android-sdd 1.0.0

package/skills/Security/Encrypted Storage/SKILL.md

@@ -0,0 +1,273 @@
+---
+name: encrypted-storage
+description: >
+  Encrypted local storage for Android apps.
+  Load this skill when storing sensitive data (tokens, user credentials,
+  personal info) locally, using EncryptedSharedPreferences, EncryptedFile,
+  or integrating encryption with DataStore or Room.
+---
+
+# Encrypted Storage
+
+## Overview
+Encrypted Storage protects sensitive data at rest on the device. Android provides `EncryptedSharedPreferences` and `EncryptedFile` via the Security library, both backed by the Android Keystore. For DataStore and Room, encryption is applied at the file or database level.
+
+---
+
+## Core Principles
+
+- **Never store sensitive data in plain SharedPreferences or files**
+- Use **Android Keystore** as the key provider — keys never leave the secure hardware
+- **EncryptedSharedPreferences** for key-value sensitive data (tokens, settings)
+- **EncryptedFile** for sensitive file content
+- **SQLCipher** for encrypted Room databases
+- Encryption keys are **generated once and stored in Keystore** — never hardcoded
+
+---
+
+## EncryptedSharedPreferences
+
+```kotlin
+// ✅ Create encrypted SharedPreferences
+fun createEncryptedPreferences(context: Context): SharedPreferences {
+    val masterKey = MasterKey.Builder(context)
+        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+        .build()
+
+    return EncryptedSharedPreferences.create(
+        context,
+        "secure_prefs",                                      // file name
+        masterKey,
+        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
+    )
+}
+
+// ✅ Wrapper for type-safe access
+class SecurePreferences @Inject constructor(
+    @ApplicationContext context: Context
+) {
+    private val prefs = createEncryptedPreferences(context)
+
+    var authToken: String?
+        get() = prefs.getString(KEY_AUTH_TOKEN, null)
+        set(value) = prefs.edit {
+            if (value != null) putString(KEY_AUTH_TOKEN, value)
+            else remove(KEY_AUTH_TOKEN)
+        }
+
+    var refreshToken: String?
+        get() = prefs.getString(KEY_REFRESH_TOKEN, null)
+        set(value) = prefs.edit {
+            if (value != null) putString(KEY_REFRESH_TOKEN, value)
+            else remove(KEY_REFRESH_TOKEN)
+        }
+
+    fun clearAll() = prefs.edit { clear() }
+
+    companion object {
+        private const val KEY_AUTH_TOKEN = "auth_token"
+        private const val KEY_REFRESH_TOKEN = "refresh_token"
+    }
+}
+```
+
+---
+
+## EncryptedFile
+
+```kotlin
+// ✅ Write encrypted file
+fun writeEncryptedFile(context: Context, fileName: String, content: ByteArray) {
+    val masterKey = MasterKey.Builder(context)
+        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+        .build()
+
+    val file = File(context.filesDir, fileName)
+    if (file.exists()) file.delete()   // EncryptedFile cannot overwrite
+
+    val encryptedFile = EncryptedFile.Builder(
+        context,
+        file,
+        masterKey,
+        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
+    ).build()
+
+    encryptedFile.openFileOutput().use { output ->
+        output.write(content)
+    }
+}
+
+// ✅ Read encrypted file
+fun readEncryptedFile(context: Context, fileName: String): ByteArray {
+    val masterKey = MasterKey.Builder(context)
+        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+        .build()
+
+    val file = File(context.filesDir, fileName)
+    val encryptedFile = EncryptedFile.Builder(
+        context,
+        file,
+        masterKey,
+        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
+    ).build()
+
+    return encryptedFile.openFileInput().use { it.readBytes() }
+}
+```
+
+---
+
+## Encrypted DataStore
+
+```kotlin
+// ✅ Encrypt DataStore using EncryptedFile as backing storage
+// Add dependency: androidx.security:security-crypto-ktx
+
+fun createEncryptedDataStore(context: Context): DataStore<Preferences> {
+    val masterKey = MasterKey.Builder(context)
+        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+        .build()
+
+    return PreferenceDataStoreFactory.createWithPath(
+        produceFile = {
+            val file = File(context.filesDir, "secure_datastore.preferences_pb")
+            // For true file-level encryption, wrap with EncryptedFile
+            file.toOkioPath()
+        }
+    )
+}
+
+// ✅ Simpler: use Tink-based DataStore encryption
