Android - App Hash - Monitor (Pro)
You can validate the hash of the whole app to ensure that the entire binary, and therefore the app itself, has not been tampered with. This validation is slightly more complex because you need to compare the local hash of the application with a remote hash to check its integrity.
Monitor
To monitor the hash of the app, AntiCheat has introduced the 'AndroidPackageHashMonitor', which can be found in the 'GUPS.AntiCheat.Monitor.Android' namespace. The monitor calculates the hash of the entire app (APK/AAB) itself and notifies observers of the calculated hash using the 'AndroidHashStatus'. This hash can be compared with a remote source to detect whether the app is in its original state or has been modified or tampered with.
Monitor Status
The monitor calculates the hash of the whole app in its Start callback. After the calculation, the observers are notified with the 'AndroidHashStatus'. The status contains the following properties:
- FailedToRetrieveData: Indicates that the hash could not be retrieved or an exception occurred, so no valid value is returned.
- Algorithm: The algorithm used to hash the app.
- Hash: The hash of the whole app itself as a hex string.
Supported Platforms
The monitor is only available on Android platforms.
Requirements
Requires an Android build with at least Android 4.4 (API level 19) (December 2013).
How To Use
Usage is quite simple: attach the 'AndroidPackageHashMonitor' to a child GameObject of the 'AntiCheat-Monitor', assign the hash algorithm to use in the 'AntiCheat-Project Settings', and set up the 'AndroidPackageTamperingDetector'.
Add Monitor Component
Add the 'AndroidPackageHashMonitor' MonoBehaviour from the 'GUPS.AntiCheat.Monitor.Android' namespace to your 'AntiCheat-Monitor' GameObject or, better, to a child GameObject.
Add the 'AndroidPackageHashMonitor' as Component.
When running on an Android device, the app hash is calculated in the 'Start' method of the 'AndroidPackageHashMonitor' MonoBehaviour. As soon as the hash has been calculated, an 'AndroidHashStatus' is sent to observers (usually detectors next to the monitor). If the hash could not be calculated, a status containing the error is also sent.
Hash Algorithm
To calculate the app hash, an algorithm is needed. AntiCheat supports the following algorithms:
Hash-Algorithm | Description |
---|---|
None | No hash algorithm is used. |
MD5 | MD5 hash algorithm. Not recommended for security purposes. |
SHA1 | SHA1 hash algorithm. Not recommended for security purposes. |
SHA256 | SHA256 hash algorithm. |
SHA384 | SHA384 hash algorithm. |
SHA512 | SHA512 hash algorithm. |
To assign the algorithm used for the app hash calculation, go to 'Project Settings -> GuardingPearSoftware -> AntiCheat' and open the section 'Android - App Hash - Settings'. Activate the 'Verify app hash' checkbox and assign the algorithm you would like to use. SHA256 is the recommended algorithm.
In the AntiCheat Project Settings assign the used algorithm for hashing.
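The remote half of the comparison described above, as an added example that is not part of AntiCheat: a build-side function that produces the reference hash of the released file, and a server-side check of a reported status that treats a failed read or a weak algorithm as a failure rather than a pass. Assumptions: the client sends the three status properties as a dictionary keyed by their names, the monitor's hash is a digest over the raw file bytes, and `reference_hash`, `verify_report` and the reason strings are hypothetical names.

```python
import hashlib

# Algorithm names from the table on this page, mapped to hashlib names.
# None, MD5 and SHA1 are deliberately absent, so a report using them fails.
ACCEPTED = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def reference_hash(apk_path, algorithm):
    """Build side: hex digest of the released file, read in 1 MiB chunks.
    Assumption: the monitor's hash is a digest over the raw file bytes."""
    digest = hashlib.new(ACCEPTED[algorithm])
    with open(apk_path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_report(report, known_good):
    """Remote side: judge one status reported by a client.

    report     -- dict keyed by the three status property names (assumed
                  transport format, not part of AntiCheat).
    known_good -- {algorithm name: set of hex digests of released builds}.
    Returns (ok, reason).
    """
    if report.get("FailedToRetrieveData", True):
        return False, "no-hash"  # a failed read never counts as a pass
    algorithm = str(report.get("Algorithm", ""))
    if algorithm not in ACCEPTED:
        return False, "weak-or-unknown-algorithm"
    claimed = str(report.get("Hash", "")).strip().lower()
    expected_len = hashlib.new(ACCEPTED[algorithm]).digest_size * 2
    if len(claimed) != expected_len or set(claimed) - set("0123456789abcdef"):
        return False, "malformed-hash"
    released = {value.lower() for value in known_good.get(algorithm, ())}
    return (True, "match") if claimed in released else (False, "mismatch")


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".apk") as sample:
        sample.write(b"constructed stand-in for a release APK")  # constructed
        sample.flush()
        good = reference_hash(sample.name, "SHA256")
    status = {"FailedToRetrieveData": False, "Algorithm": "SHA256", "Hash": good.upper()}
    print(verify_report(status, {"SHA256": {good}}))
```

Take the reference digest from the file users actually install: if a store re-signs or repackages the build, the digest of your local build output will not match what the device reports.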
Detect Invalid Hash
To react to the sent status and validate the calculated hash, you need a detector. For this, use the 'AndroidPackageTamperingDetector', an aggregated detector that can react to various attempts to tamper with the Android app itself.