0

Suppose I develop an online game that interacts with a server for Android. What I want to ensure is that the APK file running on a given users' device is the APK that I have uploaded to the Google Play Store. (Meaning, I'm trying to avoid situations where someone extracts the APK from a device, hacks it, sideloads it back onto the device and then uses it to play the game).

Are there services provided by Google, the Play Store, Android, etc that can do that? For instance, the Play Store might have a SHA256 checksum of that APK file. Since my game is integrated with Google Play (for saving your game and progress), is there some service that I could invoke to compare the currently running game with what the Play Store has registered?

My thinking is that I can't add validation to my application itself since a sufficiently motivated modder could just bypass or forge. I was hoping something might exist at the platform-level.

Thanks in advance!

GregEschbacher
  • 116
  • 2
  • 8
  • 1
    Does this answer your question? [Way to protect from Lucky Patcher / play licensing](https://stackoverflow.com/questions/10585961/way-to-protect-from-lucky-patcher-play-licensing) – Morrison Chang Jan 07 '20 at 18:57
  • Yes, this overalaps (although not entirely) nicely with my question, and the content there discusses some of the items I was asking about. Although, in that case, the developer was trying to prevent piracy of the app itself. In my case, the game itself is free and I'm trying to ensure high-quality online interactions by preventing hacked versions of the APK from interacting with the server. – GregEschbacher Jan 08 '20 at 16:34
  • If you are asking about server side security see the answers to: [If “you can never trust the client”, then why do companies such as Valve rely solely on client-side verification?](https://security.stackexchange.com/q/115331/90202) – Morrison Chang Jan 08 '20 at 20:57

1 Answers1

2

This seems to be what the SafetyNet Attestation API is for.

greeble31
  • 4,894
  • 2
  • 16
  • 30
  • It's close but not quite. While I'm worried about users running at Root being able to modify the game at runtime, what I'm seeing is that there are sites that will get an APK, hack it extensively and then share it with other users. The SafetyNetAttestation APIs you shared don't directly solve this issue. The users of the hacked APK might have entirely clean Android devices, but simply sideloaded a hacked APK by allowing installation from untrusted sources. – GregEschbacher Jan 08 '20 at 16:36
  • 1
    Never used it, and I don't claim to be an expert. Nevertheless, the presence of `apkPackageName` and `apkCertificateDigestSha256` in the attestation reponse, combined with the statement, "...your servers are interacting with your genuine app...", strongly suggests to me that the attestation includes a full app signature verification. Which makes sense; if `SafetyNet` trusts the _device/OS_, surely it can trust the device/OS to make a reliable signature check. – greeble31 Jan 08 '20 at 16:49