+// (preferred for production)
+class EncryptedDataStoreManager @Inject constructor(
+    private val dataStore: DataStore<Preferences>
+) {
+    private val TOKEN_KEY = stringPreferencesKey("auth_token")
+    private val USER_ID_KEY = stringPreferencesKey("user_id")
+
+    val authToken: Flow<String?> = dataStore.data
+        .catch { if (it is IOException) emit(emptyPreferences()) else throw it }
+        .map { it[TOKEN_KEY] }
+
+    suspend fun saveAuthToken(token: String) {
+        dataStore.edit { it[TOKEN_KEY] = token }
+    }
+
+    suspend fun clearAuth() {
+        dataStore.edit {
+            it.remove(TOKEN_KEY)
+            it.remove(USER_ID_KEY)
+        }
+    }
+}
+```
+
+---
+
+## Encrypted Room (SQLCipher)
+
+```kotlin
+// ✅ SQLCipher for encrypted Room database
+// dependency: net.zetetic:android-database-sqlcipher
+// dependency: androidx.sqlite:sqlite-ktx
+
+@Database(entities = [...], version = 1)
+abstract class SecureDatabase : RoomDatabase() {
+    abstract fun sensitiveDataDao(): SensitiveDataDao
+}
+
+fun buildSecureDatabase(context: Context, passphrase: ByteArray): SecureDatabase {
+    val factory = SupportFactory(passphrase)
+    return Room.databaseBuilder(context, SecureDatabase::class.java, "secure.db")
+        .openHelperFactory(factory)
+        .build()
+}
+
+// ✅ Derive passphrase from Keystore-backed key
+class DatabaseKeyProvider @Inject constructor(
+    @ApplicationContext private val context: Context
+) {
+    fun getPassphrase(): ByteArray {
+        val keyAlias = "db_key"
+        val keyStore = KeyStore.getInstance("AndroidKeyStore").also { it.load(null) }
+
+        if (!keyStore.containsAlias(keyAlias)) {
+            val keyGenerator = KeyGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"
+            )
+            keyGenerator.init(
+                KeyGenParameterSpec.Builder(
+                    keyAlias,
+                    KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+                )
+                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+                    .setKeySize(256)
+                    .build()
+            )
+            keyGenerator.generateKey()
+        }
+
+        // Derive a stable passphrase from the key
+        val key = keyStore.getKey(keyAlias, null) as SecretKey
+        return key.encoded ?: ByteArray(32).also { SecureRandom().nextBytes(it) }
+    }
+}
+```
+
+---
+
+## Hilt Setup
+
+```kotlin
+@Module
+@InstallIn(SingletonComponent::class)
+object StorageModule {
+
+    @Provides
+    @Singleton
+    fun provideSecurePreferences(
+        @ApplicationContext context: Context
+    ): SecurePreferences = SecurePreferences(context)
+
+    @Provides
+    @Singleton
+    fun provideSecureDatabase(
+        @ApplicationContext context: Context,
+        keyProvider: DatabaseKeyProvider
+    ): SecureDatabase = buildSecureDatabase(context, keyProvider.getPassphrase())
+}
+```
+
+---
+
+## What to Encrypt
+
+| Data | Storage | Encrypted? |
+|---|---|---|
+| Auth token / refresh token | EncryptedSharedPreferences | ✅ Always |
+| User PII (name, email, phone) | Encrypted Room / SQLCipher | ✅ Always |
+| Payment data | Encrypted Room | ✅ Always |
+| App preferences (theme, language) | Regular DataStore | ❌ Not needed |
+| Cached images | File cache | ❌ Usually not needed |
+| Health/medical data | Encrypted Room | ✅ Always |
+
+---
+
+## Anti-Patterns
+
+- Storing tokens in plain `SharedPreferences` — readable by rooted devices and backup extraction
+- Hardcoding encryption keys in source code — use Android Keystore
+- Storing the encryption key alongside the encrypted data — defeats the purpose
+- Using `MODE_WORLD_READABLE` or `MODE_WORLD_WRITEABLE` for any file
+- Encrypting non-sensitive data — unnecessary overhead; encrypt only what needs protection
+
+---
+
+## Related Skills
+- `keystore` — Android Keystore key generation and management
+- `datastore` — DataStore patterns
+- `room` — Room database setup
+- `encrypted-database` — full SQLCipher Room setup
+- `secure-networking` — protecting data in transit

package/skills/Security/Frida Detection/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: frida-detection
+description: >
+  Frida dynamic instrumentation detection for Android apps.
+  Load this skill when detecting Frida gadget injection, Frida server
+  presence, or dynamic instrumentation attempts targeting the app at runtime.
