For apps that communicate with a server, there will be so called hardware attestation, like the API doesn't just return "true" but a signature which the server can validate. Keys for this are in the TEE/whatever secure element the phone has (and there's a $500K bounty for extracting secrets from the TEE).
For apps that don't, Google is currently developing a new obfuscation VM called pairip (that libpairipcore.so). This extracts some java code into a VM, so patching an app is not simply a matter of patching smali code - that VM employs many checksums on its memory.
For apps that don't, Google is currently developing a new obfuscation VM called pairip (that libpairipcore.so). This extracts some java code into a VM, so patching an app is not simply a matter of patching smali code - that VM employs many checksums on its memory.