DeviceIntegrity: RASP, Play Integrity / App Attest, accessibility-service guard#5277
Merged
Conversation
… guard Adds a portable device-integrity / runtime self-protection (RASP) API plus build hints, implemented in the core framework (no cn1lib, no native interfaces). Targets high-security apps that must react to a hostile runtime. New core API com.codename1.security.DeviceIntegrity: - requestIntegrityToken(nonce): server-verifiable attestation token (Google Play Integrity on Android, Apple App Attest on iOS) for gating sensitive actions such as transfers from a compromised device. - isDeviceCompromised() / getCompromiseReasons(): non-exiting RASP report (root/jailbreak/Frida/emulator) for granular runtime decisions. - getEnabledAccessibilityServices() / hasUntrustedAccessibilityService(...): detect malware abusing Android accessibility services. - setSecureScreen(bool): Android FLAG_SECURE for sensitive screens. Surfaced through Display, defaulting to "unsupported" in CodenameOneImplementation; implemented in the Android port (Play Integrity / RootBeer via reflection to keep the port dependency-free) and the iOS port (App Attest via DeviceCheck, gated behind CN1_USE_APP_ATTEST). Build-hint wiring (mirrored in the local maven-plugin builders; the cloud BuildDaemon is updated separately): android.playIntegrity(+.verifyUrl), ios.appAttest(+.environment), android.accessibilityGuard(+.allow,+.mode). Docs: new "Device integrity, RASP & attestation" section in the developer guide security chapter. Tests: DeviceIntegrityTest covers the accessibility allow-list evaluation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
|
Developer Guide build artifacts are available for download from this workflow run:
Developer Guide quality checks: |
Collaborator
Author
|
Compared 136 screenshots: 136 matched. Native Android coverage
✅ Native Android screenshot tests passed. Native Android coverage
Benchmark ResultsDetailed Performance Metrics
|
Contributor
Cloudflare Preview
|
Collaborator
Author
|
Compared 128 screenshots: 128 matched. |
- IOSNative.m: include com_codename1_impl_ios_IOSDeviceIntegrity.h so the App Attest native callbacks are declared (fixes the undeclared-function error that broke all iOS/mac/packaging builds). - DeviceIntegrity: make the class final and use foreach loops (PMD). - security.asciidoc: satisfy the Vale Microsoft style (contractions, "for example" instead of "e.g.", drop the flagged adverb, backtick `su`). - languagetool-accept.txt: accept the new security/RASP vocabulary (RASP, MTD, RootBeer, Magisk, Cydia, MobileSubstrate, FridaGadget, dylibs, Zimperium, Promon, DeviceCheck). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Compared 133 screenshots: 133 matched. |
Collaborator
Author
|
Compared 211 screenshots: 211 matched. |
Core src is checkstyle-gated (WhitespaceAfter); use 'if ('/'for (' to match
house style. Verified 0 violations locally with checkstyle 9.3 + the project
config.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Compared 135 screenshots: 135 matched. Benchmark Results
Build and Run Timing
Detailed Performance Metrics
|
8.0 is not a released tag (the line is at 8.0.83) and the markdown '#### Since' form carries no @SInCE token, so check-since-tags never validated it. New classes (e.g. Biometrics) omit the since marker; do the same rather than invent a version.
Collaborator
Author
|
Compared 134 screenshots: 134 matched. Benchmark Results
Detailed Performance Metrics
|
Contributor
✅ Continuous Quality ReportTest & Coverage
Static Analysis
Generated automatically by the PR CI workflow. |
Collaborator
Author
|
Compared 131 screenshots: 131 matched. Benchmark Results
Build and Run Timing
Detailed Performance Metrics
|
OrientationLockScreenshotTest waited only 2.5s for the simulator to rotate to landscape, then captured whatever orientation it was in. On starved CI runners the rotation+layout takes longer, so it snapped the still-portrait frame and labelled it 'landscape' -> guaranteed mismatch vs the landscape reference. This is the ~50% 'landscape' flake seen on master's build-ios / build-ios-metal jobs (e.g. CN1SS warned the landscape capture was a duplicate of the portrait/DesktopMode image). Raise the orientation poll budget from 2.5s to 8s (still well under the 30s native test timeout) so the capture waits for the rotation to actually land. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Compared 134 screenshots: 134 matched. |
Collaborator
Author
|
Compared 134 screenshots: 134 matched. |
Collaborator
Author
|
Compared 132 screenshots: 132 matched. Benchmark ResultsDetailed Performance Metrics
|
