Add a handful of compiler options to harden code

src/monodroid/CMakeLists.txt

@@ -331,16 +331,37 @@ set(LOCAL_COMMON_COMPILER_ARGS
   -Werror=format-security
   -Werror=return-type
   -Wextra
-  -Wformat
   -Wformat-security
+  -Wformat=2
+  -Wimplicit-fallthrough
   -Wmisleading-indentation
   -Wnull-dereference
   -Wpointer-arith
   -Wshadow
   -Wsign-compare
+  -Wtrampolines
   -Wuninitialized
+  -fstack-clash-protection
+  -fstrict-flex-arrays=3
   )
 
+# Add some options to increase security. They may mildly affect performance but they won't be big, because the features are
+# assisted by the hardware.
+if((CMAKE_ANDROID_ARCH_ABI STREQUAL "x86") OR (CMAKE_ANDROID_ARCH_ABI STREQUAL "x86_64"))
+  # -fcf-protection=full: Enable control flow protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks on many x86 architectures
+  list(APPEND LOCAL_COMMON_COMPILER_ARGS
+    -fcf-protection=full
+  )
+endif()
+
+if(CMAKE_ANDROID_ARCH_ABI STREQUAL "arm64-v8a")
+  # -mbranch-protection=standard: Enable branch protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks on AArch64
+  # In clang -mbranch-protection=standard is equivalent to -mbranch-protection=bti+pac-ret and invokes the AArch64 Branch Target Identification (BTI) and Pointer Authentication using key A (pac-ret)
+  list(APPEND LOCAL_COMMON_COMPILER_ARGS
+    -mbranch-protection=standard
+  )
+endif()
+
 if(COMPILER_DIAG_COLOR)
   list(APPEND LOCAL_COMMON_COMPILER_ARGS
     -fdiagnostics-color=always