Security controls
Debug detection
The Android SDK can detect whether the app is running in debug mode or in a debuggable environment (for example on an emulator, or on a physical device whose operating system allows debugging of all applications, such as LineageOS). If debug detection is enabled and debugging is detected, the Android SDK will not allow any security-related flow to execute. A special event will be logged indicating that a connection attempt was made from a potentially unreliable device.
Root detection
The Android SDK is capable of detecting whether the device running the application is rooted. If detection is enabled and the device is rooted, the Android SDK will not allow any security-related flow to execute. A special event will also be logged indicating that a connection was made from a potentially unreliable device.
SecurityController
In some cases you may want to disable root or debug detection, or display additional debug logs. We advise you not to do this for production apps, because it can introduce security vulnerabilities into your product. However, you might want to enable it during development or while debugging an error. For such cases the Android SDK uses the Context.getPackageName() method to search for a class called {your.application.package}.SecurityController. The class can contain public static boolean fields that change the default security options of the Android SDK:
- debugDetection (default TRUE) - when set to FALSE the Android SDK disables the debug detection feature
- rootDetection (default TRUE) - when set to FALSE the Android SDK disables the root detection feature
- debugLogs (default FALSE) - when set to TRUE the Android SDK prints network logs to the Android Logcat
Note
Note that the SecurityController can also be created by the Android SDK Configurator. The configurator sets the desired root and debug detection flags when needed, but it does not add the "debugLogs" flag.
The SecurityController class can't be obfuscated; otherwise the Android SDK won't be able to find it. If you want to use the SecurityController in an obfuscated app, add a proper "keep" rule, for example:
-keep class com.onegini.mobile.android.demo.SecurityController { *; }
Example
A setup with root detection disabled and network logs left disabled (their default) would look as follows:
package com.onegini.mobile.android.demo;

public final class SecurityController {
    public static final boolean debugDetection = true; // default value, so this line can be removed
    public static final boolean rootDetection = false;
    public static final boolean debugLogs = false; // default value, so this line can be removed
}
Product flavors
If you use product flavors and dynamically change the applicationId using applicationIdSuffix, the Android SDK may be unable to find the SecurityController class, because the package name it searches no longer matches the package in which the class is declared. In this case you must manually specify the location of the SecurityController class. You can do that by using the OneginiClientBuilder#setSecurityController() method. Below you can find a code example.
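As an added illustration (example code, not the SDK's own), the following Java program mimics the lookup described in the SecurityController section and shows why an applicationIdSuffix breaks it: the class is resolved from the package name by reflection, so a mismatched package or an obfuscated class name leaves the defaults in force. The class name SecurityControllerLookup and the fallback-to-defaults behaviour are assumptions.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public final class SecurityControllerLookup {
    // Holder for the three flags, pre-filled with the SDK defaults given in the text.
    public static final class SecurityOptions {
        public boolean debugDetection = true;
        public boolean rootDetection = true;
        public boolean debugLogs = false;
    }
    // packageName is what Context.getPackageName() returns, e.g. "com.onegini.mobile.android.demo".
    public static SecurityOptions resolve(String packageName) {
        SecurityOptions options = new SecurityOptions();
        Class<?> controller;
        try {
            controller = Class.forName(packageName + ".SecurityController");
        } catch (ClassNotFoundException e) {
            // Renamed by obfuscation, or an applicationIdSuffix moved the package name:
            // the controller is not found and the defaults stay in force.
            return options;
        }
        options.debugDetection = readFlag(controller, "debugDetection", options.debugDetection);
        options.rootDetection = readFlag(controller, "rootDetection", options.rootDetection);
        options.debugLogs = readFlag(controller, "debugLogs", options.debugLogs);
        return options;
    }
    // Only a public static boolean field with the exact name overrides the default.
    private static boolean readFlag(Class<?> controller, String name, boolean fallback) {
        try {
            Field field = controller.getField(name); // public fields only
            if (field.getType() != boolean.class || !Modifier.isStatic(field.getModifiers())) {
                return fallback;
            }
            return field.getBoolean(null);
        } catch (NoSuchFieldException | IllegalAccessException e) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        // With the Example section's class compiled on the classpath, rootDetection resolves to false.
        SecurityOptions demo = resolve("com.onegini.mobile.android.demo");
        System.out.println("demo: rootDetection=" + demo.rootDetection);
        // A flavor with applicationIdSuffix ".debug" searches the wrong package and silently gets
        // the defaults (rootDetection=true); this is the case setSecurityController() addresses.
        SecurityOptions flavor = resolve("com.onegini.mobile.android.demo.debug");
        System.out.println("flavor: rootDetection=" + flavor.rootDetection);
    }
}
```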