Blog Infos
Author
Published
Topics
Published

Security and privacy are the two most talked about topics these days. Like any piece of code, Android apps can also be targeted and your user’s data can be put at risk then of course there is always a risk of your app being reverse engineered. So, how can you as an Android developer prevent your app from being reverse engineered and secure your user’s data on the client-side? Well, that’s exactly what we will find out today.

Tamper Detection

The most secure way to detect if your app has been altered is by making sure the signature used to sign the app is the same one used by you. You can do this by using a simple small library I wrote a while back. It’s super easy to integrate.

 

 

In most cases, the only way to get access to your app would be through PlayStore. Which mean we could just check the installation source and block the app from functioning if the app is not installed via PlayStore. This again can be done with the library I have shared above. For instance if you want to detect if a debugger has been attached to your app you can do something like:

guardDebugger({
//No debugger tools detected continue executing the code.
}, {
//Some debugger tools were detected.
})
view raw guardDebugger hosted with ❤ by GitHub

To verify whether your app is downloaded from the right source you can do this:

this.verifyInstaller(Installer.GOOGLE_PLAY_STORE)?.let {
if (it) {
// App is installed from Google Play
} else {
// App is not installed from Google Play
}
}
view raw verifyinstaller hosted with ❤ by GitHub

Lastly to verify if your app has been modded or not you can check the signature of your app like this:

if (this.validateSignature("INSERT YOUR RELEASE SIGNATURE HERE") == Result.VALID) {
// Signature is valid continue using the app
} else {
// Signature is invalid likely a modded version of the app
}
view raw verifySignature hosted with ❤ by GitHub
SafetyNet

SafetyNet from Google is a tool that helps developers by detecting if the app is running on a rooted device and checking if the user is trying to modify critical files created by your app to intercept critical information. The integration of SafetyNet and how to use it is a long topic that could be a post in itself which I might publish later sometime.

ProGuard

Always make sure you have enabled ProGuard on your apps. ProGuard obfuscates your code making it difficult for hackers trying to break your app. You can do this by simply enabling the following options in your app/build.gradlefile.

android {
buildTypes {
release {
// Enables code shrinking, obfuscation, and optimization for only
// your project's release build type.
minifyEnabled true
// Enables resource shrinking, which is performed by the
// Android Gradle plugin.
shrinkResources true
// Includes the default ProGuard rules files that are packaged with
// the Android Gradle plugin. To learn more, go to the section about
// R8 configuration files.
proguardFiles getDefaultProguardFile(
'proguard-android-optimize.txt'),
'proguard-rules.pro'
}
}
}
view raw build.gradle hosted with ❤ by GitHub

Job Offers

Job Offers


    Reverse Engineer-Andriod

    Sauce Labs
    Anywhere
    • Full Time
    apply now

    Lead Android Engineer

    ASOS
    London
    • Full Time
    apply now

    Android Engineer

    Compare the Market
    London
    • Full Time
    apply now
Load more listings

OUR VIDEO RECOMMENDATION

, ,

The Evolution of Android Graphics in Android 12/13

Android 12 and 13 both added significant new capabilities to Android platform graphics, including RenderEffect, RuntimeShader, and more. At the same time, RenderScript has been deprecated and we’ve introduced the RenderScript Intrinsics Replacement Toolkit. This…
Watch Video

The Evolution of Android Graphics in Android 12/13

Daniel Galpin
Android Developer Advocate and Fast Talking YouTuber
Google

The Evolution of Android Graphics in Android 12/13

Daniel Galpin
Android Developer Ad ...
Google

The Evolution of Android Graphics in Android 12/13

Daniel Galpin
Android Developer Advocat ...
Google

Jobs

The only thing you need to be careful about is the rules you mention in the proguard-rules.pro file.

Securing User Credentials.

DO NOT I repeat DO NOT ever store sensitive information on the client-side. Always use something like DataStore to securely store information on the client end. Never store Username/Passwords on the client device. API Keys, AccessTokens and other sensitive information should never be stored in their raw values. Always encrypt the information. Yes, it would make it a tiny bit slow but makes your user details so much more secure.

Database Encryption

Lastly, a lot of folks just skip encrypting the data stored in the database because they feel it’s too much hassle. It’s not. Most databases nowadays provide ways to encrypt the data in the database without having to worry about encrypting and decrypting the data. SQLCipher an SQLite Extension which offers AES256 encryption has gained a lot of attraction. Realm has its encryption system in place as well.

PS.

There is no full-proof secure way to protect your apps from being hacked. If the hacker is persistent they will find some way to break your app. These are just a few tips to make it difficult for hackers. Also if you have some more methods please feel free to drop a comment or reach out to me on LinkedIn or Twitter.

This article was originally published on proandroiddev.com on March 28, 2022

YOU MAY BE INTERESTED IN

YOU MAY BE INTERESTED IN

blog
👋 Hi and welcome to the second post in this series where we deep-dive…
READ MORE
blog
👋 Hi and welcome to a new series of blog posts in which we…
READ MORE
blog
When I first released my open-source certificate transparency library for Android and the JVM,…
READ MORE

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.

Menu