conbeerlib's People

Contributors

su-vikas

conbeerlib's Issues

False Positive with Running App Services

We are using JobScheduler in our app and it seems it's flagged as a container service:

com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService

I know we can add it to the list of appServices but it seems like something that should be ignored by default.

Here:

image

Since it's running and I didn't add it to appServices, then it falsely thinks we are running a container.

False Positive with Process Maps?

Getting what I think is a false positive with the checkProcMaps method.

It states:

/**
 * /proc/self/maps should not have libraries or APK from other /data/app and /data/data folders,
 * other than the one of the app's.
 * Example:
 * Dr.Clone: /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libnativehook.so
 * /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libsubstrate.so
 * Parallel Space:
 * /data/app/com.lbe.parallel.intl-bp5H8cQ_sHHz72STgLNWfg==/lib/arm/libdaclient_64.so
 *
 * @return True, if virtual container detected
 */

I added this log:

// Check paths does not contain files from other /data/data and /data/app locations
for (String p : paths) {
    if (p.startsWith("/data/app") || p.startsWith("/data/data")) {
        if (!p.contains(packageName)) {
            Log.d("MK", "XXX PROC: " + p);
            isContainer = true;
            break;
        }
    }
}

However, when I run the check at startup for our app, it's saying it's running in a container because this file exists:

2021-06-15 08:58:01.258 D/MK: XXX PROC: /data/app/com.google.android.gms-prf32SOG9-vEd5NdflrfHA==/split_config.en.apk

Interestingly it only seems to happen every other app load as well, not every time.

We use the AAB format and have a split APK, so it looks like that's not supported perhaps?

https://developer.android.com/guide/app-bundle

Sending Broadcast Container test

https://github.com/su-vikas/conbeerlib/blob/master/conbeerlib/src/main/java/com/suvikas/conbeer/ConBeer.java#L401

intent.setPackage("com.container.com.suvikas.conware");

This is the package you use when attempting to start the broadcast receiver. Is this a typo or correct? Does it have something to do with running in a container?

(Usually optional) Set an explicit application package name that limits the components this Intent will resolve to. If left to the default value of null, all components in all applications will considered. If non-null, the Intent can only match the components in the given application package.

It seems from the code, you want this broadcast to be received and that's how you show it's not a container. But with the above package name, isn't it always going to fail? (and thus think it's a container when it's not)

Rooted phone False Positive scenario

checkProcMaps: Suspicious file: /data/app/org.meowcat.edxposed.manager-qkLtyHZpTcGEgfFOW6B7BA==/base.apk]
is tagged as a virtual container

Pre-context:
I have the Island app installed as a work profile.

I have a sample app in which I tried to follow your lib's checks; it reports it's running in a container (it's currently installed in my regular user space).

The checks return true when I have a virtualized guest app variant of my sample in the work profile.

Are there some details on how this is calculated with respect to proc maps?
Given my check is from the host machine and not the virtual container, it should be false.
But it picks up on EdXposed installed.

Tried Parallel Space as well; due to the rooted device and Xposed installed, this check as a signal is always true.
Any piece of advice?
My goal is to detect my sensitive app when it runs in the wild running on emulators/virtual containers.
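
An added example, not conbeerlib's code, relating to the two checkProcMaps reports on this page: it attributes each mapped /data/app or /data/data path to its owning package by exact name, so the result says which package triggered the flag instead of a single boolean. The class name, the `EXPECTED` allow-list and `com.example.app` are assumptions; the maps lines are constructed around the paths quoted in the issues.

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class ProcMapsOwnerCheck {
    // Assumption: packages the app accepts seeing mapped; this is a policy choice.
    static final Set<String> EXPECTED = Set.of("com.google.android.gms");

    /** Owning package of a /data/app or /data/data path, or null for any other path. */
    static String ownerOf(String path) {
        String[] seg = path.split("/"); // "", "data", "app" | "data", <dir>, ...
        if (seg.length < 4 || !seg[1].equals("data")) return null;
        if (seg[2].equals("data")) return seg[3];
        if (!seg[2].equals("app")) return null;
        int i = 3;
        // Android 11+ layout: /data/app/~~<random>==/<package>-<random>==/
        if (seg[i].startsWith("~~") && seg.length > i + 1) i++;
        int dash = seg[i].indexOf('-'); // package names cannot contain '-'
        return dash < 0 ? seg[i] : seg[i].substring(0, dash);
    }

    /** Packages other than ownPackage and EXPECTED that have files mapped. */
    static Set<String> foreignOwners(List<String> mapsLines, String ownPackage) {
        Set<String> foreign = new TreeSet<>();
        for (String line : mapsLines) {
            int slash = line.indexOf('/'); // pathname is the last field
            if (slash < 0) continue;       // anonymous mapping, [heap], [stack]
            String owner = ownerOf(line.substring(slash).trim());
            // Exact package comparison instead of a substring test on the path.
            if (owner != null && !owner.equals(ownPackage) && !EXPECTED.contains(owner)) {
                foreign.add(owner);
            }
        }
        return foreign;
    }

    public static void main(String[] args) {
        // Constructed maps lines; the foreign paths are those quoted in the issues.
        List<String> maps = List.of(
            "70000000-70001000 r--p 00000000 fd:05 11 /data/app/com.example.app-Qx1==/base.apk",
            "70002000-70003000 r--p 00000000 fd:05 12 /data/app/com.google.android.gms-prf32SOG9-vEd5NdflrfHA==/split_config.en.apk",
            "70004000-70005000 r--p 00000000 fd:05 13 /data/app/org.meowcat.edxposed.manager-qkLtyHZpTcGEgfFOW6B7BA==/base.apk",
            "70006000-70007000 r-xp 00000000 fd:05 14 /data/app/com.trendmicro.tmas-nX-nxxGWSIQ3FOKGnz-Xbg==/lib/arm/libsubstrate.so",
            "70008000-70009000 rw-p 00000000 00:00 0 [heap]");
        // Each reported package can then be triaged (container, hooking tool, system component).
        System.out.println(foreignOwners(maps, "com.example.app"));
    }
}
```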
