{"id":27880600,"url":"https://github.com/kevlar-kt/kevlar","last_synced_at":"2025-05-05T04:03:17.895Z","repository":{"id":49338310,"uuid":"468138363","full_name":"kevlar-kt/kevlar","owner":"kevlar-kt","description":"Android Security Toolkit \u0026 Framework","archived":false,"fork":false,"pushed_at":"2024-06-23T23:43:15.000Z","size":9060,"stargazers_count":72,"open_issues_count":1,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-24T00:57:53.750Z","etag":null,"topics":["android","antipiracy","integrity","kotlin","rooting","seccurity"],"latest_commit_sha":null,"homepage":"https://kevlar-kt.github.io/kevlar","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kevlar-kt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-10T00:30:26.000Z","updated_at":"2024-06-23T23:43:18.000Z","dependencies_parsed_at":"2024-02-13T00:44:38.007Z","dependency_job_id":null,"html_url":"https://github.com/kevlar-kt/kevlar","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevlar-kt%2Fkevlar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevlar-kt%2Fkevlar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevlar-kt%2Fkevlar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevlar-kt%2Fkevlar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kevlar-k
t","download_url":"https://codeload.github.com/kevlar-kt/kevlar/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252436292,"owners_count":21747470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","antipiracy","integrity","kotlin","rooting","seccurity"],"created_at":"2025-05-05T04:02:27.342Z","updated_at":"2025-05-05T04:03:17.851Z","avatar_url":"https://github.com/kevlar-kt.png","language":"Kotlin","funding_links":[],"categories":["Kotlin"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/kevlar-kt/kevlar\"\u003e\u003cimg width=\"100\" src=\"https://github.com/kevlar-kt/kevlar/raw/master/art/kevlar-kt/web/icon-512.png\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eKevlar\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/kevlar-kt/kevlar/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/tag/kevlar-kt/kevlar\" alt=\"Latest tag\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/kevlar-kt/kevlar/actions?query=workflow%3A%22Build%22\"\u003e\u003cimg src=\"https://github.com/kevlar-kt/kevlar/actions/workflows/push-debug-build.yaml/badge.svg\" alt=\"Android CI\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://source.android.com/setup/start/build-numbers\"\u003e\u003cimg src=\"https://img.shields.io/badge/minSdk-19-00E676.svg\" alt=\"Android Min Sdk\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://kotlinlang.org/docs/releases.html\"\u003e\u003cimg 
src=\"https://img.shields.io/badge/kotlin-1.9.22-orange.svg\" alt=\"Kotlin\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://androidweekly.net/issues/issue-528\"\u003e\u003cimg src=\"https://img.shields.io/badge/AndroidWeekly-528-5bb3e2\" alt=\"AndroidWeekly Issue\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://us12.campaign-archive.com/?u=f39692e245b94f7fb693b6d82\u0026id=15eb56d1f5\"\u003e\u003cimg src=\"https://img.shields.io/badge/KotlinWeekly-315-%238a78e8\" alt=\"Kotlin\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/kevlar-kt/kevlar/blob/master/LICENSE.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\n## Index\nSee the [project's website](https://kevlar-kt.github.io/kevlar) for docs and reference.\n\nSee the [showcase module](https://github.com/kevlar-kt/kevlar/tree/master/showcase/src/main/kotlin/com/kevlar/showcase) for code samples and library usage.\n\nSee the [integration](https://kevlar-kt.github.io/kevlar/pages/overview/dependencies_integration/) page for the dependencies; check a package's implementation page for a comprehensive and specific guide.\n\n\n\n## Abstract\nKevlar is a security toolkit (library) for Android apps.\nIt is divided into 3 packages ([antipiracy], [rooting] and [integrity]), each containing specific tooling and components.\n\n[antipiracy]: https://kevlar-kt.github.io/kevlar/pages/modules/antipiracy/antipiracy/\n[rooting]:    https://kevlar-kt.github.io/kevlar/pages/modules/rooting/rooting/\n[integrity]:  https://kevlar-kt.github.io/kevlar/pages/modules/integrity/integrity/\n\nIts purpose is to be an auditing tool, used to inspect the security environment on Android devices.\n\nA security environment is the security state of a device, which can be probed with the different packages kevlar provides. 
\n\nEach package focuses on a specific security environment area:\n\n- `antipiracy` detects the presence of pirate software installed on the device (user-wise security);\n- `rooting` detects the presence of root access, custom binaries, and abnormal OS status (system-wise security);\n- `integrity` detects certain types of tampering attempts your app may have been targeted with (app-wise security).\n\nKevlar is intended to be used any time it is deemed necessary to determine whether the device your app is running on can be regarded as secure, according to your policies and security requirements.\n\n\n## Security Environment\nThe security environment is the status of the device.\nThis is subdivided into **system-wise** security (system modifications, rooting, custom binaries, custom ROMs, emulator, SELinux),\n**user-wise** security (pirate stores and pirate apps),\nand **app-wise** security (tampering, recompiling, changed signature \u0026 metadata).\n\n\n## Flexibility\nKevlar does not automatically detect a \"standard\" unsafe environment and give a 0/1 answer.\nThe kind of environment that is acceptable for your app to run in can be configured in each package individually.\n\nYou may be indifferent to some things (e.g. root detection) and very sensitive about others (e.g. app tampering \u0026 piracy detection).\nYou can customize the set of checks the library executes in each package.\nOnce you define your constraints, kevlar modules will operate accordingly.\n\nIf you don't explicitly instruct kevlar to check for a feature, then that feature will not be reported, regardless of its presence (or absence) on the device.\n\n\n## Design\nEach kevlar package contains custom implementations for what it has to scan for, but they all share the same overall structure, to make it easy to work with. 
