1

Our team is trying to secure a native Android mobile app.

Amongst other things we are using Dexguard for some checks such as tamper, root and emulator detection.

Long story short: some of these checks fail in our debug builds - mainly because we want to keep the build times short for developers - and we need some way to skip them [1].

The suggestion by official Dexguard support was to use something like this:

if(!BuildConfig.DEBUG){
    // do actual check if app has been tampered with
}

Now I'm worrying:

Doesn't such a conditional make the tampering checks very easy to circumvent for an attacker?

My fear is that if an attacker tries to tamper with the app, he can easily do so if he is also able to somehow make it think that it is a DEBUG build. Thus with little effort all the (expensive) Dexguard tamper checks are circumvented...

Are my concerns justified? Does including a conditional such as above make tampering the app easier for attackers?

[1]: The background here is: Dexguard makes builds take a looong time. Such as 50 seconds instead of 5 seconds for a simple unit test re-run. Because of this we disable Dexguard for our debug build, which in turn makes certain of the checks (such as tamper detection) fail, as they rely on the APK being processed by Dexguard.

Community
  • 1
fgysin
  • 715
  • 1
  • 9
  • 13

1 Answers1

3

As your sample code shows if the attacker uses a debug version he can easily bypass the security checks. Actually you need compiler directives to do that.

Using compiler directives the portion of codes marked as DEBUG never compile to final application and because of that you are safe using that method.

Xaqron
  • 306
  • 1
  • 10
  • Do you know of a way to achieve this in native Android development? I'd be interested in any resources. – fgysin Feb 04 '19 at 10:50
  • @fgysin: Check [this](https://stackoverflow.com/questions/4604283/automatic-defines-according-to-debug-release-config-in-visual-studio) question. – Xaqron Feb 05 '19 at 20:35
  • Yeah, thanks, but that is for C++... I'm looking for a way to achieve this natively in Android. I'm certainly not going through the hassle of NDK on Android just to avoid the above anti pattern. – fgysin Feb 06 '19 at 06:49
  • @fgysin What do you mean by native? Whatever language you use for writing the code, if it supports `compile directives` you can use it. – Xaqron Feb 06 '19 at 18:13