Contact Us Blog Register Login
PreEmptive -
  • Home
  • Products
    • Application Protection
      • Dotfuscator for .NET
        • Overview
        • Features
        • Compare Editions
        • Xamarin Protection
        • Videos & Resources
        • Pricing
        • Downloads
      • DashO for Android & Java
        • Overview
        • Features
        • Videos & Resources
        • Pricing
        • Downloads
      • JSDefender for JavaScript
        • Overview
        • Features
        • Online Demo
        • Pricing
        • Downloads
      • PreEmptive Protection for iOS
        • Overview
  • Support
    • Product Support
      • Dotfuscator for .NET
      • DashO for Android & Java
      • JSDefender for JavaScript
      • PreEmptive Protection for iOS
    • Resources
      • White Papers
      • Glossary
      • Videos
  • Solutions
    • App Protection Solutions
      • Mobile App Protection
      • Desktop & Server App Protection
      • General Data Protection Regulation (GDPR)
      • Security Development Lifecycle
      • Application Integrity Protection
      • Mobile RASP
      • PCI Mobile Payment Acceptance Security
  • Company
    • About
      • Why PreEmptive?
      • About Us
      • Careers
      • Blog
    • Contact
    • Legal

Root detection: Xamarin apps stop hackers before they can begin

May 7, 2018 7064 Views Sebastian Holst

How important is root detection?

  • Rooted devices can be extremely dangerous: When running on a rooted device, an otherwise harmless App can unmount file systems, kill processes, or run any arbitrary command.
  • Rooted devices are plentiful: In the annual Android Security 2017 Year in Review, Google reported that its SafetyNet service identifies over 14 million rooted devices DAILY.
  • Sensitive applications must include controls to mitigate these risks: Recent PCI Security Council guidelines and NIST controls are just two notable examples where rooted device detection and response obligations are explicitly assigned to development organizations. More generally, rooted access is synonymous with unauthorized privilege escalation and is, therefore, incorporated by reference in virtually every privacy obligation developers face, e.g. GDPR, HIPAA...

What’s new for Xamarin.Android developers?

New with Dotfuscator Professional 4.35.0 and Dotfuscator Community Edition (CE) 5.35.0, developers can, for the first time, inject rooted device detection and response controls into Xamarin.Android apps (injection means the logic is inserted post-compile – no coding required).

Want to dig deep?

Read this month’s MSDN Magazine article, Detect and Respond to Rooted Android Devices from Xamarin Apps that steps you through a detailed explanation of the feature, with links to sample code.

The article takes a sample Xamarin app, TodoAzureAuth authored by Xamarin’s David Britch, and adds rooted device detection and response in a way that maps to the PCI Mobile Payment Acceptance Security Guidelines published on 9/2017.

Specifically,

  • Detect that an app is running on a rooted device (offline or on a network)
  • Abort the initial session and permanently quarantine the app in future sessions
  • Report the incident to a central compliance service
  • Obfuscate the app to prevent analysis and tampering of the above controls
  • Automatically log the above implementation to demonstrate compliance for each build

Rooted Response

The sample app highlighted in the article extends the TodoAzureAuth with the behaviors illustrated in figure 1.

Figure 1: Flow illustrating TodoAzureAuth rooted device response behavior after it has been injected with the Dotfuscator Control. Note that Root detection serves as an effective proxy for Android emulator detection as well.

Obfuscated Binaries

Dotfuscator also obfuscates the TodoAzureAuth app to prevent hackers from

  • Identifying where and how the rooted device detection and response controls are implemented
  • Reverse-engineering embedded intellectual property (IP).

Figure 2: Sample output from obfuscated version of TodoAzureAuth.

Reporting via App Center Integration

The custom code injected by Dotfuscator connects each rooted device detection event with the app owner’s App Center account.

Figure 3: App Center integration

Automatically Generated Audit Records

The following Build Output can be stored and used to demonstrate that specific controls were injected on any given release.

Figure 4: Auto-logging of Build Reports

Post-compile injection configured through Dotfuscator UI

All of these controls plus obfuscation are configured through the Dotfuscator UI. Once configured, Dotfuscator can be invoked automatically as part of a continuous build process ensuring that every version of every app is effectively secured.

Figure 5: Dotfuscator configuration options.

