a lot of traction and plugs into Room through a SupportSQLiteOpenHelper factory; Realm has its own encryption as well. The part people get wrong is the passphrase: a constant in the code is just another string to decompile, so generate it randomly on first launch and store it wrapped by an Android Keystore key.
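The two previous sections share one building block: a Keystore-backed key that wraps a secret (an access token, or the SQLCipher passphrase) before it touches disk. The following is an added example written for this edit, not the post's or any library's own code. It assumes API 23 or later, the `net.zetetic:android-database-sqlcipher` 4.x artifact (package `net.sqlcipher`; the newer `sqlcipher-android` artifact uses different package names), and an `AppDatabase` class that is your own Room database; the key alias, preference names and function names are my own choices:

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.room.Room
import net.sqlcipher.database.SQLiteDatabase
import net.sqlcipher.database.SupportFactory
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE = "AndroidKeyStore"
private const val KEY_ALIAS = "app_secret_wrapping_key"   // assumed alias
private const val PREFS = "secrets"                         // assumed preferences file
private const val GCM_IV_BYTES = 12                         // IV length the Keystore generates for GCM
private const val GCM_TAG_BITS = 128

/** The AES-256-GCM wrapping key, generated inside the Keystore on first use. It can never be exported. */
private fun wrappingKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

/** Returns base64(iv || ciphertext || tag). The Keystore picks a fresh random IV on every call. */
fun sealSecret(plaintext: ByteArray): String {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, wrappingKey())
    return Base64.encodeToString(cipher.iv + cipher.doFinal(plaintext), Base64.NO_WRAP)
}

/** Inverse of [sealSecret]; throws AEADBadTagException if the blob was modified on disk. */
fun openSecret(sealed: String): ByteArray {
    val blob = Base64.decode(sealed, Base64.NO_WRAP)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, wrappingKey(), GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES))
    return cipher.doFinal(blob, GCM_IV_BYTES, blob.size - GCM_IV_BYTES)
}

/** Persist a short-lived access token (never the password) as ciphertext only. */
fun Context.storeAccessToken(token: String) =
    getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
        .putString("access_token", sealSecret(token.toByteArray(Charsets.UTF_8)))
        .apply()

/** Null when no token is stored or the blob fails authentication: in both cases force a fresh login. */
fun Context.loadAccessToken(): String? =
    getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString("access_token", null)
        ?.let { runCatching { String(openSecret(it), Charsets.UTF_8) }.getOrNull() }

/** Opens the SQLCipher-encrypted Room database with a random passphrase that never appears in code. */
// Assumed: AppDatabase is the app's own @Database-annotated RoomDatabase subclass.
fun Context.openEncryptedDatabase(): AppDatabase {
    SQLiteDatabase.loadLibs(this)
    val prefs = getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    val passphrase = prefs.getString("db_passphrase", null)?.let(::openSecret)
        ?: ByteArray(32).also { SecureRandom().nextBytes(it) }
            .also { prefs.edit().putString("db_passphrase", sealSecret(it)).apply() }
    return Room.databaseBuilder(this, AppDatabase::class.java, "app.db")
        .openHelperFactory(SupportFactory(passphrase))   // SupportFactory zeroes the array once the DB is open
        .build()
}
```

What this buys you: the preferences file and the .db file lifted from a rooted device or a backup contain only ciphertext, and the wrapping key cannot leave the Keystore. What it does not buy you: an attacker who can run code inside your process on the device can still call openSecret() and read the database through the app, which is why the tamper and attestation checks earlier in the post matter. If you later add setUserAuthenticationRequired() to the key spec, the key is invalidated when the user removes their lock screen, so handle KeyPermanentlyInvalidatedException by re-authenticating rather than by crashing.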

PS.

There is no foolproof way to protect your app from being hacked. If the attacker is persistent they will find a way, because the client is entirely in their hands. These are just a few tips to make it harder. Also, if you have more methods please feel free to drop a comment or reach out to me on LinkedIn or Twitter.

This article was originally published on proandroiddev.com on March 28, 2022
