RASP Feature Overview

RASP (runtime application self-protection) features protect the app against several attack vectors.

Currently, Malwarelytics for Android covers the following problems:

  • rooted devices
  • emulators
  • attached debuggers
  • app repackaging
  • screen sharing
  • screenshots
  • usage of screen lock
  • Play Protect status

Configuring Detections

RASP detections are configured via RaspConfig that is a part of the AppProtectionConfig. The RASP feature is automatically turned on whenever an instance of RaspConfig is set in AppProtectionConfig.

By default, all RASP configurations are enabled. Only repackaging causes the app exit by default. Therefore it is necessary to set signatureHash for default configuration.

To configure RASP detections, use:

val config = AppProtectionConfig.Builder(appContext)
        .raspConfig(
            RaspConfig.Builder()
                // …
                .build()
        )
        // …
        .build()

The configuration in RaspConfig offers two basic settings for the RASP detections.

  1. Turning certain detections on or off.
  2. Automatically exiting the app when a certain problem is detected.

Available Detections

The RASP configuration contains the following detections:

val raspConfig = RaspConfig.Builder()
    .checkEmulator(Boolean)
    .exitOnEmulator(Boolean)
    .checkRoot(Boolean)
    .exitOnRoot(Boolean)
    .exitOnRootMinConfidence(Float) // value from 0.0 to 1.0
    .checkDebugger(Boolean)
    .exitOnDebugger(Boolean)
    .checkRepackaging(Boolean)
    .exitOnRepackaging(Boolean)
    .signatureHash(String)          // SHA-1 of signing certificate(s)
    .checkScreenSharing(Boolean)
    .exitOnScreenSharing(Boolean)
    .blockScreenshots(Boolean)
    .build()

The check* methods turn certain features on or off. The exit* methods cause app exit when the corresponding detection is triggered.

Obtaining Detection Results

When Malwarelytics for Android is initialized with certain configurations, the RASP features can be accessed through RaspManager. You can obtain the instance from AppProtection by calling:

val raspManager = appProtection.getRaspManager()

The RaspManager instance then offers to:

  • Register a RASP Observer
  • Trigger RASP Checks Manually

Observing RASP Detections

An observer can be registered in RaspManager to notify the app about any RASP detection.

val raspObserver = object: RaspObserver {
    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) {
        // handle emulator detection
    }

    override fun onRootDetected(rootDetection: RootDetection) {
        // handle root detection
    }

    override fun onDebuggerDetected(debuggerDetected: Boolean) {
        // handle debugger detection
    }

    override fun onRepackagingDetected(repackagingDetected: Boolean) {
        // handle repackaging detection
    }

    override fun onScreenSharingDetected(screenSharingDetected: Boolean) {
        // handle screen sharing detection
    }
}
raspManager.registerRaspObserver(raspObserver)

The observer can be unregistered when no longer necessary:

raspManager.unregisterRaspObserver(raspObserver)

The observer callbacks are always called on a background thread and before the app exit. However it is not guaranteed that any longer running work can be completed in the callback.

Any detections that are manually triggered via RaspManager are not propagated into the observer.

Triggering RASP Checks Manually

All the RASP checks can be triggered manually in RaspManager. There are mostly two methods for the checks. One for simple boolean answer and one for a more detailed information.

// root detection
val rootDetection = raspManager.getRootDetection()
val isRooted = raspManager.isDeviceRooted()

// emulator detection
val emulatorDetection = raspManager.getEmulatorDetection()
val isDeviceEmulator = raspManager.isDeviceEmulator()

// debugger
val debuggerDetection = raspManager.getDebuggerDetection()
val isDebuggerAttached = raspManager.isDebuggerAttached()

// repackaging
val isAppRepackaged = raspManager.isAppRepackaged()

// screen sharing
val screenSharingDetection = raspManager.getScreenSharingDetection()
val isScreenShared = raspManager.isScreenShared()

// screen lock usage
val isDeviceUsingScreenLock = raspManager.isDeviceUsingScreenLock()

// Play Protect status
val isPlayProtectEnabled = raspManager.isPlayProtectEnabled()
Last updated on May 05, 2021 (19:50) View product
Search

0.15.x

Malwarelytics for Android