- 17 Jan 2025
- 4 Minutes à lire
- SombreLumière
- PDF
Shielding rules syntax: repackaging checks
- Mis à jour le 17 Jan 2025
- 4 Minutes à lire
- SombreLumière
- PDF
Repackaging checks
App Shielding checks at the start of the application if the application is repackaged. The repackaging check consists of three parts:
Check that all expected files are present, that is, no file was removed.
Check that no unexpected file was added to the apk.
Verify the file integrity of a few selected files, that is, verify that the content of the file was not modified.
If the repackaging check fails, App Shielding reports the app as repackaged.
By default, all files that are present in the application when integrating App Shielding are expected, although there are a few well known exceptions. For example, Google Play inserts some files on converting an app bundle to an apk before the apk is installed.
By default, App Shielding verifies the file integrity of:
AndroidManifest.xml
classesX.dex
the App Shielding library.
For more information, see Repackaging detection.
skipVerifyPath
The Shielding Tool rule skipVerifyPath can be used to:
Add expected files that are not present in the application when integrating App Shielding
Override the verify rule, that is, tell App Shielding to not verify the integrity of some files.
This rule is necessary for the files that an app store is allowed to inject or change.
Using the skipVerifyPath option can be directed to only one file, or you can also skip several files via one rule using a * wildcard.
# Skip a file skipVerifyPath "res/xml/locales_config.xml"; # Skip all of the resources skipVerifyPath "res/*"; # Skip all of the classes.dex files skipVerifyPath "classes*.dex"; # Skip all of the assets files skipVerifyPath "assets/*";
verify
The verify rule allows adding files to the integrity check.
# Verify a single file verify "assets/my-asset.bin"; # Verify all files in the assets folder verify "^assets/.*"; # Verify all HTML/JS in the assets folder verify "^assets/(.+)\.(html|js)$";
If that file is modified between integrating App Shielding the application and running the application, App Shielding will report this as a repackaging event.
The skipVerifyPath rule overrides a verify rule. If you use a wildcard like skipVerifyPath "assets/*";, then the verify rule verify "assets/my-asset.bin"; will be ignored. That is, App Shielding will not check the file integrity of "assets/myasset. bin".
verify .so files
The verify option on .so files has some additional configuration possibilities. Those are included in braces, {}, behind the regular expression selecting the file names to verify, similar to obfuscation definitions. Each of the underlying options has to be separated with semicolon (“;”).
The following sub-options are supported for the verification of .so files:
List of sub-options for the verification option | |
Sub-option | Description |
---|---|
importedSymbol | To verify imported symbols (GOT function addresses) in the shared library. This option verifies that imported symbols are pointing within valid address ranges belonging to the application and Android core libraries. A hooking framework may hook those symbols, but in that case addresses will point outside of expected address range and shield shall detect this change when those libraries are used. |
skipImportedSymbol | To skip some symbol from the above verification. |
importedSymbolValue | To verify imported symbols (GOT function addresses) on a stricter way, by looking up symbols in the library dependencies and verifying that the provided symbol value is the same as the address exported by the source library for the same symbol name. App Shielding ensures that external function calls are directed to the right routines. Since this option triggers symbol lookup in App Shielding almost in the same manner as the dynamic linker would look up, if the GOT value is hooked, the address would not match. This method is slightly slower than the importedSymbol option and may result in false alarms on some older devices, but only for few specific symbols. The importedSymbolValue option overrides the importedSymbol option for the listed symbol. If both options are present, this one is going to be executed. We recommend using the importedSymbolValue option to verify the application’s own native exported symbols and possibly some critical system functions when the protected application can be verified on a broad range of devices. Exports from libc are often overridden by library exports provided by device manufacturers, which may cause problems during verification. |
textSection | To do a consistency check of the text section and look for differences between build time and run time (no further options needed as this applied to the whole text section). Text section verification is enabled by default. |
skipTextSection | To disable consistency check of the text section (no further options needed). |
Wild cards: asterisk (*) matches all available import symbols in the library and may be used for importedSymbol and importedSymbolValue options.
Use of verify should be done with care, as integrity checking of large amounts of assets could come with a performance penalty.
# Verify all native libraries inside the APK verify "lib/.*\.so"; # Verify all versions of libToCheck.so library inside the APK verify "lib/.*/libToCheck\.so" { importedSymbol *; importedSymbolValue important_sym@LIBMYLIB; textSection; }; # Verify all files inside the APK verify ".*";
By default, not all application files are specifically checked at startup for possible application launch time performance considerations. Integrity checks of large files may cause noticeably longer launch times.