The web-map test waited a fixed 8s for the Google Maps JS to load tiles before capturing. On a starved CI runner (88s simulator boot, 450s suite execution) the live map had not painted a single tile in 8s, so the test captured a blank grey page -> ~66% mismatch vs the baseline (well past the 35% live-noise tolerance), which the test correctly rejects as a blank map. build-ios-metal got a healthier runner and the same test passed. Raise the pre-capture load wait from 8s to 22s (still under the 30s native test timeout) so slow runners have time to actually render the map. Same class of capture-before-async-content-ready flake as the landscape fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
shai-almog
added a commit
that referenced
this pull request
Jun 26, 2026
…s, integrity) (#5289) * Blog: weekly release series (analytics, maps, TV, editors, integrity) Adds the weekly release blog series for the 2026-06-26 cycle: a parent roundup framed around funding open source without the "bait and switch" (GPL+CE + optional SPI-backed paid services), plus five feature follow-ups. Posts (docs/website/content/blog): - funding-open-source-without-the-bait-and-switch (parent, Fri) - vector-and-native-maps (Sat) - PR #5264 - rich-text-and-code-editing (Sun) - PR #5272 - privacy-first-analytics (Mon) - PR #5266 - apple-tv-and-android-tv (Tue) - PR #5261 - device-integrity-and-app-review (Wed) - PRs #5277 / #5268 Thursday's Game Builder tutorial 2 already exists and is linked. Each post carries a generated hero image, real in-body screenshots (maps, editors, app-review widget, a 4K Apple TV ChatView render) and/or a mermaid diagram. All code samples were verified against the merged source APIs (MapView/MapStyle, the Analytics SPI + consent gate, CodeEditor/RichTextArea, DeviceIntegrity, AppReview) and the CSS uses the real @media device-tv / device-watch syntax. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Blog: fix prose-gate findings (accept-list, vocab, typography, sentence starts) Resolve the 30 net-new blog-prose-gate findings: - LanguageTool accept-list: leanback, Classpath, relicense, forkable, kotlin, dogfood - Vale CodenameOne vocab: facade (suppresses proselint.Diacritical) - mermaid node labels read as prose, so Analytics.event(...) -> event() - reword four parent sentences that began with a {{< post-link >}} shortcode (stripped before lint -> lowercase sentence start) - Oxford comma, 320x180 -> 320x180 (x sign), 'and so on' -> 'among others', 'to snapshot' reworded Vale runs clean (0 findings) locally on all six posts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Blog: revise series per review feedback Parent: fix the 'every service ships behind an SPI' claim (services are optional, we win on integration depth, e.g. crash protection via the build servers); correct the 'We Will Not Sabotage Your Code' callback (weeks, not years); drop 'genuinely/honest'; note analytics is included down to the basic tier with data retention as the gate; non-Google-Play maps differentiator; banking-customer hardening for DeviceIntegrity; respectful TeaVM/JS-port wording, drop undocumented 'local-javascript', JS port now aligned and in final production-ready stages; 'feature deep-dives' instead of links 'going live'; comments-below for feedback. Analytics: add the first-party backend section with two console screenshots (Overview KPIs, Events, Segments, User flow, Goals, Reports), built-in purchase events and goals; drop 'honest'. Maps: de-cringe opener, stop overstating peer z-order, refocus on vendor lock-in without deriding native maps, native-Mac screenshot attribution, 'code still works', drop the iOS-sim validation line, 'The tradeoff'. Editors: remove the iOS transparent-webview anecdote and 'We did run the thing'. TV: remove the TVOS_PORT.md guards aside. Device: trim the guarantee sentence, drop the 'I promised' opener. Vale runs clean (0 findings) locally on all six posts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a portable device-integrity / runtime self-protection (RASP) API plus build hints, implemented in the core framework — no cn1lib, no customer native interfaces. Built for high-security apps (banking/payments) that need to detect and react to a hostile runtime.
New facade
com.codename1.security.DeviceIntegrity:android.playIntegrity(+.verifyUrl)requestIntegrityToken(nonce)ios.appAttest(+.environment)android.rootCheck/android.fridaDetection/ios.detectJailbreakisDeviceCompromised()/getCompromiseReasons()android.accessibilityGuard(+.allow, +.mode)getEnabledAccessibilityServices(),hasUntrustedAccessibilityService(...),setSecureScreen(bool)Design
Display, defaulting to unsupported inCodenameOneImplementation; overridden in the Android and iOS ports (mirrors the existingisJailbrokenDevice()chain).DCAppAttestService, native code gated behindCN1_USE_APP_ATTEST(stub#elseso non-attest builds neither import nor linkDeviceCheck.framework); async result returns via DCE-guarded static callbacks, theIOSBiometricspattern.Scope
DeviceIntegrityTest(6 tests) covering the accessibility allow-list evaluationVerification
Core, local builders, Android port, and iOS-port Java all compile (JDK 8 core / JDK 17 Android);
DeviceIntegrityTestpasses (6/6).🤖 Generated with Claude Code