Conclusion

With the latest release of Dotfuscator, Xamarin.Android developers can rely upon the same application hardening and runtime detection and response controls that classic .NET developers have been able to rely upon for anti-tamper and anti-debugger detection and response.

Attending Microsoft Build during the week of May 7th? Visit booth E61 and we can demo all of the above!


Get a Free Trial
Tweet
Share

Categories

  • Dotfuscator

  • Dotfuscator CE

  • DashO

  • JSDefender

  • Press Releases

  • Mobile Protection

  • Risk Management

  • Support Corner

Latest Blog Posts

Protecting Java applications that use Jackson for JSON



JSON is a standard format for sharing objects and data within an application. When working in Java, there is no built-in support for JSON processing. There are, however, several widely-used libraries and options to choose from. In this article, we will focus on Jackson, which is one of the most popular.

Read more

Protecting C# applications that use AutoMapper



AutoMapper is an object-to-object mapping system used by many of our customers. It aims to simplify and organize code responsible for sharing instance values from an object of one type to an object of a different type.

Read more

Inventa, Wireless Technology Company, Protects their Android Application with DashO



Inventa, a Wireless Technology Company, Protects their Android Application with DashO

The Beginnings of Inventa

Having worked in the wireless mobile technology domain in the US, Anand Virani, became intrigued by the growing tech and wireless trends and wanted to explore the field more for himself. He noticed a boom in the Internet of Things (IoT) and that smartphones were becoming more central to how people interacted with each other at home, in the office, and in public places. What if there was a way phones could connect with each other without the need for Internet or cloud access? Smartphones were the future and Virani was determined to make a profitable business model based on this new trend.

Read more

Surgical Theater Protects their Medical Applications with Dotfuscator



Surgical Theater Protects their Medical Applications with Dotfuscator

How It All Started

How is flying a fighter plane similar to performing neurosurgery? They have more in common than you’d think. In 2005, Monty Avisar and Alon Geri, two Israeli fighter pilots were assigned to work with Lockheed Martin to build a $50 million F-16 Flight Simulator program for the Israeli Air Force to improve hand-eye coordination skills for their pilots during combat. Avisar took on the role of project manager and Geri served as senior engineer; the project was a success.

Four years later in 2009, the two finished their military service in Israel and moved to Cleveland, Ohio. Their experience working in virtual reality applications inspired them to wonder where this technology could also be applied. With several connections to surgeons, the two came to understand the ins and outs of operation procedures; in a similar way, surgeons were also working on a battlefield. What if surgeons could also train like fighter pilots and preview their surgical procedure, much like a fighter pilot could pre-fly their mission? The surgeons could pre-plan the operation from every angle and every approach to increase their situational awareness. And a year later, Surgical Theater was born.

Read more

Integrating DashO into a Maven Build



Maven is perhaps the most widely-used project management tool for Java. Based on the Project Object Model (POM), it is used not only for compilation of source code, but also dependency management, documentation, running tests, packaging, deployment, and more. We are frequently asked if we have a Maven plugin for running DashO. Though we do not offer a specific Maven plugin, adding DashO to your Maven-based project is surprisingly easy by leveraging Ant.

Read more

preemptive logo

767 Beta Dr. Suite A
Mayfield Village, OH 44143

Tel: +1 440.443.7200

solutions@preemptive.com

Latest Blog Posts

Protecting Java applications that use Jackson for JSON

December 30, 2020
Read more

Protecting C# applications that use AutoMapper

November 18, 2020
Read more

Inventa, Wireless Technology Company, Protects their Android Application with DashO

November 10, 2020
Read more

Surgical Theater Protects their Medical Applications with Dotfuscator

October 30, 2020
Read more

GlobalMed Finds Success by Switching to JSDefender

October 21, 2020
Read more

Twitter

@baldbeardbuild @GirlsWhoCode @baldbeardbuild thanks so much for inspiring us to be BUILDERS in our own community!… https://t.co/U6AyqPDhsa Jan 14 • reply • retweet • favorite

Copyright © 2020 PreEmptive

  • Home
  • Contact Support
  • Blog
  • Contact
Scroll to Top

PreEmptive uses cookies to improve the functionality of our website. By using this site, you agree to the use of cookies.