6

I want to avoid people installing the app on virtual devices.

Is there any way to tell this? What is the best you could do?

Ideally, what I want to prevent as a whole is one person or entity creating many accounts to analyze my service easily. The app is only a portal and the processes are server only. I use captchas at account creation and while using the service to ensure human interaction. I also use push up tokens and other hardware and Google information to ensure as much as possible that the account is always being used from the same device, and passwords etc. if the user changes his device. In other words, I want to maximize the human captcha-solving cost as much as I can.

SaintJob 2.0
  • http://stackoverflow.com/q/16213326/1068283 – Michael Hampton Jan 06 '14 at 00:20
  • "The app is only a portal and the processes are server only." - this is the way to approach the problem. Keep sensitive code and data on a server under your control. But I think your question on emulator detection is still valid within this context. For the folks putting the question on hold, Super User is clearly the wrong agenda for this question. –  Jan 06 '14 at 00:41

2 Answers

6

I'm not sure that there is a way. You could examine the hardware configuration to see if it is using any of the typical emulated hardware, but if someone modifies their emulator, it could be set up to look very close to actual hardware. That is, in fact, the entire point of an emulator. I'm also not sure what you are trying to prevent by ensuring that it is running on an actual device. There isn't anything in particular that I can think of that you can do with an emulator that you can't do with a physical device, unless you are also checking that root is not enabled, though a sophisticated attacker could probably bypass most checks of root as well.

Fundamentally, you can't secure hardware you can't trust. If it is that critical, offload the process to a server that you have control of. You have to trust your user and your user hardware if you want to do anything important on it. Otherwise, the best you can do is obfuscate, but that is then the same realm as DRM and provides pretty minimal security. If the device can do it, a user can figure out what the device is doing. The only way to prevent that for sure is to prevent the user from having access to the device doing the work.

AJ Henderson
  • Ideally, what I want to prevent as a whole is one person or entity creating many accounts to analyze my service easily. The app is only a portal and the processes are server only. I use captchas at account creation and while using the service to ensure human interaction. I also use push up tokens and other hardware and Google information to ensure as much as possible that the account is always being used from the same device, and passwords etc. if the user changes his device. In other words, I want to maximize the human captcha-solving cost as much as I can. I edited the post with this info. – SaintJob 2.0 Jan 05 '14 at 18:59
  • 1
    @SaintJob2.0 - in that case, make them register an account and look for IP addresses registering a bunch of accounts or with similar account details. Take the Android out of it and instead focus on the core problem that you need to enforce unique users as best possible. – AJ Henderson Jan 05 '14 at 19:24
  • Yes, I'm doing that already. The only threat that has is having lots of IPs available through some kind of virus/trojan spread specifically for that purpose. And thus we end up again with the same problem, with one modified app installed on a real device that uses those viruses. Guess I've done all that's possible for now ^^. Thanks. – SaintJob 2.0 Jan 05 '14 at 19:44
  • @SaintJob2.0 if you are up against that sophisticated of an attacker, they could also just use general reverse engineering tools against your program (like decompilation and such). – AJ Henderson Jan 05 '14 at 22:46
  • Yes, I'm aware of it, but maybe there was something done by Google for some devices, like tracking and having a list of trusted hardware device IDs and allowing some kind of checking. In fact, having a considerable number of trusted users would be really valuable for me so I can detect any abnormal behavior in others. – SaintJob 2.0 Jan 05 '14 at 23:11
  • Well, I'm going to delete the question because it looks like it's off topic anyway... thanks for the answer. – SaintJob 2.0 Jan 05 '14 at 23:22
  • 2
    I'm not sure it's off topic in the context of analysis. See, for example, https://www.google.com/search?q=red+pill+blue+pill+site:blackhat.com. They are all about detecting emulation and resisting analysis (or building stealthier emulation). –  Jan 06 '14 at 00:38
  • @noloader - as long as it is clarified to being a question about preventing reverse engineering by trying to limit it to secure devices, then I think it is probably on topic, but there unfortunately still isn't a particularly good answer though since anything real hardware can do, an emulator can be made to impersonate. That is, in fact, the entire point of an emulator. If we had a true trusted platform setup, then a private device key inaccessible to the user could be used, but I don't think any mass market consumer product has ever done that and it would have other scary implications. – AJ Henderson Jan 06 '14 at 00:57
  • 2
    Be aware that virtualised/emulated Android environments will soon be a real use case for Windows 8.1 users, see http://arstechnica.com/gadgets/2014/01/putting-windows-and-android-on-the-same-pc-doesnt-solve-anyones-problems/ – Callum Wilson Jan 06 '14 at 11:44
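
The server-side check suggested in the comments above (look for IP addresses registering a bunch of accounts, or accounts with similar details), as an added example that is not code from any participant in this thread. The window, the thresholds, the `stem` normalisation, the function names and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW = timedelta(hours=1)  # assumed look-back window
MAX_PER_IP = 3               # assumed limit: signups per IP per window
MAX_PER_STEM = 3             # assumed limit: look-alike addresses per window

def stem(email):
    """Normalise an address so 'b.ot+x@d' and 'bot12@d' compare equal."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return re.sub(r"\d+$", "", local) + "@" + domain

def flag_signups(events):
    """events: (timestamp, ip, email) tuples sorted by time.
    Returns {email: sorted reasons} for registrations worth reviewing."""
    by_ip, by_stem = defaultdict(list), defaultdict(list)
    flagged = defaultdict(set)
    for ts, ip, email in events:
        for key, bucket, limit, reason in (
            (ip, by_ip, MAX_PER_IP, "ip_burst"),
            (stem(email), by_stem, MAX_PER_STEM, "similar_details"),
        ):
            # Keep only signups inside the sliding window, then add this one.
            recent = [(t, e) for t, e in bucket[key] if ts - t <= WINDOW]
            recent.append((ts, email))
            bucket[key] = recent
            if len(recent) > limit:
                # Flag the whole cluster, not only the signup that crossed the limit.
                for _, e in recent:
                    flagged[e].add(reason)
    return {e: sorted(r) for e, r in flagged.items()}

# Constructed sample data (documentation IP ranges, made-up addresses).
T0 = datetime(2014, 1, 5, 18, 0)
SAMPLE = [
    (T0, "198.51.100.7", "alice@example.com"),
    (T0 + timedelta(minutes=1), "203.0.113.9", "bot1@example.net"),
    (T0 + timedelta(minutes=2), "203.0.113.9", "kate@example.org"),
    (T0 + timedelta(minutes=3), "203.0.113.9", "bot2@example.net"),
    (T0 + timedelta(minutes=4), "203.0.113.9", "bot3@example.net"),
    (T0 + timedelta(minutes=5), "192.0.2.44", "b.ot+x@example.net"),  # new IP, same stem
    (T0 + timedelta(minutes=90), "198.51.100.7", "bob@example.com"),  # outside window
]
```

In the sample, the signup from a fresh IP is still caught by the similar-details rule, while `kate@example.org` is flagged only because she shares an address with the burst, so a flag here is a reason to review or add friction rather than to block outright.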
5

This is actually answered over on SO:

https://stackoverflow.com/questions/2799097/how-can-i-detect-when-an-android-application-is-running-in-the-emulator

You can't actually prevent it being installed, however, as your app isn't going to be launched until it has been installed, and to the best of my knowledge there is no way to have something run on installation either, so you'll have to wait until you've been installed and launched through some intent before performing the check that you are on a physical device.

I think because you are asking it here, though, you are probably looking for an understanding of the security implications of this. The problem is, if you don't want your app running on the simulator but only on a physical device because you are concerned about someone looking at what your app is doing, I'm afraid you are out of luck. Keep in mind that a physical device can be rooted, and then you are really out of luck, as there is really no way to know then what is going on behind the scenes.

Mark Fidell