
Reference

The complete integrity configuration is as follows:

Complete settings
private val integrity = KevlarIntegrity {
    checks {
        packageName {
            // Allowed package name
            hardcodedPackageName("com.kevlar.showcase")
        }
        signature {
            // Allowed signature
            hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
        }

        debug()
        installer()
    }
}

Once you request the attestation through attestate(context), any mismatch found by a check you enabled is reported in the attestation (checks you did not enable are never evaluated, so they cannot fail).

withContext(externalDispatcher) {
    val attestation = integrity.attestate(context)
}
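Consuming the result, as an added example that is not part of the original page: it assumes the attestation comes back as a sealed IntegrityAttestation with Blank, Clear and Failed variants and that Failed exposes the detected elements (the names used by the library's result type; adjust if your version differs), and it assumes the import paths shown. It runs attestate on Dispatchers.Default because the checks query the package manager.

```kotlin
import android.content.Context
import android.util.Log
import com.kevlar.integrity.IntegrityAttestation   // assumed package of the result type
import com.kevlar.integrity.KevlarIntegrity         // assumed package of the builder
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.withContext

private val integrity = KevlarIntegrity {
    checks {
        packageName { hardcodedPackageName("com.kevlar.showcase") }
        signature { hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=") }
        debug()
        installer()
    }
}

// Returns true only when every requested check passed; anything else fails closed.
suspend fun verifyIntegrity(context: Context): Boolean =
    withContext(Dispatchers.Default) {
        when (val attestation = integrity.attestate(context)) {
            is IntegrityAttestation.Clear -> true
            is IntegrityAttestation.Failed -> {
                // Each detected element names a check that mismatched (package name, signature, ...).
                // Keep this in logs only: telling the user which check failed helps an attacker.
                Log.w("Integrity", "tampering detected: ${attestation.detectedElements}")
                false
            }
            // Blank means the attestation was not evaluated: treat as untrusted, not as clean.
            is IntegrityAttestation.Blank -> false
        }
    }
```

Treating Blank as a failure is deliberate: a check that never ran must not be mistaken for a check that passed.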

Package name check

The packageName() function tells kevlar to enable the integrity checks for the application package name.

This is a parametric setting, since kevlar needs to know what the "right" application package name is. Once kevlar has all the required data it is able to differentiate between genuine and tampered binaries: a repackaged APK that wants to coexist with (or masquerade as) the original usually has to change its package name, and that change is what this check detects.

private val integrity = KevlarIntegrity {
    checks {
        packageName {
            // Allowed package name
            hardcodedPackageName("com.kevlar.showcase")
        }
        signature {
            // Allowed signature
            hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
        }

        debug()
        installer()
    }
}

You can find instructions on how to derive the right parameters for your app in the implementation page. In this case you simply pass in the package name of your app, so kevlar knows which package is the right one.

Signature check

The signature() function tells kevlar to enable the integrity checks for the application signature.

This is a parametric setting, since kevlar needs to know what the "right" application signature is.

Once kevlar has all the required data, it is able to differentiate between genuine and tampered binaries by checking the hardcoded signature against the signing information the runtime reports for the installed package. A repackaged APK cannot be signed with your private key, so its signature will differ no matter how faithfully the rest of the binary is reproduced.

private val integrity = KevlarIntegrity {
    checks {
        packageName {
            // Allowed package name
            hardcodedPackageName("com.kevlar.showcase")
        }
        signature {
            // Allowed signature
            hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
        }

        debug()
        installer()
    }
}

You can find instructions on how to derive the right parameters for your app in the implementation page.
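The package name and signature sections above both need values derived from the installed app. The following is an added example, not part of the page or the library, showing how to read them on a device running your release build: it assumes the signature value is Base64(SHA-1(certificate DER)) with no line wrapping, which is what the 28-character value on this page suggests; confirm the exact encoding against the implementation page before hardcoding anything.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import android.util.Base64
import android.util.Log
import java.security.MessageDigest

// Current signing certificates of the running package, across API levels.
@Suppress("DEPRECATION")
private fun currentSigners(context: Context): Array<Signature> {
    val pm = context.packageManager
    val pkg = context.packageName
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
        // apkContentsSigners covers both single- and multi-signer APKs.
        info.signingInfo?.apkContentsSigners ?: emptyArray()
    } else {
        pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures ?: emptyArray()
    }
}

// Assumption: Base64(SHA-1(certificate DER)), one entry per signer.
fun signatureDigests(context: Context): List<String> =
    currentSigners(context).map { sig ->
        val digest = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray())
        Base64.encodeToString(digest, Base64.NO_WRAP)
    }

// Logs the values to paste into hardcodedPackageName(...) and hardcodedSignatures(...).
fun logIntegrityParameters(context: Context) {
    Log.d("KevlarSetup", "package=${context.packageName}")
    signatureDigests(context).forEach { Log.d("KevlarSetup", "signature=$it") }
}
```

Run this on the build that users will actually receive: a debug build is signed with the debug keystore, and with Play App Signing the store re-signs the upload with the app signing key, so the digest you pin must come from an installed store build, not from your upload key.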

Debug check

The debug() function tells kevlar to enable integrity debug checks.

private val integrity = KevlarIntegrity {
    checks {
        packageName {
            // Allowed package name
            hardcodedPackageName("com.kevlar.showcase")
        }
        signature {
            // Allowed signature
            hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
        }

        debug()
        installer()
    }
}

If any debug flag is found on your application (for example the package is installed as debuggable), it will be reported in the attestation. A debuggable package lets anyone with adb access attach a debugger or enter the app's sandbox with run-as, so a production build should never carry it.
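An illustration of the kind of debug signals such a check looks at, added here and not kevlar's implementation: the manifest debuggable flag and a currently attached or awaited debugger. Names are the example's own.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Debug

// Debug signals a tamper check typically inspects; each entry names one reason.
fun debugSignals(context: Context): Set<String> {
    val signals = mutableSetOf<String>()
    // android:debuggable="true": enables JDWP attach and run-as into the app's data directory.
    if ((context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
        signals += "debuggable"
    }
    // A debugger is attached right now, or the process was started waiting for one.
    if (Debug.isDebuggerConnected()) signals += "debugger-connected"
    if (Debug.waitingForDebugger()) signals += "waiting-for-debugger"
    return signals
}
```

On a rooted device an attacker can flip the debuggable flag of an installed package or patch these queries, so treat a clean result as one signal among several rather than proof.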

Installer check

The installer() function tells kevlar to enable installer checks.

Since Android R (API level 30), Google provides an API (PackageManager.getInstallSourceInfo) to query which package installed a given package; older releases only expose the deprecated getInstallerPackageName.

With this check, you can instruct kevlar to analyze (if available) which software installed your application, and detect whether that installer is allowed by your security policy.

By default the only allowed installer package is the Google Play Store (com.android.vending), but you can always add more (an allow-list) through the allowInstaller function, as the Samsung Galaxy Store is added below.

private val integrity = KevlarIntegrity {
    checks {
        packageName {
            // Allowed package name
            hardcodedPackageName("com.kevlar.showcase")
        }
        signature {
            // Allowed signature
            hardcodedSignatures("J+nqXLfuIO8B2AmhkMYHGE4jDyw=")
        }

        debug()
        installer {
            allowInstaller("com.sec.android.app.samsungapps")
        }
    }
}
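How the installer is read and compared against such an allow-list, as an added example that is not kevlar's code: it uses the API 30+ install source API with the deprecated fallback on older releases, and keeps the two installers from this page's configuration as the policy. The allow-list and function names are the example's own.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build

// Installers accepted by policy: the page's default plus the one it adds.
private val ALLOWED_INSTALLERS = setOf(
    "com.android.vending",              // Google Play Store
    "com.sec.android.app.samsungapps",  // Samsung Galaxy Store
)

// Installer the system recorded for this app; null when none was recorded (adb install, sideload).
@Suppress("DEPRECATION")
fun installerOf(context: Context): String? {
    val pm = context.packageManager
    val pkg = context.packageName
    return try {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            val source = pm.getInstallSourceInfo(pkg)
            // initiatingPackageName identifies the app that actually performed the install and
            // is unaffected by a later setInstallerPackageName(); fall back to the installing package.
            source.initiatingPackageName ?: source.installingPackageName
        } else {
            pm.getInstallerPackageName(pkg)
        }
    } catch (e: PackageManager.NameNotFoundException) {
        null
    }
}

// Fail closed: an unknown or missing installer is not allowed.
fun installerAllowed(context: Context): Boolean =
    installerOf(context)?.let { it in ALLOWED_INSTALLERS } ?: false
```

The installer name is a record kept by the system, not a cryptographic proof: a rooted device can rewrite it, and legitimate users who sideload your APK will fail this check, so decide deliberately whether that outcome fits your policy before enabling it.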