Once you learn how to use a package, then you can transfer that knowledge to the other ones.\n\n\n``` mermaid\ngraph LR\n  I[Initialization] -.Settings..-\u003e K{Kevlar};\n  AREQ[Attestation Requests] --\u003e K\n  K --\u003e ARES[Attestation Result]\n  ARES --\u003e |Clear| P[Passed];\n  ARES --\u003e |Failed| NP[Not Passed];\n```\n\nThe founding idea is a flow of attestations. You initialize the package by passing it your settings (what you want to check for). Then you can go ahead and start requesting attestations. An attestation can either be Clear (passed) or Failed (not passed), according to your detection settings.\n\nThere may be one or more types of attestation you can request, and you can choose what you want by requesting different ones, to enforce granular control and run efficiently.\n\nUnder the hood, each package will call its implementations and run those checks against the operating system/current app, but you'll eventually get an `Attestation` back, so your only job is to check whether it is clear or not.\n\nThis makes security declarative: you express your constraints and requirements once while configuring kevlar, which will then take care of - when asked - producing a report (attestation) for your specific configuration, telling you what was found. 
And finally you can analyze this report and act accordingly, repeating the process as many times as needed.\n\n## Use Cases\nCommon use cases for security environment checks are applications managing sensitive resources, such as in-app purchases and subscriptions, valuable server-side resources or APIs, financial transactions, and anything that has a value that gets managed through your app/client.\n\nIdeally, you should request an attestation whenever your client wants to verify the status of the security environment before proceeding with the high-value action.\n\nKevlar is a sort of guard statement for those actions, which should decrease the probability of an attacker successfully breaking your application's high-value transaction.\n\n\n## Accuracy\nThis tool is meant to be an approximate form of environment analysis and estimation.\nIt covers a large number of attack vectors and does a good job at it.\n\nThis does not mean that it is unbreakable. You can find more details in [philosophy], but essentially\nit is a level 0 protection that can be removed by manually reverse engineering your app.\n\n[philosophy]: https://kevlar-kt.github.io/kevlar/pages/overview/philosophy/\n\nThis doesn't render it useless: it is very efficient at doing *what it is designed to do*, protecting against automated and unskilled attacks,\nwhich will most certainly be the vast majority of what your app will ever be put through.\n\n\n## Additions \u0026 Alternatives\nKevlar resembles what may look like an in-house protection system. 
It is open source, flexible and rich in features.\n\nFor stricter scenarios where higher fidelity and accuracy are required, you should be using something more specific (and radically different).\n\n- [Play Integrity](https://developer.android.com/google/play/integrity) \u0026 \u003cs\u003e[SafetyNet](https://developer.android.com/training/safetynet)\u003c/s\u003e from Google;\n- [AppCheck](https://firebase.google.com/products/app-check) from Firebase;\n- [ProGuard](https://www.guardsquare.com/proguard) and [DexGuard](https://www.guardsquare.com/dexguard) from GuardSquare.\n\n\n## Dependencies\n\n### Antipiracy \n\u003ca href=\"https://search.maven.org/artifact/io.github.kevlar-kt/antipiracy\"\u003e\u003cimg src=\"https://img.shields.io/maven-central/v/io.github.kevlar-kt/antipiracy.svg?label=Antipiracy\" alt=\"Download from MavenCentral\"\u003e\u003c/a\u003e\n  \n\n```gradle\ndependencies {\n    implementation 'com.github.kevlar-kt:antipiracy:1.2.0'\n}\n```\n\n### Rooting  \n\u003ca href=\"https://search.maven.org/artifact/io.github.kevlar-kt/rooting\"\u003e\u003cimg src=\"https://img.shields.io/maven-central/v/io.github.kevlar-kt/rooting?label=Rooting\" alt=\"Download from MavenCentral\"\u003e\u003c/a\u003e\n\n```gradle\ndependencies {\n    implementation 'com.github.kevlar-kt:rooting:1.2.0'\n}\n```\n\n\n### Integrity \n\u003ca href=\"https://search.maven.org/artifact/io.github.kevlar-kt/integrity\"\u003e\u003cimg src=\"https://img.shields.io/maven-central/v/io.github.kevlar-kt/integrity?label=Integrity\" alt=\"Download from MavenCentral\"\u003e\u003c/a\u003e\n\n```gradle\ndependencies {\n    implementation 'com.github.kevlar-kt:integrity:1.2.0'\n}\n```\n\n\n\n## License\nThis project is licensed under the Apache License, Version 2.0. 
Please refer to the `LICENSE.md` file inside the GitHub repository for the full text.\n\n```\nCopyright 2022 Kevlar Contributors\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n   http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkevlar-kt%2Fkevlar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkevlar-kt%2Fkevlar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkevlar-kt%2Fkevlar/lists"}