Safe to Run
The purpose of this library is to provide a simple and extensible framework you can use in order to check your app is safe to run, and provide you with a way to verify data from intents or deep links is safe.
What is safe to run?
Check out our website for more information on safe to run
Safe to run plus?
Safe to run plus adds to the Safe to run security platform by providing developers and security teams an online portal for application security monitoring. This tool offers security analytics, allowing you to uncover and address Safe to run verify and resilience failures.
Documentation
Quickstart
implementation "com.safetorun:safetorun:$safeToRunVersion"
implementation "com.safetorun:inputverification:$safeToRunVersion"
Safe to run input verification
A fuller discussion can be found here:
Urls
Here's a sample which will only allow safetorun.com as the host, and only allowed the parameterName with the name "param" of type string.
"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
allowParameter {
allowedType = AllowedType.String
parameterName = "param"
}
} == true
We are able to provide more permissive options, for example:
"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
allowAnyParameter()
} == true
Files
Allow specific private file
We can use safe to run for files too:
Allowing a specific file
val isFileSafeToOpen = uri.verifyFile(this) {
// This
File(context.filesDir + "files/", "safe_to_read.txt").allowExactFile()
// Is the same as this:
addAllowedExactFile(File(context.filesDir + "files/", "safe_to_read.txt"))
}
or maybe adding a directory
val isFileSafeToOpen = uri.verifyFile(this) {
// This
addAllowedParentDirectory(context.filesDir.allowDirectory())
// Is the same as this:
FileUriMatcherBuilder.FileUriMatcherCheck(
context.filesDir,
false
)
}
See docs for full information, and "app" for an example
Recompilation protection
Safe to run uses inline functions as an added level of protection against reverse engineering. It is recommended that you use the inline implementation in many places throughout the application in order to harden against reverse engineering.
private inline fun canIRun(actionOnFailure: () -> Unit) {
if (safeToRun(buildSafeToRunCheckList {
add {
banAvdEmulatorCheck()
}
add {
blacklistedAppCheck()
}
add {
rootDetectionCheck()
}
add {
banGenymotionEmulatorCheck()
}
add {
banBluestacksEmulatorCheck()
}
add {
safeToRunCombinedCheck(
listOf(
{ bannedHardwareCheck("hardware") },
{ bannedBoardCheck("board") }
)
)
}
add {
safeToRunCombinedCheck(
listOf { installOriginCheckWithDefaultsCheck() },
listOf { !BuildConfig.DEBUG }
)
}
add {
verifySignatureCheck("Abc")
}
})()) {
actionOnFailure()
}
}