Using safe to run to secure your Android apps from URL vulnerabilities

For full documentation on safe to run URL validation:

Risks & Mitigations

The risks from URLs are often subtle and hard to conclusively solve — they are prevalent any time that web connections or web pages are loaded from a source outside of your control. Let’s look at a few examples.

A particularly nasty problem can arise when you are exposing native code through JavaScript bridges. …

When trying to attack an Android application, attackers often try to circumvent some of the protections you’ve introduced into your app. For example, you might have a signature check added in order to prevent attackers from adding malware into your app and republishing it:

They might also reverse your app to remove any root protection / detection you’ve added:

Or they might try to remove any other checks you have added, for example, checks to stop it running on an emulator:

In order to make this harder, we can implement these checks using the inline keyword in…

What, why and how?


Emulator detection is the ability to tell when your application is running on an emulator rather than a real device, but why would you want to do this?


Reverse engineers, pentesters and hackers tend to like running your app on an emulator, as it can make it far easier to reveal what your application is doing. A somewhat convoluted example is looking at an application’s files in their private directory. For example:

In that case, we can see that by preventing our app running on an emulated device, it can make it more difficult for a penetration tester to observe our application.


Introducing the first release of safe to run — a library to help protect your application

If you’re just after the link:

No library or app can guarantee not running on a rooted phone because of the nature of rooted phones, and any tamper detection could be removed or changed in reality — this app should work with most attackers, and make it hard enough to make it not worth it for many others.

The library is intended to provide a layer of security for Android applications from rooted phones, reverse engineering, binary modification, malicious apps and some security vulnerabilities.

In principle, you set the parameters for a safe device, (one where the debugger is not…

What we’re going to build

I’m going to demonstrate a fairly simple screen, built up of common components in jetpack compose and swift UI and backed by models written in kotlin multiplatform. Over the course of several articles, I’ll build up our application to cover database storage and retrieval, an idea of how dependencies can be resolved, using MVI for a formal architecture and how we can handle navigation.

Our first app though, is going to be a simple list — with data coming from a kotlin multiplatform “view model”. The UI will be swift UI for iOS and Jetpack compose for Android.


(Use the…

I’ve been writing an app recently using the Kotlin Multiplatform Mobile plugin, with an MVI architecture, SwiftUI for the iOS UI and Compose for the Android. Right from the start I’ve focused on doing as much of the coding in Kotlin MPP as I reasonably can, and in this article I’m going to talk about my general approach and the libraries I’ve used.

The easiest part to implement has actually been the database part. Rather than a traditional orm I’ve been using SQL delight, which takes the opposite approach — in a traditional orm SQL is generated from…

The first flutter byteconf started today with three workshops. Here’s what I learnt

I was excited about ByteConf flutter for a while, and the first three workshops had some great bits in it. I’ve been working on professional flutter projects for just over a year now, but the pace of change in Flutter land and the project deadlines means a lot of things other people are doing pass me by. Sitting down to watch these presentations, here are some of the things I learnt that I didn’t know before — some relevant to the core presentation, others that I just didn’t know. …

Getting started

When developing flutter apps, we’re forced to learn two different platforms and their security (and more for desktop and web) as well as the dart and flutter ecosystem itself. To help get started, here are a few steps and libraries we can take to secure our flutter applications.

Both Android and iOS have the concept of a ‘sandbox’, i.e. a directory on disk which cannot be read by any other application save your own. This directory can be retrieved using the Path provider library:

Directory appDocDir = await getApplicationDocumentsDirectory();
String appDocPath = appDocDir.path;

Files placed in this directory are stored…

Here’s how to follow best practice

There are many implementations of OAuth on Android that do not follow the recommendations set out in RFC 8252, and sadly they appear in the top results on Stack Overflow more often than the correct implementations. Even people who ought to know better will implement or recommend a less secure solution. It’s no wonder then that M4: Insecure Authentication remains one of the top 10 mobile risks according to OWASP.

If you’re an Android developer, and you have or will in future conceivably log in with an OAuth provider — please read this article. If you’re the kind of…

One Tap is Google’s newest cross-platform identity service and its implementation is very neat for a user

Our aim will be to set up OneTap for Android and verify the user with a Micronaut backend.

Account setup

First head here to create or configure an existing project

Daniel Llewellyn
