Audilitics
Google Android Mobile Applications Audit
AID65
MSTG-ID: MSTG-RESILIENCE-3
Audit

The app detects, and responds to, tampering with executable files and critical data within its own sandbox.

Guidance

Testing File Integrity Checks

Overview
There are two topics related to file integrity:

Code integrity checks: In the -- Tampering and Reverse Engineering -- chapter, we discussed Android's APK code signature check. We also saw that determined reverse engineers can easily bypass this check by re-packaging and re-signing an app. To make this bypassing process more involved, a protection scheme can be augmented with CRC checks on the app byte-code, native libraries, and important data files. These checks can be implemented on both the Java and the native layer. The idea is to have additional controls in place so that the app only runs correctly in its unmodified state, even if the code signature is valid.
File storage integrity checks: The integrity of files that the application stores on the SD card or in public storage, and the integrity of key-value pairs stored in SharedPreferences, should be protected.

Sample Implementation - Application Source Code

Integrity checks often calculate a checksum or hash over selected files. Commonly protected files include

AndroidManifest.xml,
class files *.dex,
native libraries (*.so).
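A runtime check over the files listed above, as an added Java example (not code from the OWASP MSTG or from any audited app). It hashes entries of the installed APK with SHA-256 rather than the CRC mentioned in the overview, since a CRC can be forged for any desired value; the expected digests are assumed to arrive as a map of entry name to hex digest, and the entry names in the usage note (classes.dex, AndroidManifest.xml, a lib/<abi>/*.so path) are illustrative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * Hashes selected entries of the installed APK (path: context.getApplicationInfo().sourceDir)
 * and compares them with expected digests that must be supplied from outside classes.dex.
 */
public final class ApkEntryIntegrity {

    /** SHA-256 over one APK entry, streamed so a large .so is never loaded whole. */
    public static byte[] digestEntry(ZipFile apk, String entryName)
            throws IOException, NoSuchAlgorithmException {
        ZipEntry entry = apk.getEntry(entryName);
        if (entry == null) {
            return null;   // removed or renamed entry: the caller treats this as tampering
        }
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = apk.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            for (int n = in.read(buf); n != -1; n = in.read(buf)) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    /**
     * expected maps entry name -> hex SHA-256 (assumed to come from native code or a server).
     * Returns the entries that are missing or whose digest differs; empty means intact.
     */
    public static List<String> findTampered(String apkPath, Map<String, String> expected)
            throws IOException, NoSuchAlgorithmException {
        List<String> tampered = new ArrayList<>();
        try (ZipFile apk = new ZipFile(apkPath)) {
            for (Map.Entry<String, String> e : expected.entrySet()) {
                byte[] actual = digestEntry(apk, e.getKey());
                byte[] wanted = hexToBytes(e.getValue());
                // isEqual is constant-time; not strictly needed for a public digest, but harmless
                if (actual == null || !MessageDigest.isEqual(actual, wanted)) {
                    tampered.add(e.getKey());
                }
            }
        }
        return tampered;
    }

    /** Decodes a hex digest in the form printed by sha256sum. */
    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) ((Character.digit(hex.charAt(2 * i), 16) << 4)
                    | Character.digit(hex.charAt(2 * i + 1), 16));
        }
        return out;
    }
}
```

Typical use is `findTampered(getApplicationInfo().sourceDir, expected)` early in `Application.onCreate`, with `expected` holding entries such as `"classes.dex"`, `"AndroidManifest.xml"` and `"lib/arm64-v8a/libnative.so"`, and a non-empty result leading to an alert or termination. Hard-coding the expected digests in classes.dex is circular, because whoever repackages the app simply updates the constants along with the patch; keep the dex digest in the native library and the native library's digest in Java (or fetch them from a server) so that each layer covers the other. The check reads the APK from disk, which is exactly what the Frida and kernel-module bypasses further down target: a hooked ZipFile or open() can hand the check the original, unmodified APK.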

Sample Implementation - Storage

When providing integrity on the storage itself, you can either create an HMAC over a given key-value pair (as for the Android SharedPreferences) or create an HMAC over a complete file that's provided by the file system.

When using an HMAC, you can use a BouncyCastle implementation or the AndroidKeyStore to compute the HMAC over the given content.

Complete the following procedure when generating an HMAC with BouncyCastle:

1. Make sure BouncyCastle or SpongyCastle is registered as a security provider.
2. Initialize the HMAC with a key (which can be stored in a keystore).
3. Get the byte array of the content that needs an HMAC.
4. Call doFinal on the HMAC with that byte array.
5. Append the HMAC to the byte array obtained in step 3.
6. Store the result of step 5.

Complete the following procedure when verifying the HMAC with BouncyCastle:

1. Make sure that BouncyCastle or SpongyCastle is registered as a security provider.
2. Extract the message and the HMAC bytes as separate arrays.
3. Repeat steps 1-4 of the generation procedure on the extracted message.
4. Compare the extracted HMAC bytes to the result of step 3, using a constant-time comparison (for example MessageDigest.isEqual) rather than Arrays.equals, so the comparison does not leak how many leading bytes matched.

If the HMAC key is generated and held in the Android KeyStore, do this only on Android 6.0 (API level 23) and higher, where HMAC keys (KeyProperties.KEY_ALGORITHM_HMAC_SHA256) are supported by the AndroidKeyStore provider; on older devices fall back to the BouncyCastle path.
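The two procedures above and the KeyStore variant, as one Java class. This is an added example, not code from the OWASP MSTG or from any audited app; the key alias, the preference names and the raw key bytes are assumptions, and the stored layout (value bytes followed by a 32-byte HMAC-SHA256 tag) is the append-then-store layout the steps describe.

```java
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Stored layout: message || 32-byte HMAC-SHA256 tag (the append-then-store steps above). */
public final class StorageHmac {
    private static final String HMAC = "HmacSHA256";
    private static final int TAG_LEN = 32;
    private static final char SEP = '\0';   // joins the preference name and value inside the MAC input

    /** Raw-key variant: step 1 (register BouncyCastle) and step 2 (wrap the key bytes). */
    public static SecretKey bouncyCastleKey(byte[] rawKey) {
        // Android already ships a provider named "BC" (a trimmed BouncyCastle); a second provider
        // with the same name is ignored, which is why SpongyCastle renamed itself "SC".
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) Security.addProvider(new BouncyCastleProvider());
        return new SecretKeySpec(rawKey, HMAC);
    }

    /** Keystore variant (API 23+): the key is generated inside AndroidKeyStore and is never exported. */
    public static SecretKey androidKeyStoreKey(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Key existing = ks.getKey(alias, null);
        if (existing instanceof SecretKey) return (SecretKey) existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY).build());
        return kg.generateKey();
    }

    /** Generation steps 3-6: tag the message and append the tag. */
    public static byte[] seal(SecretKey key, byte[] message) throws GeneralSecurityException {
        byte[] tag = hmac(key, message);
        byte[] out = Arrays.copyOf(message, message.length + TAG_LEN);
        System.arraycopy(tag, 0, out, message.length, TAG_LEN);
        return out;
    }

    /** Verification: split, recompute, compare in constant time. Returns the message or throws. */
    public static byte[] open(SecretKey key, byte[] sealed) throws GeneralSecurityException {
        if (sealed == null || sealed.length < TAG_LEN) throw new GeneralSecurityException("stored value too short to carry a tag");
        int split = sealed.length - TAG_LEN;
        byte[] message = Arrays.copyOfRange(sealed, 0, split);
        byte[] storedTag = Arrays.copyOfRange(sealed, split, sealed.length);
        // MessageDigest.isEqual is constant-time; Arrays.equals stops at the first mismatching byte.
        if (!MessageDigest.isEqual(storedTag, hmac(key, message))) {
            throw new GeneralSecurityException("integrity check failed: value was modified");
        }
        return message;
    }

    /** Protects one SharedPreferences entry; the name is MACed too, so entries cannot be swapped. */
    public static void putProtected(SharedPreferences prefs, SecretKey key, String name, String value)
            throws GeneralSecurityException {
        byte[] sealed = seal(key, (name + SEP + value).getBytes(StandardCharsets.UTF_8));
        prefs.edit().putString(name, Base64.encodeToString(sealed, Base64.NO_WRAP)).apply();
    }

    /** Returns the verified value; throws if the entry is missing, modified or copied from another name. */
    public static String getProtected(SharedPreferences prefs, SecretKey key, String name)
            throws GeneralSecurityException {
        String stored = prefs.getString(name, null);
        if (stored == null) throw new GeneralSecurityException("missing entry: " + name);
        String plain = new String(open(key, Base64.decode(stored, Base64.NO_WRAP)), StandardCharsets.UTF_8);
        int sep = plain.indexOf(SEP);
        if (sep < 0 || !plain.substring(0, sep).equals(name)) {
            throw new GeneralSecurityException("entry " + name + " carries a tag made for another name");
        }
        return plain.substring(sep + 1);
    }

    private static byte[] hmac(SecretKey key, byte[] message) throws GeneralSecurityException {
        // Raw SecretKeySpec: ask BouncyCastle explicitly. Keystore-backed key: the JCA defers provider
        // selection to init() and routes the call to the AndroidKeyStore provider.
        Mac mac = key instanceof SecretKeySpec
                ? Mac.getInstance(HMAC, BouncyCastleProvider.PROVIDER_NAME)
                : Mac.getInstance(HMAC);
        mac.init(key);
        return mac.doFinal(message);
    }
}
```

`open` throws instead of returning a boolean so a caller cannot forget the check. The two defects most often found in hand-rolled versions are the Arrays.equals comparison and a tag that covers only the value, which lets an attacker move a validly tagged value from one preference name to another; both are handled here. The key is the weak point the assessment questions below ask about: a SecretKeySpec built from bytes inside the APK can be recovered by a reverse engineer and used to re-tag altered data, whereas an AndroidKeyStore key cannot be exported, so the attacker must instead get the running app to tag the altered value for them (for example by hooking `seal`).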

Bypassing File Integrity Checks
Bypassing the application-source integrity checks

Patch the integrity-check functionality. Disable the unwanted behavior by simply overwriting the associated byte-code or native code with NOP instructions.
Use Frida or Xposed to hook file system APIs on the Java and native layers. Return a handle to the original file instead of the modified file.
Use a kernel module to intercept file-related system calls. When the process attempts to open the modified file, return a file descriptor for the unmodified version of the file.

Refer to the -- Tampering and Reverse Engineering -- section for examples of patching, code injection, and kernel modules.
Bypassing the storage integrity checks

Retrieve the data from the device, as described in the section on device binding.
Alter the retrieved data and then put it back into storage.

Effectiveness Assessment
For application-source integrity checks

Run the app in an unmodified state and make sure that everything works. Apply simple patches to classes.dex and any .so libraries in the app package. Re-package and re-sign the app as described in the -- Basic Security Testing -- chapter, then run the app. The app should detect the modification and respond in some way. At the very least, the app should alert the user and/or terminate. Work on bypassing the defenses and answer the following questions:

Can the mechanisms be bypassed trivially (e.g., by hooking a single API function)?
How difficult is identifying the integrity-check code via static and dynamic analysis?
Did you need to write custom code to disable the defenses? How much time did you need?
What is your assessment of the difficulty of bypassing the mechanisms?

For storage integrity checks

An approach similar to that for application-source integrity checks applies. Answer the following questions:

Can the mechanisms be bypassed trivially (e.g., by changing the contents of a file or a key-value)?
How difficult is getting the HMAC key or the asymmetric private key?
Did you need to write custom code to disable the defenses? How much time did you need?
What is your assessment of the difficulty of bypassing the mechanisms?

Category: Impede Dynamic Analysis and Tampering
Function: Testing File Integrity Checks (MSTG-RESILIENCE-3)
Reference: github.com
