Joseph James's Profile

Joseph James

Android Engineer

1:1 Session 60 min 100

Android App Security: RASP, Root & Virtualization Bypasses

About This Offer

This session is for engineers who want to go way beyond “is the device rooted?” dialogs and actually understand how modern attackers bypass Android app protections.

We’ll look at your app (or a target app) from a red-team / attacker mindset, and then translate that into practical hardening strategies.

Possible topics we can cover (we’ll prioritise based on your context):

  • RASP & Device Integrity

    • How commercial RASP / integrity SDKs (e.g. Keyless-style, Build38-style) work in practice
    • Why classic root checks fail against Magisk, Zygisk, Shamiko, APatch, KernelPatch-style modules
    • Scoring, thresholds, and how attackers game them
  • Virtualization & “Digital Mask” Attacks

    • Running the app inside a “clean bubble” while the real device is rooted
    • What your app and SDKs think they see vs what’s actually happening at OS / kernel level
    • Why Play Integrity + RASP is still not enough if you ignore this layer
  • Hooking, Inline Patching & Frida-Style Attacks

    • User-space hooking (Frida, LSPosed, Zygisk modules)
    • Kernel-level tricks and why they’re so hard to detect from user space
    • Practical ideas to make hooking and patching more expensive for the attacker
  • Camera & Sensor Injection

    • How camera injection attacks work in practice (video spoofing, replay)
    • Where in the stack frames can be intercepted or replaced
    • What’s realistically defendable at app level vs what isn’t
  • Defensive Design

    • Building layered checks instead of a single “root=true/false” decision
    • Telemetry ideas: what to log, how to detect suspicious patterns over time
    • How to talk to product and compliance about risk, not just features

This is not a 101 security intro. It’s ideal for:

  • Senior Android engineers, security engineers, or tech leads
  • Teams in fintech, identity verification, or other high-risk apps (banking, trading, KYC, etc.)

We will focus on what’s actually possible for an attacker today and how to respond pragmatically.
We also keep a strict line on legal and ethical use: this is about improving your security posture, not attacking others.

Session Details

60 minutes
Video call
Private 1-on-1
Available worldwide
