From here (https://developer.android.com/privacy-and-security/security-dex), you can see that Android has introduced a new feature that allows code to be run directly from within the APK using embedded dex.
I am curious though how this would be useful?
The guide says:
This option can help prevent an attack if an attacker ever managed to
tamper with the locally compiled code on the device."
My understanding is that when your APK is installed, it gets compiled and stored in the dalvik cache as an optimized dex file. The dalvik cache is only accessible by the system user so unless the phone is rooted, there is no way an attacker can get to it.
If the phone is rooted (and the attacker is running as root), then the embedded dex file can still be tampered with since the attacker can then just modify the apk and re-sign it with their own key.
Thanks!
Correct. By enabling this option you are forcing the system to run the dex code directly from the .apk file using a JIT compiler (Just like it was on dalvik before Android 4.4) instead of AOT (5+) or a combination of both (4.4-5). You cannot modify and run the dex code inside of an apk without re-signing it, and since you don't have the original signing key you would have to sign it with a different one. As an application developer you can implement code checking the apk signature and checksum and thus not allow running an apk that has been tampered with. What you have in dalvik cache on the other hand, are optimized versions of .dex files and precompiled .oat files which are not signed and thus having root privileges you can modify them.