Nice extension.
Can it protect from apps like Lucky Patcher?
Yeah, since patched/modded apps don't have the same SHA1 or SHA256.
I guess this only works if the modder (or a potential user who tries to modify it) tries to tamper with AndroidManifest.xml, since they wouldn't need any signature/modifications of keys whilst doing an ordinary de-compile and re-compile.
Actually, after any edit to an APK the signature is modified, even if it's just putting a simple file in assets. Upon every single modification to the APK, it becomes unsigned.
Apktool site
Note: The last note suggests that the current changes you made to the AndroidManifest.xml would be lost since it'll copy the original file.
apktool help -advance output
Recompiling using the -c flag will use the original ones and you don't have to sign the apk manually later on. Which means someone could potentially change any asset, smali (java) or resources without getting caught.
I personally used this to avoid the signature change detection that most system apps possess (at least commercialized androidx86's do). I was experimenting with system apps btw, and most people (I know) use the flag if they haven't touched those files.
I’ve got another question in my head.
So, if they're smart enough to modify the app, I'm pretty sure at least some of them would know how to modify smali. They could just tamper with your extension code and inverse the values just so it'd return False instead of True. It just takes an integer-level change (a single character change), which would defeat the entire selling point of this extension. (Correct me if I'm wrong.)
So, it just feels like it prevents newbie "modders" who try to do some basic-level stuff which doesn't affect the revenue of the app in any way, but we don't know about the people whose modifications affect you.
I’m not trying to be rude, I’m curious on how that’d be effective.
PS : I’m not showing something unethical, it’s just a point being proven.
Unfortunately, it doesn't retain your changes. That's how signatures work: if there's any modification to a file, it will become unsigned.
I'm open to tests, obviously, if any of you wish to do some.
Also, you can read about signatures on the AOSP site.
SHA-1 can be penetrated (risky) but SHA-256 is secure from penetration.
Conclusion
Signature/Keystore can't be recreated; you could do a bit of research on the Android site about signing.
The extension is currently proguarded, its source is split in 300 different files (that's how you make modders cry).
And nothing is fully secure, but we can at least add detection for changes ~
I’m actually interested in doing so ( I’m curious actually ).
What I meant before wasn't actually recreating or impersonating; I was talking about re-using the original key (the one it had been built with).
Honestly, relying on the front-end isn't that great (especially when you interact with money). If your platform/app is likely to be hacked or modded, it's recommended to take some measures and take legal action.
PS
My bad, I actually searched it up: Android's new scheme has restrictions and it makes those workarounds obsolete. Thanks for letting me know.
https://source.android.com/docs/security/features/apksigning
Yeah, that's what I meant. Thanks for your query, it might clear user doubts.
Hey dev… any bugs?
No bugs known as of now
I avoid paid extensions because they check every time server-side. Why do I avoid paid extensions? The reason: low-end devices already have some lag, and they sometimes display annoying popups.
Uhm, there's no such thing in the aix from my side; it finds the signing certificate on your device only and avoids opening the APK if that's modified.
Here is a free alternative with the same mechanism.
Both aren't the same extension.
Yes… but we can also use this extension to detect whether our app is modded or not.
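The device-side check described above, as an added example written for this thread rather than the extension's own code: it reads the signing certificate of the running package through PackageManager and compares its SHA-256 with a pinned value (EXPECTED_SHA256 is a placeholder you would replace with your own release certificate's fingerprint).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

public final class SigningCertCheck {
    // Placeholder: replace with the SHA-256 fingerprint of your own release certificate
    // (as printed by `keytool -list -v -keystore release.jks`, colons removed).
    private static final String EXPECTED_SHA256 =
            "PLACEHOLDER_SHA256_OF_RELEASE_CERTIFICATE";

    /** True when at least one signer of the installed APK is the expected certificate. */
    public static boolean signedWithExpectedCertificate(Context ctx) {
        try {
            for (Signature s : currentSigners(ctx)) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate,
                // which is exactly what keytool fingerprints.
                if (EXPECTED_SHA256.equalsIgnoreCase(sha256Hex(s.toByteArray()))) {
                    return true;
                }
            }
        } catch (Exception e) {
            // A lookup failure is treated as "not verified", never as a pass.
        }
        return false;
    }

    @SuppressWarnings("deprecation")
    private static Signature[] currentSigners(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // Signers of the APK contents; after key rotation this is the current key.
            return info.signingInfo.getApkContentsSigners();
        }
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    private static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

As the thread notes, this runs inside the app itself, so it detects a re-signed APK but cannot stop someone who patches the check out; pair it with a server-side check where revenue is involved.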
No, you can’t.
Yes. I can…
If you can't, it doesn't mean no one can…
Show proof if you can.
Otherwise there is no need to divert the topic.