+---
+
+# Frida Detection
+
+## Overview
+Frida is a dynamic instrumentation toolkit widely used by security researchers and attackers to hook functions, inspect memory, and bypass security checks at runtime. Unlike Xposed (which requires a framework installed on the device), Frida can be injected into a process dynamically. Detecting it requires checking for its artifacts at multiple levels.
+
+---
+
+## Core Principles
+
+- **Frida leaves multiple traces** — process maps, port, libraries, named pipes
+- **Check at multiple points** — startup and before sensitive operations
+- **Frida can hide itself** — combine with server-side integrity (Play Integrity API)
+- **Native checks are harder to bypass** — JNI-based detection is more resilient than Java
+- **No detection is perfect** — the goal is to raise the cost of attack
+
+---
+
+## Java-Level Detection
+
+```kotlin
+class FridaDetector @Inject constructor() {
+
+    data class FridaCheckResult(
+        val isDetected: Boolean,
+        val signals: List<String>
+    )
+
+    fun check(): FridaCheckResult {
+        val signals = mutableListOf<String>()
+
+        if (checkFridaServer()) signals.add("frida_server_port")
+        if (checkFridaFiles()) signals.add("frida_files")
+        if (checkProcessMaps()) signals.add("frida_in_maps")
+        if (checkFridaNamedPipes()) signals.add("frida_named_pipes")
+        if (checkFridaLibraries()) signals.add("frida_libraries")
+
+        return FridaCheckResult(
+            isDetected = signals.isNotEmpty(),
+            signals = signals
+        )
+    }
+
+    // ✅ Check if Frida server is listening on its default port (27042)
+    private fun checkFridaServer(): Boolean {
+        return try {
+            Socket().use { socket ->
+                socket.connect(InetSocketAddress("127.0.0.1", 27042), 100)
+                true   // connection succeeded — Frida server likely running
+            }
+        } catch (e: Exception) {
+            false
+        }
+    }
+
+    // ✅ Check for Frida-related files
+    private fun checkFridaFiles(): Boolean {
+        val fridaPaths = listOf(
+            "/data/local/tmp/frida-server",
+            "/data/local/tmp/frida",
+            "/sdcard/frida-server",
+            "/system/bin/frida-server"
+        )
+        return fridaPaths.any { File(it).exists() }
+    }
+
+    // ✅ Check /proc/self/maps for Frida agent
+    private fun checkProcessMaps(): Boolean {
+        return try {
+            File("/proc/self/maps").readLines().any { line ->
+                line.contains("frida", ignoreCase = true) ||
+                line.contains("gum-js-loop", ignoreCase = true) ||
+                line.contains("gmain", ignoreCase = true) ||
+                line.contains("linjector", ignoreCase = true)
+            }
+        } catch (e: Exception) {
+            false
+        }
+    }
+
+    // ✅ Check for Frida named pipes in /proc/self/fd
+    private fun checkFridaNamedPipes(): Boolean {
+        return try {
+            val fdDir = File("/proc/self/fd")
+            fdDir.listFiles()?.any { fd ->
+                try {
+                    val link = fd.canonicalPath
+                    link.contains("frida", ignoreCase = true) ||
+                    link.contains("linjector", ignoreCase = true)
+                } catch (e: Exception) {
+                    false
+                }
+            } ?: false
+        } catch (e: Exception) {
+            false
+        }
+    }
+
+    // ✅ Check loaded libraries for Frida signature
+    private fun checkFridaLibraries(): Boolean {
+        return try {
+            File("/proc/self/maps").readLines().any { line ->
+                line.contains("frida-agent", ignoreCase = true) ||
+                line.contains("frida-gadget", ignoreCase = true)
+            }
+        } catch (e: Exception) {
+            false
+        }
+    }
+}
+```
+
+---
+
+## Native Detection (JNI — More Resilient)
