Hi everyone Today I ve published an article about how you ca kotlinlang #android

Channels

fluid-libraries

jhipster-kotlin

effectivekotlin

effective-kotlin

android-architecture

algolialibraries

stayhungrystayfoolish

pattern-matching

kotlin-data-storage

skia-wasm-interop-temp

squarelibraries

beepiz-libraries

cscenter-course-2016

kotlin-foundation

compose-android

lambdaworld_cadiz

kotlin-pakistan

java-to-kotlin-refactoring

event21-community-content

fb-internal-demo

kotlinprogrammers

kotlinx-datetime

framework-elide

github-workflows-kt

library-development

arrow-contributors

spring-security

pocketgitclient

domain-driven-design

swiss-user-group

refactoring-to-kotlin

ohio-kotlin-users

introduce-yourself

kotlin-by-example

kotlin-multiplatform-contest

graviton-browser

tricity-kotlin-user-group

kotlin-in-action

android-databinding

kotlintest-devs

cincinnati-user-group

codemash-precompiler

kotlingforbeginners

prozis-android-backup

realworldkotlin

connect-audit-events

russian-kotlinasfirst

androidgithubprojects

intellij-tricks

machinelearningbawas

swagger-gradle-codegen

100daysofkotlin

competitive-programming

compose-ui-showcase

androidx-xprocessing

navigation-architecture-component

strife-discord-lib

embedded-kotlin

image-processing

myndocs-oauth2-server

leedskotlinusergroup

kotest-contributors

practical-functional-programming

kotlinultimatechallenge

k2-early-adopters

kotlinforbeginners

compose-desktop

competitivecoding

100daysofkotlin-2021

refreshversions

language-evolution

jvm-ir-backend-feedback

python-contributors

codingconventions

sofl-user-group

getting-started

language-proposals

intellij-plugins

Title

f

FunkyMuse

07/11/2021, 2:35 PM

Hi everyone Today I've published an article about how you can protect your Android app from being tampered. You can check it out at https://funkymuse.dev/posts/android_anti_tampering/

😶 3

c

CLOVIS

07/11/2021, 7:20 PM

It's not the first time I read articles like this. Really though, what is the big deal with the app being readable? If you have proper server-side validation, there shouldn't be any issues. Why are you so worried?

e

ephemient

07/11/2021, 8:21 PM

client-side is untrustworthy, period. safetynet attestation is potentially useful as it can make use of hardware-backed cryptography, however everything can be bypassed without server-side validation

c

CLOVIS

07/11/2021, 10:14 PM

I'm not convinced it's a good idea at all. If someone tries to attack your app, that's on the server to detect, the client is at their control. And I really don't like the sound of companies purposefully making it harder for me to see what's going on on a device that I paid for.

e

ephemient

07/12/2021, 1:29 AM

safetynet does say that you should only use it as one of the inputs to performing validation on your backend, it is not recommended to try to do anything with the attestation result on the client

and I tend to agree. r8/proguard is useful as an optimization/minimization step, but obfuscation will not stop anybody even slightly determined

all other client-side tricks can be defeated - a rooted device can fake everything, including certificate pinning, software and hardware identifiers and signatures, etc.

even hardware-based attestation isn't 100% - there's legitimate users who can't use it, and an attacker can simply pay for access an arbitrary number of devices that do pass it

which is why safetynet is, at best, simply one input into a larger system. for example, perhaps you might use it as a signal when looking for patterns of user-generated spam content

5 Views