
I recently got a security issue for the app I'm working on: the possibility to run on rooted devices. I discovered that it is hard to prevent this situation. My first try was to implement RootBeer. Sadly, there are tools like Magisk Manager which can trick your app into not recognizing the device as rooted.

After some research, I found that SafetyNet has finally been "fixed" so the app can't be used through Magisk anymore. To do so, I need to send to my server a JWS token generated using a nonce (received from the server, as Google recommends).

All good so far - my main problem is that my app can be used offline. A solution for this would be to verify the JWS token locally, but that will open vulnerabilities.

I need your help to understand what I should do in order to prevent the app from being opened on a rooted device, using SafetyNet (or another way), in both online and offline mode.

Thanks!

  • When you say you want your app to work offline, you're essentially saying without a backend, right? Because SafetyNet will not work offline anyway? – Codevalley Aug 21 '22 at 11:54

1 Answer


I would suggest something more hybrid. You could use RootBeer for offline usage and SafetyNet for online. I have recently started to develop an Android SDK that detects a device's security. It has some checks (such as root detection, mock location, VPN network, app running in a sandbox, and more to come) that may be crucial for fraud use cases.

So if you need something more detailed in your detections in order to determine if it's suspicious based on the use case, you could give it a try.

Of course any feedback for improvement is welcome.

https://github.com/AppSafetyTech/safesdk-android

frontz
  • Hi, I'm interested in your project, but... 'SafeSdkManager()' has private access in 'tech.appsafety.safesdk.SafeSdkManager' when implementing it from a Java project with Android Studio – Hallaz Feb 09 '22 at 11:07
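The online half of the flow described in the question, as an added Python example that is not code from the question, the answer, or the linked SDK: the server issues a single-use nonce, and after the JWS signature and its x5c chain have been validated against attest.android.com (assumed to happen before this function runs) it checks the attestation claims and the nonce binding. It assumes an in-memory nonce store and that the server keeps the nonce in the same form it appears in the token's nonce claim.

```python
import base64
import json
import secrets

NONCE_TTL_SECONDS = 120
_issued_nonces: dict[str, float] = {}  # nonce -> issue time (in-memory, example only)

def issue_nonce(now: float) -> str:
    """Server side: mint an unpredictable, single-use nonce for one attestation."""
    nonce = secrets.token_urlsafe(24)
    _issued_nonces[nonce] = now
    return nonce

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_attestation_claims(jws: str, package_name: str,
                              allowed_cert_digests: set[str], now: float) -> tuple[bool, str]:
    """Claim checks on an already signature-verified attestation. Returns (accepted, reason).
    The nonce is consumed on first sight so a captured token cannot be replayed."""
    try:
        _header, payload_b64, _signature = jws.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed JWS"
    issued_at = _issued_nonces.pop(claims.get("nonce"), None)  # pop even if later checks fail
    if issued_at is None:
        return False, "unknown or replayed nonce"
    if now - issued_at > NONCE_TTL_SECONDS:
        return False, "nonce expired"
    if abs(now * 1000 - claims.get("timestampMs", 0)) > NONCE_TTL_SECONDS * 1000:
        return False, "attestation timestamp outside freshness window"
    if claims.get("apkPackageName") != package_name:
        return False, "package name mismatch"
    digests = set(claims.get("apkCertificateDigestSha256", []))
    if not digests or not digests <= allowed_cert_digests:
        return False, "signing certificate mismatch"
    # Magisk-style hiding typically leaves basicIntegrity true but ctsProfileMatch false;
    # require both for the "not rooted / untampered" decision the question asks about.
    if not (claims.get("ctsProfileMatch") and claims.get("basicIntegrity")):
        return False, "device integrity check failed"
    return True, "ok"

def make_test_jws(claims: dict) -> str:
    """Constructed test token only: real attestations are RS256-signed by Google with an
    x5c chain; here the signature segment is a placeholder because signature validation
    is assumed to have happened before verify_attestation_claims is called."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.placeholder-signature"
```

For the offline mode the question asks about, a cached result of this server decision (bound to the session it was issued for) plus a local check such as RootBeer is the hybrid the answer describes; the local check alone must be treated as best-effort.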