+
+```c
+// ✅ native-lib.cpp — harder to hook than Java methods
+#include <jni.h>
+#include <string>
+#include <fstream>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+extern "C" JNIEXPORT jboolean JNICALL
+Java_com_example_app_security_FridaDetectorNative_checkFridaPort(JNIEnv*, jobject) {
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) return JNI_FALSE;
+
+    struct sockaddr_in addr{};
+    addr.sin_family = AF_INET;
+    addr.sin_port = htons(27042);
+    inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);
+
+    struct timeval tv{};
+    tv.tv_sec = 0;
+    tv.tv_usec = 100000;  // 100ms timeout
+    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+    setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
+
+    bool detected = connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0;
+    close(sock);
+    return detected ? JNI_TRUE : JNI_FALSE;
+}
+
+extern "C" JNIEXPORT jboolean JNICALL
+Java_com_example_app_security_FridaDetectorNative_checkProcessMaps(JNIEnv*, jobject) {
+    std::ifstream maps("/proc/self/maps");
+    std::string line;
+    while (std::getline(maps, line)) {
+        if (line.find("frida") != std::string::npos ||
+            line.find("gum-js-loop") != std::string::npos ||
+            line.find("frida-agent") != std::string::npos) {
+            return JNI_TRUE;
+        }
+    }
+    return JNI_FALSE;
+}
+```
+
+```kotlin
+// ✅ Kotlin wrapper for native checks
+class FridaDetectorNative {
+    external fun checkFridaPort(): Boolean
+    external fun checkProcessMaps(): Boolean
+
+    companion object {
+        init { System.loadLibrary("native-lib") }
+    }
+}
+```
+
+---
+
+## Combined Security Check
+
+```kotlin
+// ✅ Unified check combining all detectors
+class AppSecurityChecker @Inject constructor(
+    private val fridaDetector: FridaDetector,
+    private val hookDetector: HookDetector,
+    private val rootDetector: RootDetector
+) {
+    data class SecurityReport(
+        val passed: Boolean,
+        val threats: List<String>
+    )
+
+    suspend fun runChecks(): SecurityReport = withContext(Dispatchers.IO) {
+        val threats = mutableListOf<String>()
+
+        val frida = fridaDetector.check()
+        val hooks = hookDetector.check()
+        val root = rootDetector.check()
+
+        if (frida.isDetected) threats.addAll(frida.signals.map { "frida:$it" })
+        if (hooks.isHooked)   threats.addAll(hooks.signals.map { "hook:$it" })
+        if (root.isRooted)    threats.addAll(root.signals.map { "root:$it" })
+
+        SecurityReport(passed = threats.isEmpty(), threats = threats)
+    }
+}
+```
+
+---
+
+## Anti-Patterns
+
+- Only checking port 27042 — Frida server can be configured to use any port
+- Java-only detection — Frida can hook Java methods; native checks are more reliable
+- Checking only at startup — Frida can be attached after the app starts
+- Crashing the app on detection without explanation — show a clear message
+- No server-side corroboration — client detection alone is bypassable
+
+---
+
+## Related Skills
+- `hook-detection` — Xposed/LSPosed framework detection
+- `root-detection` — rooted device detection
+- `reverse-engineering-resistance` — broader anti-tampering strategy
+- `obfuscation` — obfuscating detection logic

package/skills/Security/Hook Detection/SKILL.md

@@ -0,0 +1,197 @@
+---
+name: hook-detection
+description: >
+  Runtime hook detection for Android apps.
+  Load this skill when detecting Xposed framework, LSPosed, or other
+  hooking frameworks that intercept method calls, alter app behavior,
+  or bypass security checks at runtime.
+---
+
+# Hook Detection
+
+## Overview
+Hooking frameworks like Xposed and LSPosed allow attackers to intercept and modify method calls at runtime — bypassing authentication, logging sensitive data, or altering app behavior. Hook detection identifies the presence of these frameworks before they can tamper with critical operations.
