FunkyMuse

07/11/2021, 2:35 PM
Hi everyone. Today I've published an article about how you can protect your Android app from being tampered with. You can check it out at https://funkymuse.dev/posts/android_anti_tampering/

CLOVIS

07/11/2021, 7:20 PM
It's not the first time I read articles like this. Really though, what is the big deal with the app being readable? If you have proper server-side validation, there shouldn't be any issues. Why are you so worried?

ephemient

07/11/2021, 8:21 PM
Client-side is untrustworthy, period. SafetyNet attestation is potentially useful, as it can make use of hardware-backed cryptography; however, everything can be bypassed without server-side validation.

CLOVIS

07/11/2021, 10:14 PM
I'm not convinced it's a good idea at all. If someone tries to attack your app, that's on the server to detect, the client is at their control. And I really don't like the sound of companies purposefully making it harder for me to see what's going on on a device that I paid for.

ephemient

07/12/2021, 1:29 AM
SafetyNet does say that you should only use it as one of the inputs to performing validation on your backend; it is not recommended to try to do anything with the attestation result on the client.
And I tend to agree. R8/ProGuard is useful as an optimization/minimization step, but obfuscation will not stop anybody even slightly determined.
All other client-side tricks can be defeated: a rooted device can fake everything, including certificate pinning, software and hardware identifiers and signatures, etc.
Even hardware-based attestation isn't 100%: there are legitimate users who can't use it, and an attacker can simply pay for access to an arbitrary number of devices that do pass it.
Which is why SafetyNet is, at best, simply one input into a larger system. For example, perhaps you might use it as a signal when looking for patterns of user-generated spam content.