
tepikin/AndroidTamperingProtection


AndroidTamperingProtection

Protect your Android app from tampering.

This library checks whether the application has been tampered with.

TamperingProtection checks:

  1. CRC code of classes.dex - protects against code modification.
  2. Application signature - protects against re-signing of your app.
  3. Installer store - the app must be installed only from a store (not by hand).
  4. Package name - sometimes a malefactor changes the package name and sells your application as their own.
  5. Debug mode - the production version of the app mustn't run in debug mode.
  6. Running on an emulator - the user mustn't run the app on an emulator.

You don't have to use all of these protection types. The most useful are "application signature" and "package name".

How to get the signature code:
Use the method TamperingProtection.getSignatures(context). It returns the fingerprint of the current signature.
If the app is signed with the debug keystore, the method returns the debug fingerprint (if it is signed with the release keystore, it returns the release fingerprint).
You can also get the signature from the command line on a PC. To get the MD5 fingerprint from the command line, use:
keytool -list -v -keystore <YOU_PATH_TO_KEYSTORE> -alias <YOU_ALIAS> -storepass <YOU_STOREPASS> -keypass <YOU_KEYPASS>
To get the MD5 fingerprint for the debug keystore:
keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android
Use only the MD5 fingerprint. It looks like: "CC:0C:FB:83:8C:88:A9:66:BB:0D:C9:C8:EB:A6:4F:32".

How to get the CRC code:
Use the method `TamperingProtection.getDexCRC(context)` to get the CRC code of classes.dex.
Note: don't keep CRC codes hardcoded in Java classes! Keep them in resources (strings.xml), in JNI code, or on a web server.
The CRC code of the .dex changes each time you modify the Java code.
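
Why the expected CRC belongs outside the Java classes, shown as an added example (not the library's own code): a plain-JDK program that assumes the dex CRC is the CRC-32 the APK's zip directory records for classes.dex. The names `DexCrcDemo`, `dexCrc`, `isAccepted` and `buildApk`, and the archive contents, are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.zip.*;

public class DexCrcDemo {
    // CRC-32 that the APK's zip directory records for classes.dex (assumed CRC source).
    static long dexCrc(Path apk) throws IOException {
        try (ZipFile zip = new ZipFile(apk.toFile())) {
            ZipEntry dex = zip.getEntry("classes.dex");
            if (dex == null) throw new FileNotFoundException("no classes.dex in " + apk);
            return dex.getCrc();
        }
    }

    // Hypothetical helper: true if the APK's dex CRC is one of the accepted values.
    static boolean isAccepted(Path apk, long... acceptedCrcs) throws IOException {
        long actual = dexCrc(apk);
        for (long crc : acceptedCrcs) if (crc == actual) return true;
        return false;
    }

    // Writes a constructed two-entry "APK": code bytes plus a resource file.
    static Path buildApk(String code, String resource) throws IOException {
        Path apk = Files.createTempFile("sample", ".apk");
        apk.toFile().deleteOnExit();
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(apk))) {
            out.putNextEntry(new ZipEntry("classes.dex"));
            out.write(code.getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("res/values/strings.xml"));
            out.write(resource.getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return apk;
    }

    public static void main(String[] args) throws IOException {
        long release = dexCrc(buildApk("constructed dex bytes", "dexCrc=?"));
        // Writing the expected value into a resource does not touch classes.dex.
        Path shipped = buildApk("constructed dex bytes", "dexCrc=" + release);
        // A change to the code itself, such as a patch, produces a different CRC.
        Path patched = buildApk("constructed dex bytes, patched", "dexCrc=" + release);
        System.out.println("shipped accepted: " + isAccepted(shipped, release));
        System.out.println("patched accepted: " + isAccepted(patched, release));
    }
}
```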

How to use

Simple usage:

TamperingProtection protection = new TamperingProtection(context);
protection.setAcceptedPackageNames("ru.lazard.sample"); // your package name
protection.setAcceptedSignatures("CC:0C:FB:83:8C:88:A9:66:BB:0D:C9:C8:EB:A6:4F:32"); // MD5 fingerprint

boolean isValid = protection.validateAll(); // true if the app is valid, false if it was tampered with

Max protection variant:

// Keep dexCrc in resources (strings.xml) or in JNI code. Don't hardcode it in Java classes, because that changes the checksum.
long dexCrc = Long.parseLong(this.getResources().getString(R.string.dexCrc));

TamperingProtection protection = new TamperingProtection(context);
protection.setAcceptedDexCrcs(dexCrc);
protection.setAcceptedStores(TamperingProtection.GOOGLE_PLAY_STORE_PACKAGE); // apps installed only from google play
protection.setAcceptedPackageNames("ru.lazard.sample.Lite_Version","ru.lazard.sample.Pro_Version"); // lite and pro package names
protection.setAcceptedSignatures("CC:0C:FB:83:8C:88:A9:66:BB:0D:C9:C8:EB:A6:4F:32"); // only release md5 fingerprint
protection.setAcceptStartOnEmulator(false); // not allowed for emulators
protection.setAcceptStartInDebugMode(false); // not allowed run in debug mode

protection.validateAllOrThrowException(); // detailed fail information in Exception.

How to install (Gradle)

To get a Git project into your build:

Step 1. Add the JitPack repository to your build file. Add it in your root build.gradle at the end of repositories:

allprojects {
	repositories {
		...
		maven { url "https://jitpack.io" }
	}
}

Step 2. Add the dependency

dependencies {
    compile 'com.github.tepikin:AndroidTamperingProtection:0.11'
}

PS: or just copy the file TamperingProtection.java into your project. :)