+
+---
+
+## Core Principles
+
+- **Detect early** — check before any sensitive operation, not just at startup
+- **Multiple signals** — Xposed/LSPosed can hide some traces but rarely all
+- **Combine with root detection** — hooking frameworks typically require root
+- **Server-side validation** — client-side detection can be bypassed; pair with Play Integrity
+- **Fail-secure** — block sensitive operations if hooks are detected
+
+---
+
+## Xposed / LSPosed Detection
+
+```kotlin
+class HookDetector @Inject constructor(
+    @ApplicationContext private val context: Context
+) {
+    data class HookCheckResult(
+        val isHooked: Boolean,
+        val signals: List<String>
+    )
+
+    fun check(): HookCheckResult {
+        val signals = mutableListOf<String>()
+
+        if (checkXposedInstaller()) signals.add("xposed_installer")
+        if (checkXposedBridge()) signals.add("xposed_bridge")
+        if (checkStackTrace()) signals.add("xposed_stack_trace")
+        if (checkXposedFiles()) signals.add("xposed_files")
+        if (checkLoadedModules()) signals.add("loaded_modules")
+
+        return HookCheckResult(
+            isHooked = signals.isNotEmpty(),
+            signals = signals
+        )
+    }
+
+    // ✅ Check for Xposed installer apps
+    private fun checkXposedInstaller(): Boolean {
+        val xposedPackages = listOf(
+            "de.robv.android.xposed.installer",
+            "org.meowcat.edxposed.manager",
+            "io.github.lsposed.manager",
+            "com.android.xposed"
+        )
+        return xposedPackages.any { pkg ->
+            try {
+                context.packageManager.getPackageInfo(pkg, 0)
+                true
+            } catch (e: PackageManager.NameNotFoundException) {
+                false
+            }
+        }
+    }
+
+    // ✅ Check if XposedBridge class is loadable
+    private fun checkXposedBridge(): Boolean {
+        return try {
+            Class.forName("de.robv.android.xposed.XposedBridge")
+            true
+        } catch (e: ClassNotFoundException) {
+            false
+        }
+    }
+
+    // ✅ Check stack trace for Xposed method wrappers
+    private fun checkStackTrace(): Boolean {
+        return try {
+            throw Exception("stack_check")
+        } catch (e: Exception) {
+            val stackTrace = e.stackTrace.joinToString { it.className }
+            stackTrace.contains("XposedBridge") ||
+            stackTrace.contains("de.robv.android.xposed")
+        }
+    }
+
+    // ✅ Check for Xposed-related files on disk
+    private fun checkXposedFiles(): Boolean {
+        val xposedFiles = listOf(
+            "/system/lib/libxposed_art.so",
+            "/system/lib64/libxposed_art.so",
+            "/system/xposed.prop",
+            "/data/data/de.robv.android.xposed.installer"
+        )
+        return xposedFiles.any { File(it).exists() }
+    }
+
+    // ✅ Check loaded libraries for hooking framework signatures
+    private fun checkLoadedModules(): Boolean {
+        return try {
+            val mapsFile = File("/proc/self/maps")
+            mapsFile.readLines().any { line ->
+                line.contains("XposedBridge") ||
+                line.contains("libxposed") ||
+                line.contains("edxp") ||
+                line.contains("lspd")
+            }
+        } catch (e: Exception) {
+            false
+        }
+    }
+}
+```
+
+---
+
+## Runtime Integrity Check
+
+```kotlin
+// ✅ Verify critical method hasn't been hooked by checking its declaring class
+fun isMethodHooked(methodName: String, clazz: Class<*>): Boolean {
+    return try {
+        val method = clazz.getDeclaredMethod(methodName)
+        // If method is hooked, its class will be XposedBridge's handler class
+        method.declaringClass != clazz
+    } catch (e: Exception) {
+        false
+    }
+}
+
+// ✅ Self-check on a known method
+fun checkOwnMethodIntegrity(): Boolean {
+    return try {
+        val method = MySecurityClass::class.java.getDeclaredMethod("checkOwnMethodIntegrity")
+        method.declaringClass == MySecurityClass::class.java
+    } catch (e: Exception) {
+        false
+    }
+}
+```
+
+---
+
+## Response Strategy
+
+```kotlin
+@HiltViewModel
+class SecurityViewModel @Inject constructor(
+    private val hookDetector: HookDetector,
+    private val rootDetector: RootDetector
+) : ViewModel() {
+
+    val securityStatus: StateFlow<SecurityStatus> = flow {
+        val hookResult = hookDetector.check()
+        val rootResult = rootDetector.check()
+
+        emit(SecurityStatus(
+            isHooked = hookResult.isHooked,
+            isRooted = rootResult.isRooted,
+            hookSignals = hookResult.signals,
+            rootSignals = rootResult.signals
+        ))
+    }.stateIn(viewModelScope, SharingStarted.Eagerly, SecurityStatus())
+}
+
+data class SecurityStatus(
+    val isHooked: Boolean = false,
+    val isRooted: Boolean = false,
+    val hookSignals: List<String> = emptyList(),
+    val rootSignals: List<String> = emptyList()
+) {
+    val isCompromised: Boolean get() = isHooked || isRooted
+}
+```
+
+---
+
+## Anti-Patterns
+
+- Only checking for Xposed installer — LSPosed and EdXposed use different package names
+- Not checking at runtime before sensitive ops — startup-only check can be bypassed
+- Crashing without explanation — show a clear message before blocking
+- Trusting client-side detection alone — combine with Play Integrity API for server validation
+- Storing detection result in a predictable variable — hooked code can modify it
+
+---
+
+## Related Skills
+- `frida-detection` — Frida-specific detection
+- `root-detection` — detecting rooted devices
+- `reverse-engineering-resistance` — broader anti-tampering measures
+- `obfuscation` — making detection logic harder to analyze