search

OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International
11.64k stars 2.3k forks source link

Andriod 10 anti-tampering: run embedded uncompressed DEX directly #1506

Open commjoen opened 4 years ago

commjoen commented 4 years ago

You can now run dEX code directly as anti-tampering control (see https://developer.android.com/about/versions/10/features#embedded-dex). this should be part of the anti-reverse engineering techniques

cpholguera commented 4 years ago

On devices running Android 10 (API level 29) and higher you can tell the platform to run embedded DEX code directly from your app’s APK file. This option can help prevent an attack if an attacker ever managed to tamper with the locally compiled code on the device.

How's the scenario? What are we protecting exactly?

In any case (before and after this change), modifying the embedded DEX files will break the signature, so the new change does not make any difference for repackaged apps. Then we're talking about original apps and are already installed and running on a non-rooted device.

The attacker tampers with the locally compiled code...

Just trying to brainstorm a little bit to get concrete here.