Reference
The complete integrity configuration is as follows:
    private val integrity = KevlarIntegrity {
        checks {
            packageName {
                // Allowed package name
                hardcodedPackageName("com.kevlar.showcase")
            }
            signature {
                // Allowed signature
                hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
            }
            debug()
            installer()
        }
    }
Once you require the attestation through attestate(context), any mismatch found by the checks you requested will be included in the attestation.
Package name check
The packageName() function tells kevlar to enable the integrity checks for the application package name.
This is a parametric setting, since kevlar needs to know what the "right" application package name is. Once kevlar has all the required data, it is able to differentiate between genuine and tampered binaries.
    private val integrity = KevlarIntegrity {
        checks {
            packageName {
                // Allowed package name
                hardcodedPackageName("com.kevlar.showcase")
            }
            signature {
                // Allowed signature
                hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
            }
            debug()
            installer()
        }
    }
You can find instructions on how to derive the right parameters for your app on the implementation page. In this case you simply have to pass in the package name of your app, so kevlar knows what the right package is.
Signature check
The signature() function tells kevlar to enable the integrity checks for the application signature.
This is a parametric setting, since kevlar needs to know what the "right" application signature is.
Once kevlar has all the required data, it is able to differentiate between genuine and tampered binaries (by checking the hardcoded data against the runtime-provided information).
    private val integrity = KevlarIntegrity {
        checks {
            packageName {
                // Allowed package name
                hardcodedPackageName("com.kevlar.showcase")
            }
            signature {
                // Allowed signature
                hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
            }
            debug()
            installer()
        }
    }
You can find instructions on how to derive the right parameters for your app on the implementation page.
Debug check
The debug() function tells kevlar to enable integrity debug checks.
    private val integrity = KevlarIntegrity {
        checks {
            packageName {
                // Allowed package name
                hardcodedPackageName("com.kevlar.showcase")
            }
            signature {
                // Allowed signature
                hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
            }
            debug()
            installer()
        }
    }
If any debug flag is found on your application, it will be reported.
Installer check
The installer() function tells kevlar to enable installer checks.
Starting with Android R, Google introduced new APIs to check the original installer of a package.
With this check, you can instruct kevlar to analyze (if available) which software installed your application, and detect whether it is allowed by your security policy.
In this case, the only allowed installer package is the Google Play Store, but you can always add more (whitelist them) through the allowInstaller function.
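What an installer check of this kind looks like at the platform level, as an added example (this is not kevlar's own code): it reads the installing package through the Android R API where available, falls back to the older lookup elsewhere, and compares the result to an allowlist. The names ALLOWED_INSTALLERS, InstallerVerdict, installerPackageOf and checkInstaller are hypothetical; com.android.vending is the package name of the Google Play Store.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build

// Hypothetical policy: installer packages this app accepts (Google Play Store only).
private val ALLOWED_INSTALLERS = setOf("com.android.vending")

sealed class InstallerVerdict {
    data class Allowed(val installer: String) : InstallerVerdict()
    data class NotAllowed(val installer: String) : InstallerVerdict()
    // The platform has no installer recorded for this package.
    object Unknown : InstallerVerdict()
}

// Returns the package that installed this app, or null if none is recorded.
fun installerPackageOf(context: Context): String? {
    val pm = context.packageManager
    return try {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // Android R (API 30) and later: InstallSourceInfo API.
            pm.getInstallSourceInfo(context.packageName).installingPackageName
        } else {
            // Older releases: legacy lookup, deprecated since API 30.
            @Suppress("DEPRECATION")
            pm.getInstallerPackageName(context.packageName)
        }
    } catch (e: PackageManager.NameNotFoundException) {
        null // thrown by getInstallSourceInfo for an unknown package
    } catch (e: IllegalArgumentException) {
        null // thrown by getInstallerPackageName for an unknown package
    }
}

// Treats a missing installer as its own verdict so the policy decides how to
// handle it, instead of silently passing or failing.
fun checkInstaller(
    context: Context,
    allowed: Set<String> = ALLOWED_INSTALLERS
): InstallerVerdict {
    val installer = installerPackageOf(context) ?: return InstallerVerdict.Unknown
    return if (installer in allowed) {
        InstallerVerdict.Allowed(installer)
    } else {
        InstallerVerdict.NotAllowed(installer)
    }
}
```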