• 9

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I have developed an android application from Android Studio (Java) which contains Admob (Google) Ads.

My concern is any user who download my app can easily disable all the ads by using mods like Lucky Patcher or editing my APK by opening it with ShowJava like apps.

How can I identify if our app is been tampered with or illegally used by altering contents like removing ads?

      • 2
    • A wise person once told me that cyber security is like being chased by a hungry, angry black bear. You cannot stop the bear, you can only put traps and barriers in its way to try and slow it down. Hackers will always be out there, and you cannot control what other people do with your app once they download it. Your best bet is to design it in such a way as to make the hacker's job harder. How you do this depends on the nature of your app.
      • 2
    • Generally, avoid putting API keys directly in your app code, always encrypt passwords, use a credible third-party encryption service, if you're accepting payments, ALWAYS use a credible third-party service provider and NEVER store CC numbers directly on your server.
    • It appears that what is being asked is not so much cyber security as it is being able to detect if some kind of a modification has disabled some function of the application. The specific function is the delivery of ads. A first thought would be to do a checksum of the application memory area to see if the application has been patched. The other thing would be to monitor ad delivery and if ads aren't being delivered/displayed then there is something preventing the desired behavior.

How can I identify if our app is been tampered with or illegally used by altering contents like removing ads?

Yes it exists and is called Mobile App Attestation, and only applies for a mobile app that communicates with an API server under your control.

Before we continue I would like to clarify the difference between WHO and WHAT is accessing an API server.


The WHO is the user of the mobile app that you can authenticate,authorize and identify in several ways, like using OpenID or OAUTH2 flows.

Now you need a way to identify WHAT is calling your API server and here things become more tricky than most developers may think. The WHAT is the thing making the request to the API server, is it really your genuine mobile app or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

Well to identify the WHAT developers tend to resort to an API key that usually they hard-code in the code of their mobile app and some go the extra mile and compute it at run-time in the mobile app, thus becomes a dynamic secret in opposition to the former approach that is a static secret embedded in the code.


The use of a Mobile App Attestation solution will enable the API server to know WHAT is sending the requests, thus allowing to respond only to requests from a genuine mobile app while rejecting all other requests from unsafe sources.

My concern is any user who download my app can easily disable all the ads by using mods like Lucky Patcher or editing my APK by opening it with ShowJava like apps.

The role of a Mobile App Attestation service is to guarantee at run-time that your mobile app was not tampered or is not running in a rooted device by running a SDK in the background that will communicate with a service running in the cloud to attest the integrity of the mobile app and device is running on. This is where you will get the protection against the LuckyPatcher and ShowJava apps, once they have tampered your original apk, the app will no longer pass the integrity checks off the cloud service, allowing your API server to reject the requests from the tampered mobile app.

On successful attestation of the mobile app integrity a short time lived JWT token is issued and signed with a secret that only the API server and the Mobile App Attestation service in the cloud are aware. In the case of failure on the mobile app attestation the JWT token is signed with a secret that the API server does not know.

Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature and expiration time in the JWT token and refuse them when it fails the verification.

Once the secret used by the Mobile App Attestation service is not known by the mobile app, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack.

So this solution works in a positive detection model without false positives, thus not blocking legit users while keeping the bad guys at bay.

The Mobile App Attestation service already exists as a SAAS solution at Approov(I work here) that provides SDKs for several platforms, including iOS, Android, React Native and others. The integration will also need a small check in the API server code to verify the JWT token issued by the cloud service. This check is necessary for the API server to be able to decide what requests to serve and what ones to deny.

  • 1
Reply Report