Safe to run

Why Safe to Run?

Safe to run provides an API for security as code to make Android application security easy

Need help? Want to get involved?

Slack channel


Safe to run has been developed in order to help developers secure their Android applications. Safe to run has two primary capabilities:

Safe to run - verify

The old adage in security goes: verify everything, trust nothing. Safe to run - Verify provides a simple but powerful way for developers verify intents, files, URLs and other types of vulnerable items
Input verification is intended to ensure that URLs are safe to load into webviews, or to make API calls or that intents coming from external sources match some predefined conditions. Check the documentation under 'input verification' to get started
Example use to prevent loading unsafe URLs

Safe to run - resilience

Checking if the device meets certain requirements - for example, you can ban rooted devices, emulators, enforce minimum OS versions or prevent an app running if certain software (e.g. banking trojans) are present on the phone.


Safe to run - resilience consists of a number of 'checks' which are detailed in the documentation. The purpose of these checks is to ensure that the app is 'safe to run' i.e. it meets the pre-conditions you have set.
Following are a list of things that Safe to run can help protect against and the checks that can help with them
Hardening against de & recompilation
Harden against reverse engineers and pentesters
Harden against insecure devices
Signature check
Root detection
OS Check
Blacklisting apps
Debug check
Install origin
Emulator check
A note on "Safe to run - Resilience":
No solution to tamper detection is foolproof, if someone is able to decompile your application and push it onto an unsuspecting device, it is possible remove the functionality of safe to run.
This just makes it that much harder...
Last modified 6mo ago