Skip to content

Safetorun/safe_to_run

BranchesTags

Repository files navigation

Safe to Run

Known Vulnerabilities Codacy Badge Quality Gate Status Android Arsenal codecov Slack channel

Safe to run (android library) Maven central - SafeToRun

Core Maven central - Core

Input validation Maven central - Input validation

The purpose of this library is to provide a simple and extensible framework you can use in order to check your app is safe to run, and provide you with a way to verify data from intents or deep links is safe.

What is safe to run?

Check out our website for more information on safe to run

Visit the site

Documentation

Documentation website

Quickstart

implementation "com.safetorun:safetorun:$safeToRunVersion"
implementation "com.safetorun:inputverification:$safeToRunVersion"

Safe to run input verification

A fuller discussion can be found here:

Verify URL

Urls

Here's a sample which will only allow safetorun.com as the host, and only allowed the parameterName with the name "param" of type string.

"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
} == true

We are able to provide more permissive options, for example:

"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowAnyParameter()
} == true

Files

Allow specific private file

We can use safe to run for files too:

Allowing a specific file

val isFileSafeToOpen = uri.verifyFile(this) {
    // This
    File(context.filesDir + "files/", "safe_to_read.txt").allowExactFile()

    // Is the same as this:
    addAllowedExactFile(File(context.filesDir + "files/", "safe_to_read.txt"))
}

or maybe adding a directory

val isFileSafeToOpen = uri.verifyFile(this) {
    // This
    addAllowedParentDirectory(context.filesDir.allowDirectory())

    // Is the same as this:
    FileUriMatcherBuilder.FileUriMatcherCheck(
        context.filesDir,
        false
    )
}

See docs for full information, and "app" for an example

Recompilation protection

Safe to run uses inline functions as an added level of protection against reverse engineering. It is recommended that you use the inline implementation in many places throughout the application in order to harden against reverse engineering.

 private inline fun canIRun(actionOnFailure: () -> Unit) {
      if (safeToRun(buildSafeToRunCheckList {
              add {
                  banAvdEmulatorCheck()
              }

              add {
                  blacklistedAppCheck()
              }

              add {
                  rootDetectionCheck()
              }

              add {
                  banGenymotionEmulatorCheck()
              }

              add {
                  banBluestacksEmulatorCheck()
              }

              add {
                  safeToRunCombinedCheck(
                      listOf(
                          { bannedHardwareCheck("hardware") },
                          { bannedBoardCheck("board") }
                      )
                  )
              }

              add {
                  safeToRunCombinedCheck(
                      listOf { installOriginCheckWithDefaultsCheck() },
                      listOf { !BuildConfig.DEBUG }
                  )

              }
        
              add {
               verifySignatureCheck("Abc")
              }
          })()) {
          actionOnFailure()
      }
  }

About

A library to help verify the security of your android application

safetorun.com

Topics

android kotlin security mobile devsecops mobilesecurity androidsecurity securityascode

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

38 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 5

2.2.4 Latest
Jul 25, 2023
+ 4 releases

Sponsor this project

Packages

No packages published

Contributors 5

Languages