Debugger Detection

Detecting that a debugger is attached to a production app is a key RASP feature. Attaching a debugger to an app should only be possible in the development phase and should never occur with a production app. A debugger attached to a production app is a clear sign of malicious tampering.

Malwarelytics for Android is able to detect that a debugger has been attached to the app and can be configured to terminate the app in such cases.

Configuration

This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    .debugger(
        DebuggerDetectionConfig.Builder()
            .action(DetectionConfig)
            .debuggerTypes(Collection<DebuggerType>)
            .build()
    )
    // configuration of other RASP features
    .build()
Method Description
action(DetectionConfig) specifies the automatic behavior of the debugger detection feature. Defaults to DetectionConfig.Notify.
debuggerTypes(Collection<DebuggerType>) indicates types of debuggers that will be detected. Defaults to DebuggerType.values().toList(). Debugger types are JAVA and NATIVE.

Available values of DetectionConfig:

Value Description
NoAction indicates that debuggers will not be automatically detected. A manual check is still possible.
Notify indicates that debuggers will be automatically detected and observers will be notified.
Exit(
exitUrl:String?)
indicates that debuggers will be automatically detected, and the app will be terminated when a debugger is automatically detected.

List of available parameters for some config values:

Parameter Description
exitUrl:String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to null.

Usage

After initialization, the debugger detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual debugger detection check.

Registering an Observer

Debugger detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    override fun onDebuggerDetected(debuggerDetected: Boolean) {
        // handle debugger detection
    }
    // handle detection of other RASP features
}

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.

raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)

Triggering a Manual Check

Debugger detection check can be triggered manually in RaspManager. Two methods are available – isDebuggerAttached() gives a simple boolean answer, whereas getDebuggerDetection() provides more details.

val debuggerDetection = raspManager.getDebuggerDetection()
val isDebuggerAttached = raspManager.isDebuggerAttached()

Troubleshooting

A common issue for debugger detection is a false positive of native debugger detection. This often happens when the app uses some other library/SDK that tries to protect against native debuggers. For example, various contactless payment SDKs do this.

To resolve the issue, we recommend turning off native debugger detection and keeping only Java debugger detection. Configuring debugger detection to detect only Java debugger is simple:

val config = AppProtectionConfig.Builder(appContext)
    .raspConfig(
        RaspConfig.Builder()
            .debugger(
                DebuggerDetectionConfig.Builder()
                    .action(DetectionConfig.Notify)          // use any action that is desired
                    .debuggerTypes(setOf(DebuggerType.JAVA)) // detect only Java debugger
                    .build()
            )
            // configuration of other RASP features
            .build()
    )
    // other configuration items
    .build()

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Nov 16, 2023 (08:44) View product
Search

1.2.x

Malwarelytics for Android