Element Android — Advanced Security Research Fork

This repository is a research-focused fork of the official Element Android app. It explores how advanced runtime protections and obfuscation can be integrated into a large, production-grade Android codebase.

Disclaimer: This is not the official Element Android repository and is intended for research and testing only. For the official client, see element-hq/element-android.

What’s included in this fork:

• raspmodule (RASP SDK): runtime detection and responses for debuggers, root, emulators, tampering, and hooking.
• obfuscationlib (Obfuscation Library): layered static/dynamic obfuscation and data-protection utilities that complement R8.

Custom Security Modules

1) RASP SDK (raspmodule)

Purpose: resist runtime analysis and reverse engineering.

Highlights:

• Debugger Detection: Detects attached debuggers (Java/JDWP, Native/Ptrace) and TracerPid status.
• Root Detection: Scans for su binaries, root-management apps (Magisk), and insecure system properties.
• Emulator Detection: Identifies virtual environments by checking hardware properties and QEMU artifacts.
• Tamper Detection: Verifies APK signature and DEX file integrity (checksums).
• Hook Detection: Scans for artifacts from common hooking frameworks (Frida, Xposed).
• Native C++ Implementation: Core checks are implemented in native code for performance and resilience.

Documentation: raspmodule/README.md

2) Obfuscation Library (obfuscationlib)

Purpose: provide layered obfuscation and data protection on top of R8.

Highlights:

• Static Code Obfuscation: Applies aggressive Identifier Renaming, Control-Flow Flattening (CFF), and Instruction Substitution.
• Data Protection: Implements multi-layer String Encryption for sensitive constants.
• Dynamic Loading: Prepares the app by encrypting main DEX files, which are then loaded at runtime by a stub.
• Native Code Obfuscation: Includes tools for Native Symbol Stripping and CFF.

Documentation: obfuscationlib/README.md

Build and Integration

Security modules are wired into the Gradle build. Behavior differs by build type:

• aggressiveRelease Builds: Enable full RASP protections and all custom obfuscation passes, working in tandem with R8 minification.
• debug Builds: Disable all security features to allow for standard development and debugging workflows.

Project Status & Objectives

This fork is a proof‑of‑concept to validate multi‑layer security within a complex Android app.

Primary goals:

• Validating Integration: Testing the feasibility of integrating native (C++) security components and custom obfuscation rules into the Element codebase.
• Testing Efficacy: Assessing the effectiveness of a multi-layered security approach (combining RASP, dynamic loading, and static obfuscation).
• Creating Reusable Modules: Developing the RASP SDK and Obfuscation Library as standalone modules that can be adapted for other projects.
• Build Optimization: Successfully compiling for multiple architectures (ARM64, ARMv7, x86, x86_64) while ensuring R8 minification and security rules work in sync.

Element Android

Element Classic Android is a previous-generation Matrix client provided by Element. The app can be run on every Android devices with Android OS Lollipop and more (API 21). This client is still supported and receives security updates but no new features or usability enhancements are made. It is recommended to use Element X that is the next-generation mobile app.

Build of develop branch: Nightly test status:

New Android SDK

Element is based on a new Android SDK fully written in Kotlin (like Element). In order to make the early development as fast as possible, Element and the new SDK currently share the same git repository.

At each Element release, the SDK module is copied to a dedicated repository: https://github.com/matrix-org/matrix-android-sdk2. That way, third party apps can add a regular gradle dependency to use it. So more details on how to do that here: https://github.com/matrix-org/matrix-android-sdk2.

Roadmap

The version 1.0.0 of Element still misses some features which was previously included in Riot-Android. The team will work to add them on a regular basis.

Releases to app stores

There is some delay between when a release is created and when it appears in the app stores (Google Play Store and F-Droid). Here are some of the reasons:

• Not all versioned releases that appear on GitHub are considered stable. Each release is first considered beta: this continues for at least two days. If the release is stable (no serious issues or crashes are reported), then it is released as a production release in Google Play Store, and a request is sent to F-Droid too.
• Each release on the Google Play Store undergoes review by Google before it comes out. This can take an unpredictable amount of time. In some cases it has taken several weeks.
• In order for F-Droid to guarantee that the app you receive exactly matches the public source code, they build releases themselves. When a release is considered stable, Element staff inform the F-Droid maintainers and it is added to the build queue. Depending on the load on F-Droid's infrastructure, it can take some time for releases to be built. This always takes at least 24 hours, and can take several days.

If you would like to receive releases more quickly (bearing in mind that they may not be stable) you have a number of options:

1. Sign up to receive beta releases via the Google Play Store.
2. Install a release APK directly - download the relevant .apk file and allow installing from untrusted sources in your device settings. Note: these releases are the Google Play version, which depend on some Google services. If you prefer to avoid that, try the latest dev builds, and choose the F-Droid version.
3. If you're really brave, install the very latest dev build - pick a build, then click on Summary to download the APKs from there: vector-Fdroid-debug and vector-Gplay-debug contains the APK for the desired store. Each file contains 5 APKs. 4 APKs for every supported specific architecture of device. In doubt you can install the universal APK.

Contributing

Please refer to CONTRIBUTING.md if you want to contribute on Matrix Android projects!

Come chat with the community in the dedicated Matrix room.

Also this documentation can hopefully help developers to start working on the project.

Triaging issues

Issues are triaged by community members and the Android App Team, following the triage process.

We use issue labels to sort all incoming issues.

Copyright and License

Copyright (c) 2018 - 2025 New Vector Ltd

This software is dual licensed by New Vector Ltd (Element). It can be used either:

(1) for free under the terms of the GNU Affero General Public License (as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version); OR

(2) under the terms of a paid-for Element Commercial License agreement between you and Element (the terms of which may vary depending on what you and Element have agreed to).

Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.