Security and privacy are the two most talked about topics these days. Like any piece of code, Android apps can also be targeted and your user’s data can be put at risk then of course there is always a risk of your app being reverse engineered. So, how can you as an Android developer prevent your app from being reverse engineered and secure your user’s data on the client-side? Well, that’s exactly what we will find out today.
Tamper Detection
The most secure way to detect if your app has been altered is by making sure the signature used to sign the app is the same one used by you. You can do this by using a simple small library I wrote a while back. It’s super easy to integrate.
In most cases, the only way to get access to your app would be through PlayStore. Which mean we could just check the installation source and block the app from functioning if the app is not installed via PlayStore. This again can be done with the library I have shared above. For instance if you want to detect if a debugger has been attached to your app you can do something like:
| guardDebugger({ | |
| //No debugger tools detected continue executing the code. | |
| }, { | |
| //Some debugger tools were detected. | |
| }) |
To verify whether your app is downloaded from the right source you can do this:
| this.verifyInstaller(Installer.GOOGLE_PLAY_STORE)?.let { | |
| if (it) { | |
| // App is installed from Google Play | |
| } else { | |
| // App is not installed from Google Play | |
| } | |
| } |
Lastly to verify if your app has been modded or not you can check the signature of your app like this:
| if (this.validateSignature("INSERT YOUR RELEASE SIGNATURE HERE") == Result.VALID) { | |
| // Signature is valid continue using the app | |
| } else { | |
| // Signature is invalid likely a modded version of the app | |
| } |
SafetyNet
SafetyNet from Google is a tool that helps developers by detecting if the app is running on a rooted device and checking if the user is trying to modify critical files created by your app to intercept critical information. The integration of SafetyNet and how to use it is a long topic that could be a post in itself which I might publish later sometime.
ProGuard
Always make sure you have enabled ProGuard on your apps. ProGuard obfuscates your code making it difficult for hackers trying to break your app. You can do this by simply enabling the following options in your app/build.gradlefile.
| android { | |
| buildTypes { | |
| release { | |
| // Enables code shrinking, obfuscation, and optimization for only | |
| // your project's release build type. | |
| minifyEnabled true | |
| // Enables resource shrinking, which is performed by the | |
| // Android Gradle plugin. | |
| shrinkResources true | |
| // Includes the default ProGuard rules files that are packaged with | |
| // the Android Gradle plugin. To learn more, go to the section about | |
| // R8 configuration files. | |
| proguardFiles getDefaultProguardFile( | |
| 'proguard-android-optimize.txt'), | |
| 'proguard-rules.pro' | |
| } | |
| } | |
| } |
OUR VIDEO RECOMMENDATION
Jobs
The only thing you need to be careful about is the rules you mention in the proguard-rules.pro file.
Securing User Credentials.
DO NOT I repeat DO NOT ever store sensitive information on the client-side. Always use something like DataStore to securely store information on the client end. Never store Username/Passwords on the client device. API Keys, AccessTokens and other sensitive information should never be stored in their raw values. Always encrypt the information. Yes, it would make it a tiny bit slow but makes your user details so much more secure.
Database Encryption
Lastly, a lot of folks just skip encrypting the data stored in the database because they feel it’s too much hassle. It’s not. Most databases nowadays provide ways to encrypt the data in the database without having to worry about encrypting and decrypting the data. SQLCipher an SQLite Extension which offers AES256 encryption has gained a lot of attraction. Realm has its encryption system in place as well.
PS.
There is no full-proof secure way to protect your apps from being hacked. If the hacker is persistent they will find some way to break your app. These are just a few tips to make it difficult for hackers. Also if you have some more methods please feel free to drop a comment or reach out to me on LinkedIn or Twitter.
This article was originally published on proandroiddev.com on March 28, 2022
