Kordant/tasks/android-production/06-root-detection.md
2026-05-26 16:06:34 -04:00

06. Root Detection & Obfuscation (R8/ProGuard)

meta:

  • id: android-production-06
  • feature: android-production
  • priority: P1
  • depends_on: []
  • tags: [security, hardening, production]

objective:

  • Enable code obfuscation with R8/ProGuard and implement root detection to protect the app on compromised devices

deliverables:

  • R8/ProGuard enabled in release builds
  • Root detection implementation
  • Anti-tampering measures
  • Code obfuscation rules

steps:

  1. Enable R8/ProGuard:
    • Set isMinifyEnabled = true in app/build.gradle.kts (currently false)
    • Set isShrinkResources = true
    • Add proguard-rules.pro with keep rules:
      • Keep tRPC model classes (for serialization)
      • Keep Retrofit interfaces
      • Keep Compose navigation routes
      • Keep Dagger/Hilt modules
  2. Configure ProGuard rules:
    • Keep all data model classes (User, Alert, Exposure, etc.)
    • Keep Retrofit service interfaces
    • Keep Hilt/Dagger components
    • Keep Compose preview functions
    • Keep enum values used in serialization
  3. Implement root detection:
    • Use RootBeer or similar library
    • Check for common root indicators:
      • su binary presence
      • Busybox installation
      • Test keys build
      • Dangerous props
    • Add custom checks for Magisk
  4. Define root response:
    • Degrade functionality (no biometric, no payments)
    • Alert backend of root detection
    • Allow basic monitoring features
  5. Add anti-tampering:
    • Verify app signature at runtime
    • Check installer source (Google Play)
    • Detect debug mode in release builds
    • Detect emulator usage
  6. Test obfuscation:
    • Build release APK/AAB
    • Verify classes obfuscated
    • Test app functionality after obfuscation
    • Verify no crashes from missing classes
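As an added example (not the project's code and not RootBeer), a Kotlin sketch of steps 3 to 5 that gathers every indicator into one report so the step 4 response (degrade, report to backend) has something concrete to act on. DeviceIntegrityChecker, IntegrityReport and the expected signer hash are assumed names and values; the signature check assumes minSdk 28.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import java.io.File
import java.security.MessageDigest

// Hypothetical names: DeviceIntegrityChecker and IntegrityReport are not part of the project.
// A non-empty indicator list triggers step 4's degraded mode (no biometrics, no payments);
// the list itself is what gets reported to the backend.
data class IntegrityReport(val indicators: List<String>) {
    val degraded: Boolean get() = indicators.isNotEmpty()
}

class DeviceIntegrityChecker(
    private val context: Context,
    private val expectedSignerSha256: String, // hex SHA-256 of the release signing cert (assumed)
) {
    // Step 3: file-based root indicators (a subset of what RootBeer checks), plus a Magisk marker.
    private val rootFiles = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/bin/busybox", "/system/xbin/busybox", "/sbin/.magisk",
    )

    fun check(): IntegrityReport {
        val found = mutableListOf<String>()
        rootFiles.filter { File(it).exists() }.forEach { found += "file:$it" }
        if (Build.TAGS?.contains("test-keys") == true) found += "build:test-keys"
        // Step 5: anti-tampering. Each check is independent so one bypass does not hide the rest.
        if (!signatureMatches()) found += "signature:mismatch"
        if ((context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0) found += "build:debuggable"
        @Suppress("DEPRECATION") // getInstallSourceInfo() replaces this on API 30+
        val installer = context.packageManager.getInstallerPackageName(context.packageName)
        if (installer != "com.android.vending") found += "installer:${installer ?: "sideload"}"
        if (Build.FINGERPRINT.startsWith("generic") || Build.HARDWARE.contains("goldfish")) found += "device:emulator"
        return IntegrityReport(found)
    }

    // Compare the APK's signing certificate with the expected release signer (assumes minSdk >= 28).
    private fun signatureMatches(): Boolean {
        val info = context.packageManager.getPackageInfo(
            context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        return info.signingInfo.apkContentsSigners
            .any { sha256Hex(it.toByteArray()) == expectedSignerSha256 }
    }

    private fun sha256Hex(bytes: ByteArray): String =
        MessageDigest.getInstance("SHA-256").digest(bytes).joinToString("") { "%02x".format(it) }
}
```

Run the check once at startup and again before any payment or biometric flow, since an attacker can change device state after launch; the report's indicator names double as the structured payload for the backend alert.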

tests:

  • Build: Release build succeeds with R8 enabled
  • Security: Root detection works on rooted device
  • Functionality: App works correctly after obfuscation

acceptance_criteria:

  • R8/ProGuard enabled (isMinifyEnabled = true)
  • Resource shrinking enabled (isShrinkResources = true)
  • ProGuard rules preserving all necessary classes
  • Root detection active with multiple methods
  • App degrades gracefully on rooted devices
  • Backend alerted when root detected
  • Code obfuscated in release builds
  • Anti-tampering verifying app signature
  • No crashes from obfuscation
  • Release APK/AAB size reduced by >30%

validation:

  • Build release → succeeds, no ProGuard warnings
  • Decompile release APK → classes obfuscated
  • Run on rooted device → degraded mode activated
  • Run on non-rooted device → full functionality
  • Check size → release build smaller than debug

notes:

  • R8 is the modern replacement for ProGuard in Android
  • isMinifyEnabled = false currently — this is a critical security gap
  • Root detection can be bypassed — use as defense in depth
  • Keep rules are critical — missing keeps cause runtime crashes
  • Test thoroughly after enabling R8 — many issues only appear in release