🔓 Why Safe to Run?

Safe to run provides an API for security as code to make Android application security easy.

Need help? Want to get involved?

Slack channel

Join our Slack!

Overview

Safe to run has been developed in order to help developers secure their Android applications. Safe to run has two primary capabilities:

Safe to run - verify

The old adage in security goes: verify everything, trust nothing. Safe to run - Verify provides a simple but powerful way for developers to verify intents, files, URLs and other types of vulnerable items.

Input verification is intended to ensure that URLs are safe to load into WebViews or to use in API calls, and that intents coming from external sources match some predefined conditions. Check the documentation under 'input verification' to get started.

Example use to prevent loading unsafe URLs
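An added illustration of the kind of URL check described above, in plain Kotlin. It is not Safe to run's API or code from the project; `UrlPolicy`, `isSafeToLoad` and the host names are assumptions made for this example.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical policy type for this example; not part of Safe to run.
data class UrlPolicy(
    val allowedSchemes: Set<String> = setOf("https"),
    val allowedHosts: Set<String>,                      // exact host names
    val allowedParentDomains: Set<String> = emptySet()  // any subdomain of these
)

fun isSafeToLoad(raw: String, policy: UrlPolicy): Boolean {
    val uri = try {
        URI(raw.trim())
    } catch (e: URISyntaxException) {
        return false // unparseable input is rejected, not loaded on a best-effort basis
    }
    val scheme = uri.scheme?.lowercase() ?: return false
    if (scheme !in policy.allowedSchemes) return false // javascript:, file:, http: stop here
    // A userinfo part makes "https://trusted-host@other-host/" look trusted at a glance.
    if (uri.rawUserInfo != null) return false
    // host is null for opaque URIs and for authorities that are not valid host names.
    val host = uri.host?.lowercase()?.trimEnd('.') ?: return false
    if (host in policy.allowedHosts) return true
    // Match parent domains only on a label boundary, never as a bare string suffix.
    return policy.allowedParentDomains.any { host.endsWith(".$it") }
}

fun main() {
    val policy = UrlPolicy(
        allowedHosts = setOf("app.example.com"),
        allowedParentDomains = setOf("cdn.example.com")
    )
    // Constructed sample inputs; only the first two are accepted.
    val samples = listOf(
        "https://app.example.com/account",
        "https://img.cdn.example.com/logo.png",
        "http://app.example.com/account",
        "https://app.example.com@evil.test/",
        "https://app.example.com.evil.test/",
        "https://evilcdn.example.com/",
        "javascript:alert(1)",
        "file:///etc/hosts",
        "not a url"
    )
    for (s in samples) println("${isSafeToLoad(s, policy)}\t$s")
}
```

Load the string form of the parsed `URI` rather than the raw input, so the value that was checked is the value that is loaded.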

Safe to run - resilience

Resilience checks whether the device meets certain requirements. For example, you can ban rooted devices and emulators, enforce minimum OS versions, or prevent an app from running if certain software (e.g. banking trojans) is present on the phone.

Checks

Safe to run - resilience consists of a number of 'checks' which are detailed in the documentation. The purpose of these checks is to ensure that the app is 'safe to run', i.e. that it meets the preconditions you have set.

The following is a list of things that Safe to run can help protect against, and the checks that can help with them:

Protection categories: Hardening against de & recompilation; Harden against reverse engineers and pentesters; Harden against insecure devices

Signature check: [x] [x]
Root detection: [x] [x]
OS Check: [x]
Blacklisting apps: [x]
Debug check: [x]
Install origin: [x]
Emulator check: [x] [x]

A note on "Safe to run - Resilience":

No solution to tamper detection is foolproof. If someone is able to decompile your application and push it onto an unsuspecting device, it is possible to remove the functionality of Safe to run.

This just makes it that much harder...
