Expanded runtime-security release focused on deeper Android anti-tampering research, cross-view consistency checks, isolated-process comparison, and more detailed native telemetry.
Overview
This release expands SecurityRiskAndroid from a single-process native checker into a layered runtime-risk detector with multiple execution views:
- Main app process checks
- Native fast synchronous checks
- Native deep asynchronous checks
- Optional root-assisted diagnostic checks
- Isolated-process comparison through SecurityIsolatedService
The goal is to make suspicious runtime behavior easier to observe, compare, and debug without relying on one root check or one detection string.
Notes
This project is still a research and educational sample.
The native checker should be treated as a runtime-risk signal generator, not as a perfect security boundary. Advanced root, Zygisk, LSPosed, Shamiko, Frida, or kernel-level tooling may still bypass local checks.
For production enforcement, local runtime signals should be combined with server-side verification such as device/app attestation, backend risk scoring, and account-level abuse detection.
Known Limitations
- Isolated-process comparison requires Java and Manifest wiring.
- Root-assisted checks may require user-granted su access and should be treated as lab diagnostics.
- Timing signals are noisy and should not be used as standalone block reasons.
- /data/app visibility differs across Android versions and OEMs.
- ART/JIT memory behavior can vary by device and Android version.
- Local native checks are bypassable by sufficiently privileged attackers.
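
One way a backend could combine the views described in the Overview and Notes, as an added example that is not SecurityRiskAndroid's own code: it scores the main-process report, treats disagreement with the isolated-process report as a signal of its own, and lets timing signals count only once something else corroborates them. The signal names, weights, thresholds and report shape are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed names, weights and thresholds (assumptions, not the project's schema).
WEIGHTS = {"su_binary": 40, "hook_framework": 40, "maps_anomaly": 25, "timing_skew": 10}
NOISY = {"timing_skew"}      # may add weight, never a standalone reason
CROSS_VIEW_WEIGHT = 30       # main and isolated process disagree on a probe
ATTESTATION_WEIGHT = 50      # server-side attestation verdict failed
BLOCK_AT, REVIEW_AT = 60, 25


@dataclass
class Verdict:
    score: int = 0
    action: str = "allow"
    reasons: list = field(default_factory=list)


def score_report(main: dict, isolated: Optional[dict], attestation_ok: bool) -> Verdict:
    """Score one device report; `isolated` is None when that view is not wired up."""
    v = Verdict()
    hits = sorted(name for name, hit in main.items() if hit)
    for name in (n for n in hits if n not in NOISY):
        v.score += WEIGHTS.get(name, 0)
        v.reasons.append(f"main:{name}")
    # Cross-view check: the same probe answered differently in the isolated
    # process is a signal in itself, whichever side reported the hit.
    for name in sorted(set(main) & set(isolated or {})):
        if name not in NOISY and bool(main[name]) != bool(isolated[name]):
            v.score += CROSS_VIEW_WEIGHT
            v.reasons.append(f"cross_view_mismatch:{name}")
    if not attestation_ok:
        v.score += ATTESTATION_WEIGHT
        v.reasons.append("attestation_failed")
    # Noisy signals count only when something else already corroborates them.
    corroborated = bool(v.reasons)
    for name in (n for n in hits if n in NOISY):
        if corroborated:
            v.score += WEIGHTS.get(name, 0)
            v.reasons.append(f"main:{name}")
        else:
            v.reasons.append(f"uncorroborated:{name}")
    if v.score >= BLOCK_AT:
        v.action = "block"
    elif v.score >= REVIEW_AT:
        v.action = "review"
    return v
```

The reasons list is kept alongside the score so a reviewer can see which view produced each signal.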