Reputation: 6037
prevent android app from cloning into Samsung Secure folder or others app of such nature?
I'm trying to figure out how secure folder works. It's creating clone application in secure folder. how I'll be able to prevent android phone from creating a clone.? screenshot is attached where you can see package name is same but the process id is different. It's a high risk for fin-tech or promotional campaign based apps. how to check if app is running inside a virtual machine or not.?
For instance
- package : com.example.app (6151)
- package : com.example.app (user 150) (6337)
Upvotes: 0
Views: 2215
Answers (1)
Reputation: 2960
As I have failed to express myself clearly enough in comments, I have decided to write a frame challenging answer to try and show you why I believe you are focusing on the wrong problem.
Summary: Your (perceived) "Samsung problem" (one phone; two accounts) is really just a special case of a wider "two phone problem" (two phones; two accounts). The relative ease with which an attacker could (ab)use two phones means that that is where you should first focus your defensive efforts. A by-product of successfully defending the "two phone problem" is that it will (as far as I can see) also defend against the specific "Samsung problem" that you are currently worried about.
Your Perceived Problem
In comments, you say:
[It's a] fintech (wallet app) basically we are trying to prevent user from installing two apps and using two different account on same device
and:
[It's a] fin-tech app and to avoid fraud and risk we want to prevent user from installing more than one app on same device
Although you don't give details, I'm happy to take at face value that one user having multiple accounts poses a risk of fraud. Many applications have rules against multiple accounts: for instance, with many online games multiple accounts could be used to "game the system" to get an unfair advantage.
What I would question is the relevance of "on same device".
(Almost Certainly) Your Real Problem
Ignoring Samsung's Secure Area for the moment, it's very easy to write your app so that a user can only use one account per phone. However, if someone doesn't already have a second phone lying around, they can get a second one for relatively little cost, install your application on that and configure it to use a second account.
From your perspective, it's equally as dangerous: two instances of your application, using two accounts, controlled by one person. From the attacker's perspective, it is very slightly less convenient (over using Samsung's Secure Area) because they have to carry two phones with them.
Your Priority
Therefore, your main priority should be to guard against the "two phones; two accounts" scenario.
For some applications, it is sufficient to write "you must not use multiple accounts" into the terms-of-service. If someone is found to be abusing the system, you can use the presence of that rule to ban them. For others, insisting on the user providing an email address, phone number or postal address – and guarding against duplicates – may be sufficient (although none of these checks are hard to bypass).
For banking and financial applications (such as yours), more stringent efforts must be made. Typically, something like National Insurance (NI) numbers (in the UK) or Social Security Numbers (SSN) in the US are used (and, presumably, similar "ID numbers" for the rest of the world). Legal requirements to "know your customer" generally make asking for such details acceptable.
Whatever method you use, because "having two phones" is no barrier to an attacker, you need your systems to be able to effectively defend against one user setting up two accounts from two separate devices.
The Bonus
If you have sufficiently strong defenses against one user using two phones to create two accounts, then at no extra cost you will – as far as I can see – have defended against the more specific "one phone; two accounts" scenario that you are asking about. Yes Samsung's Secure Area will allow a user to install your application a second time on a single phone, but when they come to create or register an account, your existing measures will prevent this in the same way as if they were using two separate phones.
While I cannot think of a way at the moment, I'll concede that it's just about conceivable that there is some very specific threat that only occurs when two instances of your application are installed on the same phone using Samsung's Secure Area. However, if that were to be the case, I think you would need to explain in more detail what that threat is, and why the (by then) existing protections against using two phones are not sufficient to deal with it.
Upvotes: 3
Related Questions
- Preventing an android app being cloned by an app cloner
- What measures i can take to stop users being able to clone my app?
- How to prevent the easy extraction of APK app installed on the phone
- Copy-protection traps
- How can I copy my application by having copy protection?
- Android How to restrict user from copying data from Application Folder..?
- Protect my java application from being copied (only for one pc)
- Remove copy protection in Android
- Copy protection in free apps for Android
- How to provide copy-protection for Android free apps