Detecting Sandbox in Android App

We are using a technique found elsewhere in the Community to detect if our Android app is running Sandbox or production. The technique seems to be getting false positives on some devices/accounts.

Essentially it's checkin CloverAuth.AuthResult.baseUrl for if it contains "sandbox." Here is the code:

private static class FetchBaseURL extends AsyncTask<Void, Void, CloverAuth.AuthResult> {
    @Override
    protected CloverAuth.AuthResult doInBackground(Void... params) {
        try {
            return CloverAuth.authenticate(MyApplication.getApplicationInstance().getApplicationContext(), MyApplication.getApplicationInstance().getCloverAccount());
        } catch (OperationCanceledException e) {
            Logger.i("log_test", "Authentication cancelled");
        } catch (Exception e) {
            Logger.i("log_test", "Error retrieving authentication");
        }
        return null;
    }

    @Override
    protected void onPostExecute(CloverAuth.AuthResult result) {
        if (result != null) {
            if (result.baseUrl.contains(SANDBOX_STRING)) {
                Constant.WEB_URL = Constant.WEB_SANDBOX_URL;
            } else {
                Constant.WEB_URL = Constant.WEB_PRODUCTION_URL;
            }
        }
    }
}

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Jeffrey Blattman ♦♦ commented · Mar 05, 2020 at 11:26 PM

I false positive would mean that a production environment had "sandbox" in the base URL. I don't think that's likely.

What's the default value of WEB_URL? You should probably set it to something, or log an error if you get null back.

0 ·

Jacob Abrams ♦♦ Jeffrey Blattman ♦♦ commented · Mar 06, 2020 at 06:08 PM

What Jeff said is correct. Also please note that when the auth token is not available (expired and network is done for example) you may receive an error back and the baseUrl will be null, so please check for null just in case.

0 ·

question