I have an Android app and I'm saving highscores simply in Shared Preferences. On a rooted device, you can just edit the XML and modify the score. Because in next update I'm planning to add Google Play Leaderboards, I need to store them safely. Now, I'm just saving it and a salted hash of it. But there's one problem: It is possible to decompile it using decompileandroid.com easily and read the way how I'm salting it and reproduce the process afterwards.
I want to be able to sync highscores which were made offline. It's really simple app that is definitely supposed to be played in a bus or train.
Since the customer is in control of the device, and the game is played offline, it will always be tamperable. There is no storage on the device that root cannot access, and there is no way to fully obfuscate client side code so that the user can't reverse engineer it. Your options are to 1) change your design and require closer server-side integration to detect cheating, or 2) to attempt to make it more difficult by obfuscating the APK, and putting in bypassable protections like you have suggested with the integrity checking hash.