get to prod tasks
86
tasks/android-production/06-root-detection.md
Normal file
@@ -0,0 +1,86 @@
# 06. Root Detection & Obfuscation (R8/ProGuard)

meta:
id: android-production-06
feature: android-production
priority: P1
depends_on: []
tags: [security, hardening, production]

objective:
- Enable code obfuscation with R8/ProGuard and implement root detection to protect the app on compromised devices

deliverables:
- R8/ProGuard enabled in release builds
- Root detection implementation
- Anti-tampering measures
- Code obfuscation rules

steps:
1. Enable R8/ProGuard:
- Set isMinifyEnabled = true in app/build.gradle.kts (currently false)
- Set isShrinkResources = true
- Add proguard-rules.pro with keep rules:
- Keep tRPC model classes (for serialization)
- Keep Retrofit interfaces
- Keep Compose navigation routes
- Keep Dagger/Hilt modules
2. Configure ProGuard rules:
- Keep all data model classes (User, Alert, Exposure, etc.)
- Keep Retrofit service interfaces
- Keep Hilt/Dagger components
- Keep Compose preview functions
- Keep enum values used in serialization
3. Implement root detection:
- Use RootBeer or similar library
- Check for common root indicators:
- su binary presence
- Busybox installation
- Test keys build
- Dangerous props
- Add custom checks for Magisk
4. Define root response:
- Degrade functionality (no biometric, no payments)
- Alert backend of root detection
- Allow basic monitoring features
5. Add anti-tampering:
- Verify app signature at runtime
- Check installer source (Google Play)
- Detect debug mode in release builds
- Detect emulator usage
6. Test obfuscation:
- Build release APK/AAB
- Verify classes obfuscated
- Test app functionality after obfuscation
- Verify no crashes from missing classes

tests:
- Build: Release build succeeds with R8 enabled
- Security: Root detection works on rooted device
- Functionality: App works correctly after obfuscation

acceptance_criteria:
- R8/ProGuard enabled (isMinifyEnabled = true)
- Resource shrinking enabled (isShrinkResources = true)
- ProGuard rules preserving all necessary classes
- Root detection active with multiple methods
- App degrades gracefully on rooted devices
- Backend alerted when root detected
- Code obfuscated in release builds
- Anti-tampering verifying app signature
- No crashes from obfuscation
- Release APK/AAB size reduced by >30%

validation:
- Build release → succeeds, no ProGuard warnings
- Decompile release APK → classes obfuscated
- Run on rooted device → degraded mode activated
- Run on non-rooted device → full functionality
- Check size → release build smaller than debug

notes:
- R8 is the modern replacement for ProGuard in Android
- isMinifyEnabled = false currently — this is a critical security gap
- Root detection can be bypassed — use as defense in depth
- Keep rules are critical — missing keeps cause runtime crashes
- Test thoroughly after enabling R8 — many issues only appear in release
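Review bot: step 4 ("Alert backend of root detection") and the acceptance criterion "Backend alerted when root detected" treat a client-originated signal as trustworthy, but on a rooted or repackaged device the attacker controls that code path and can suppress or forge the alert; the task should state that the backend treats it as an untrusted hint only, and if a server-verifiable device signal is actually required it should come from an attestation API whose verdict the backend checks itself rather than from the app's own report. The caveat the notes already give for root detection ("can be bypassed") applies just as much to step 5: a runtime signature check and an installer-source check live inside the APK and are patched out by the same repackaging they are meant to detect, and "Check installer source (Google Play)" will also flag internal QA, Firebase and sideloaded builds, so the step needs to say how those are exempted. Steps 1 and 2 overlap (Retrofit interfaces and Hilt/Dagger appear in both) and "Keep all data model classes (User, Alert, Exposure, etc.)" works against "Code obfuscated in release builds": prefer narrow rules (keep only the members the serializer reflects on, or annotate the specific classes with @Keep) over whole-class keeps, and drop "Keep Compose preview functions", which should exist only in debug builds. "Release APK/AAB size reduced by >30%" names no baseline, and the matching validation line "release build smaller than debug" is a different, trivially true check; measure the release build before and after enabling R8 instead. Finally, once isMinifyEnabled = true the release crash stack traces are obfuscated, so retaining and uploading the generated mapping.txt for every release belongs in the deliverables, or production crash reports become unreadable.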