Sensitive applications must include controls to mitigate these risks: recent PCI Security Council guidelines and NIST controls are just two notable examples where rooted device detection and response obligations are explicitly assigned to development organizations. More generally, rooted access is synonymous with unauthorized privilege escalation and is, therefore, incorporated by reference in virtually every privacy obligation developers face, e.g. GDPR, HIPAA...
What’s new for Xamarin.Android developers?
New with Dotfuscator Professional 4.35.0 and Dotfuscator Community Edition (CE) 5.35.0, developers can, for the first time, inject rooted device detection and response controls into Xamarin.Android apps (injection means the logic is inserted post-compile – no coding required).
Detect that an app is running on a rooted device (offline or on a network)
Abort the initial session and permanently quarantine the app in future sessions
Report the incident to a central compliance service
Obfuscate the app to prevent analysis and tampering of the above controls
Automatically log the above implementation to demonstrate compliance for each build
The sample app highlighted in this article extends the TodoAzureAuth sample with the behaviors illustrated in Figure 1.
Figure 1: Flow illustrating TodoAzureAuth rooted device response behavior after it has been injected with the Dotfuscator control. Note that root detection serves as an effective proxy for Android emulator detection as well.
Dotfuscator also obfuscates the TodoAzureAuth app to prevent hackers from identifying where and how the rooted device detection and response controls are implemented.
Figure 2: Sample output from obfuscated version of TodoAzureAuth.
Reporting via Microsoft App Center Integration
The custom code injected by Dotfuscator connects each rooted device detection event with the app owner’s App Center account.
Figure 3: App Center integration
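To make the detect / abort / quarantine / report flow of Figure 1 and the App Center reporting above concrete, here is an added illustrative example written by hand for a Xamarin.Android app. It is not the code Dotfuscator injects and is not part of the TodoAzureAuth sample; it assumes the project references the Microsoft.AppCenter.Analytics package, and the preference file name, flag name, event name and the list of su paths are my own constructed choices.

```csharp
// Added example: hand-written rooted-device detection and response for a
// Xamarin.Android app (not Dotfuscator's injected control). Assumes the
// Microsoft.AppCenter.Analytics NuGet package is referenced.
using System.Collections.Generic;
using Android.App;
using Android.Content;
using Android.OS;
using Microsoft.AppCenter.Analytics;

namespace TodoAzureAuth.Hardening
{
    // Detection: a few widely used defender-side heuristics. Any single hit is
    // treated as "rooted" (test-keys builds also cover most emulator images).
    public static class RootCheck
    {
        // Constructed list of well-known locations of the su binary.
        static readonly string[] SuPaths =
        {
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
            "/data/local/su", "/su/bin/su"
        };

        public static bool IsRooted()
        {
            return HasTestKeys() || HasSuBinary() || HasSuperuserApp();
        }

        // Firmware signed with the public AOSP test keys indicates a custom or
        // emulator build rather than a vendor-signed release image.
        static bool HasTestKeys()
        {
            var tags = Build.Tags;
            return tags != null && tags.Contains("test-keys");
        }

        static bool HasSuBinary()
        {
            foreach (var path in SuPaths)
            {
                if (new Java.IO.File(path).Exists()) return true;
            }
            return false;
        }

        static bool HasSuperuserApp()
        {
            return new Java.IO.File("/system/app/Superuser.apk").Exists();
        }
    }

    // Response: abort this session, quarantine all future sessions, report once.
    public static class RootResponse
    {
        const string PrefsName = "hardening";       // hypothetical preference file name
        const string QuarantineKey = "quarantined"; // hypothetical flag name

        public static bool IsQuarantined(Context ctx)
        {
            var prefs = ctx.GetSharedPreferences(PrefsName, FileCreationMode.Private);
            return prefs.GetBoolean(QuarantineKey, false);
        }

        // Call early in the launch Activity (e.g. in OnCreate) before any
        // credentials or data are touched.
        public static void Enforce(Activity activity)
        {
            if (IsQuarantined(activity))
            {
                // Flag persisted by an earlier session: stop without re-checking.
                activity.FinishAffinity();
                return;
            }

            if (!RootCheck.IsRooted()) return;

            // Persist the quarantine flag so every future session is blocked too.
            var prefs = activity.GetSharedPreferences(PrefsName, FileCreationMode.Private);
            prefs.Edit().PutBoolean(QuarantineKey, true).Commit();

            // Report the incident to the app owner's App Center account
            // (constructed event name and properties).
            Analytics.TrackEvent("RootedDeviceDetected", new Dictionary<string, string>
            {
                { "model", Build.Model ?? "unknown" },
                { "sdk", ((int)Build.VERSION.SdkInt).ToString() }
            });

            // Abort the current session.
            activity.FinishAffinity();
        }
    }
}
```

App Center must already have been started (via `AppCenter.Start` with the app secret and `typeof(Analytics)`) before `TrackEvent` will deliver anything, so call `RootResponse.Enforce` after that initialization. Because these checks live in the app, anyone who can read the decompiled code can see exactly which paths and flags are consulted; that is the reason the article pairs the control with obfuscation rather than relying on detection alone.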
Automatically generated audit records
The following Build Output can be stored and used to demonstrate that specific controls were injected on any given release.
Figure 4: Auto-logging of Build Reports
Post-compile injection configured through Dotfuscator UI
All of these controls, plus obfuscation, are configured through the Dotfuscator UI. Once configured, Dotfuscator can be invoked automatically as part of a continuous build process, ensuring that every version of every app is effectively secured.
Figure 5: Dotfuscator configuration options.
Closing thoughts (for the week of May 7th 2018 at least)
With the latest release of Dotfuscator, Xamarin.Android developers can rely upon the same application hardening and runtime detection and response controls that classic .NET developers have long relied upon for anti-tamper and anti-debugger detection and response, and that Android developers rely upon in our DashO for Android solution.