I am resolving some security defects for my app.
The defects are:
- Should not allow the release app to be run in an emulator
- Release app should not be debuggable
- Should not connect to a debugger
- Release app should be installed from the Play Store, not from any other source
- And app signature verification
Code 1)
    private static boolean isEmulator() {
        try {
            // System properties that are typically set on emulator images
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean emu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
            if (emu || goldfish || sdk) {
                return true;
            }
        } catch (Exception e) {
            // A property could not be read: fall through and report "not an emulator"
        }
        return false;
    }
Code 2)
    public static boolean isDebuggable(Context context) {
        if (IdscProperties.getIsDebug()) {
            return true;
        }
        if (isDebuggableEnabled(context) || detectDebugger() || detectThreadCpuTimeNanos()) {
            return true;
        }
        return false;
    }

    private static boolean isDebuggableEnabled(Context context) {
        return (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
Code 3)
    private static boolean detectDebugger() {
        return Debug.isDebuggerConnected();
    }
Code 4)
    private static boolean isInstallerPlayStore(Context context) {
        final String installer = context.getPackageManager().getInstallerPackageName(context.getPackageName());
        return installer != null && installer.startsWith(PLAY_STORE_APP_ID);
    }
Code 5)
    private static boolean isAppSignatureMatches(Context context) {
        String signature = PackageVerifier.getCertificateHash(context, context.getPackageName());
        return SIGNATURE.equals(signature);
    }
So, my aim is to not allow these checks in debug builds.
We could create a flag in some prop file, read it when these checks happen, and disallow the function execution.
But the flag could be modified by a hacker, who would re-pack the APK to disallow these checks.
My expectation is to allow these checks in release builds and not in debug builds, without any modifiable flag checks.
Before you start on this path, I want to make sure that you realize 2 things:
So, knowing this, if your aim is to prevent piracy, you also need to realize that anything you do will only add some extra steps for the attacker to go through. But if someone really wants to do it, it will not stop them.
If you still want advice on how to implement this, let me know.
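
One way to get the release-only behaviour asked about above without a flag stored in a file, shown as an added example that is not code from the question or the answer: gate the check on the build-generated `BuildConfig.DEBUG` constant and compare the SHA-256 of the signing certificate against a pinned value. The class name `ReleaseGuards`, the method names and the `EXPECTED_CERT_SHA256` placeholder are hypothetical, and the sketch assumes an app module whose build generates `BuildConfig`.

```java
// Added example; assumes this class sits in the app module's package, where the
// Android Gradle plugin generates BuildConfig (buildConfig generation enabled).
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class ReleaseGuards {
    // Placeholder: lowercase hex SHA-256 of the release signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-hex>";

    private ReleaseGuards() {}

    /** Returns true when a release build is not signed with the expected certificate. */
    public static boolean failsSignatureCheck(Context context) {
        // BuildConfig.DEBUG is fixed when the APK is compiled, not read from a
        // properties file at run time, so there is no external flag to edit.
        if (BuildConfig.DEBUG) {
            return false; // debug builds skip the check
        }
        try {
            return !signedWithExpectedCert(context);
        } catch (Exception e) {
            return true; // fail closed if the signature cannot be read
        }
    }

    private static boolean signedWithExpectedCert(Context context) throws Exception {
        // GET_SIGNATURES is deprecated from API 28; GET_SIGNING_CERTIFICATES replaces it.
        PackageInfo info = context.getPackageManager()
                .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
        byte[] expected = EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
        for (Signature sig : info.signatures) {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            byte[] actual = hex.toString().getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, actual)) {
                return true;
            }
        }
        return false;
    }
}
```

As the answer points out, a repackaged APK can still have the check itself patched out, so this only removes the editable flag from the picture.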