They're already barely possible as it is.

For frida to work you need to root the device, which is impossible on ever more models, and there's an endless supply of very good rooting detection SDKs on the market, not to mention Play Integrity.

▲

pimterry 18 hours ago | parent | next [-]

> For frida to work you need to root the device, which is impossible on ever more models

There's plenty of physical devices where it is possible, and Google publish official emulator images with root access for every Android version released to date. This part is still OK.

> there's an endless supply of very good rooting detection SDKs on the market, not to mention Play Integrity

Most of the root detection is beatable with Frida etc, mostly.

Play Integrity & attestation (roughly: 'trusted computing' on your phone, which signs messages as 'from an unmodified certified device' in a way that the server can verify, to only allow connections from known-good devices) is a much larger problem. Best hope here is that a) it creates much work for most apps to bother and b) it eventually gets restricted as anti-competitive. It's literally them charging & setting rules on their competitors for how they get a certificate which allows phones they make to function with all the Android apps on the market, and pushing app makers to restrict their apps to not work on phones from competitors who don't play ball, so I don't think anti-competition pushback here is that implausible medium term.

	▲	mschuster91 16 hours ago \| parent [-]
		> There's plenty of physical devices where it is possible Yup, but say Samsung, kiss KNOX goodbye. Fused off once you flash a non-Samsung image. > and Google publish official emulator images with root access for every Android version released to date. This part is still OK. Many apps will straight refuse to run in emulators unless you're lucky to snag a debug build that accidentally got pushed to production. > Most of the root detection is beatable with Frida etc, mostly. It's a cat and mouse game and frankly, I'm sick of it - and especially about the fact that it's either "accept that you'll need to wait X weeks until <Magisk plugin> gets an update" or "install some unofficial closed source fork that may or may not be laced with malware". > Best hope here is that a) it creates much work for most apps to bother and b) it eventually gets restricted as anti-competitive. Rooting detection used to be too much work, then SDKs cropped up that made it very easy, and that will be the case for remote-verifiable hardware attestation. And restrictions from anti-trust? No way that will happen in the next three years in the US, and here in the EU it takes about 5-10 years until our parliament finally gets to work after a problem gets too much attention for their lazy asses to ignore. And even then, the lobby from banks, game studios ("them cheaters!!!" in f2p scam games) and other influential lobbyists will likely prevent any serious action.

▲

crowfunder 19 hours ago | parent | prev [-]

As far as I'm aware it is possible to use Frida without rooting, by using Objection https://github.com/sensepost/objection

▲

bri3d 19 hours ago | parent [-]

> Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.

This is the key thing, and the part that will change next year: previously, you could unpack, patch, and repack an APK with the Frida gadget and install it onto an Android device in Developer mode, while the device remained in a "Production" state (with only Developer mode enabled, and no root). Now, the device would either need to be removed from the Android Certified state (unlocked/rooted) or you would need to sign the application with your own Developer Console account and install it on your own device, like the way iOS has worked for years.

▲

crowfunder 19 hours ago | parent [-]

Wow that's horrifying. I guess apk modding era is over for most users.

	▲	sureglymop 18 hours ago \| parent [-]
		Not yet. If I recall correctly only very few countries affected in the beginning.