Migration Guide to Version 1.0.x

Malwarelytics for Android version 1.0.0 introduces a new format of RaspConfig. Updating from a previous version requires refactoring the whole RASP configuration.

The change was introduced to remove unnecessary confusion in the range of possible configurations for each runtime protection feature. Also, the ever-growing list of RASP configuration items made it difficult to find all the available options for a feature. The new configuration better reflects all possible behaviors of each feature.

The new format of RaspConfig groups all config items of each runtime feature together into a configuration group. All RASP configuration groups are either value-based or builder-based.

Value-Based Config Groups

Value-based config groups are constructed with a sealed class like DetectionConfig. The configuration item expects exactly one value. The value is either an object (e.g. the value NoAction, indicating that the feature is turned off) or a data class with extra arguments (e.g. the value Exit(exitUrl: String?), indicating that the app will be terminated and, optionally, that the given URL will be opened). See the example in Value-Based Configuration Group.

Builder-Based Config Groups

Builder-based config groups are complex configuration groups such as RaspConfig itself. These groups have Builder classes allowing configuration of all behavioral aspects. Each of these config groups has an item named action which determines the primary behavior of the feature. The action item is a value-based config group itself. See the example in Builder-Based Configuration Group.

Summary of RASP Config Groups

Config Group                               Type
emulator(DetectionConfig)                  value-based
root(RootDetectionConfig)                  value-based
debugger(DebuggerDetectionConfig)          builder-based
repackage(RepackageDetectionConfig)        builder-based
screenSharing(DetectionConfig)             value-based
screenshot(BlockConfig)                    value-based
screenReader(ScreenReaderBlockConfig)      builder-based
processName(ProcessNameConfig)             value-based
tapjacking(TapjackingBlockConfig)          builder-based
httpProxy(DetectionConfig)                 value-based
vpn(DetectionConfig)                       value-based
adb(AdbDetectionConfig)                    value-based
activeCall(SimpleDetectionConfig)          value-based
appPresence(AppPresenceDetectionConfig)    builder-based

Value-Based Configuration Group

An example of a value-based configuration item is emulator configuration.

Previously the feature was configured with three items:

raspConfigBuilder
    .checkEmulator(Boolean)
    .exitOnEmulator(Boolean)
    .exitOnEmulatorUrl(String)

It was refactored into a value-based configuration item:

raspConfigBuilder
    .emulator(DetectionConfig)

Available values of DetectionConfig:

Value                     Description
NoAction                  indicates that emulators will not be automatically detected. A manual check is still possible.
Notify                    indicates that emulators will be automatically detected and observers will be notified.
Exit(exitUrl: String?)    indicates that emulators will be automatically detected and the app will be terminated when an emulator is detected.

Builder-Based Configuration Group

An example of a builder-based configuration item is tapjacking configuration.

Previously the feature was configured with four items:

raspConfigBuilder
    .blockTapjacking(Boolean)
    .ignoreTapjackingSystemApps(Boolean)
    .blockTapjackingSensitivity(ThreatIndex)
    .allowedTapjackingApps(Collection<RaspConfig.ApkAllowlistItem>)

It was refactored into a builder-based configuration item:

raspConfigBuilder
    .tapjacking(
        TapjackingBlockConfig.Builder()
            .action(BlockConfig)
            .ignoreTapjackingSystemApps(Boolean)
            .blockTapjackingSensitivity(ThreatIndex)
            .allowedTapjackingApps(Collection<RaspConfig.ApkAllowlistItem>)
            .build()
    )

Method / Description

action(BlockConfig)
    Specifies the automatic behavior of the tapjacking protection feature. Defaults to BlockConfig.Block. However, tapjacking is not blocked unless a "problematic" app is installed on the device. An app is deemed "problematic" when it meets the sensitivity criteria defined by blockTapjackingSensitivity.

ignoreTapjackingSystemApps(Boolean)
    Indicates whether tapjacking protection should ignore system apps in the checks. Defaults to false. If set to true, all system apps are ignored and tapjacking is blocked only if a non-system "problematic" app is present.

blockTapjackingSensitivity(ThreatIndex)
    Defines the tapjacking protection sensitivity. Defaults to ThreatIndex.HIGHLY_DANGEROUS.

allowedTapjackingApps(Collection<RaspConfig.ApkAllowlistItem>)
    Defines a collection of allowed apps that are capable of tapjacking. It is empty by default.

Available values of BlockConfig:

Value       Description
NoAction    indicates that tapjacking will not be automatically blocked. A manual check for tapjacking apps is still possible.
Block       indicates that tapjacking will be automatically blocked.
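The two examples above side by side, as an added Kotlin illustration that is not code from the Malwarelytics guide or SDK. It shows the 0.24.0 flat items for emulator detection and tapjacking protection, the equivalent 1.0.0 grouped items, and a small helper that maps the three legacy emulator booleans onto a single DetectionConfig value. Assumptions not stated on this page: the RaspConfig builder is instantiated as RaspConfig.Builder() (the guide only calls it raspConfigBuilder), the DetectionConfig and BlockConfig values are nested in their sealed classes (as BlockConfig.Block in the guide suggests), imports are omitted because package names are not given here, the URL is a placeholder, and the allowlist is left empty because the guide does not show how an ApkAllowlistItem is constructed.

```kotlin
// Added migration example; not part of the Malwarelytics documentation or SDK.
// Imports omitted: the SDK package names are not given on this page.

/**
 * Maps the three 0.24.0 emulator items onto the single 1.0.0 DetectionConfig value.
 * Assumed mapping (derived from the value descriptions above):
 *   checkEmulator = false                      -> NoAction (no automatic detection)
 *   checkEmulator = true,  exitOnEmulator = false -> Notify   (detect, notify observers)
 *   checkEmulator = true,  exitOnEmulator = true  -> Exit     (detect, terminate, open URL)
 * exitOnEmulator without checkEmulator had no effect in the flat model, so it maps to NoAction.
 */
fun legacyEmulatorToDetectionConfig(
    checkEmulator: Boolean,
    exitOnEmulator: Boolean,
    exitOnEmulatorUrl: String?
): DetectionConfig = when {
    !checkEmulator -> DetectionConfig.NoAction
    exitOnEmulator -> DetectionConfig.Exit(exitUrl = exitOnEmulatorUrl)
    else -> DetectionConfig.Notify
}

// --- version 0.24.0: one behaviour spread over several flat items ---
val legacyRaspConfig = RaspConfig.Builder()          // assumed builder entry point
    .checkEmulator(true)
    .exitOnEmulator(true)
    .exitOnEmulatorUrl("https://example.invalid/blocked")   // placeholder URL
    .blockTapjacking(true)
    .ignoreTapjackingSystemApps(false)
    .blockTapjackingSensitivity(ThreatIndex.HIGHLY_DANGEROUS)
    .allowedTapjackingApps(emptyList())
    .build()

// --- version 1.0.0: the same settings as grouped config items ---
val raspConfig = RaspConfig.Builder()                // assumed builder entry point
    // checkEmulator + exitOnEmulator + exitOnEmulatorUrl collapse into one value
    .emulator(
        legacyEmulatorToDetectionConfig(
            checkEmulator = true,
            exitOnEmulator = true,
            exitOnEmulatorUrl = "https://example.invalid/blocked"   // placeholder URL
        )
    )
    // blockTapjacking(true) becomes the action item of the tapjacking group;
    // the remaining three items keep their names inside the group builder
    .tapjacking(
        TapjackingBlockConfig.Builder()
            .action(BlockConfig.Block)
            .ignoreTapjackingSystemApps(false)
            .blockTapjackingSensitivity(ThreatIndex.HIGHLY_DANGEROUS)
            .allowedTapjackingApps(emptyList())
            .build()
    )
    .build()
```

The helper is the useful part when migrating a large config: every value-based group with check/exit/exitUrl items (root, debugger, screen sharing, HTTP proxy, VPN) follows the same three-way split, so the same decision table applies, with the group-specific value type substituted for DetectionConfig where the summary table lists a different one.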

Config Item Replacements

Here is the mapping of the RaspConfig items from version 0.24.0 to the new items in version 1.0.0.

Config items grouped by feature in version 0.24.0                  Config item in version 1.0.0

checkEmulator(Boolean)                                             emulator(DetectionConfig)
exitOnEmulator(Boolean)
exitOnEmulatorUrl(String)

checkRoot(Boolean)                                                 root(RootDetectionConfig)
exitOnRoot(Boolean)
exitOnRootUrl(String)
exitOnRootMinConfidence(Float)

checkDebugger(Boolean)                                             debugger(DebuggerDetectionConfig)
exitOnDebugger(Boolean)
exitOnDebuggerUrl(String)

checkRepackaging(Boolean)                                          repackage(RepackageDetectionConfig)
exitOnRepackaging(Boolean)
exitOnRepackagingUrl(String)
signatureHash(String)

checkScreenSharing(Boolean)                                        screenSharing(DetectionConfig)
exitOnScreenSharing(Boolean)
exitOnScreenSharingUrl(String)

blockScreenshots(Boolean)                                          screenshot(BlockConfig)

blockScreenReaders(Boolean)                                        screenReader(ScreenReaderBlockConfig)
allowedScreenReaders(Collection<RaspConfig.ApkAllowlistItem>)

customProcessName(String)                                          processName(ProcessNameConfig)
useStealthyProcessName(Boolean)

blockTapjacking(Boolean)                                           tapjacking(TapjackingBlockConfig)
ignoreTapjackingSystemApps(Boolean)
blockTapjackingSensitivity(ThreatIndex)
allowedTapjackingApps(Collection<RaspConfig.ApkAllowlistItem>)

checkHttpProxy(Boolean)                                            httpProxy(DetectionConfig)
exitOnHttpProxy(Boolean)
exitOnHttpProxyUrl(String)

checkVpn(Boolean)                                                  vpn(DetectionConfig)
exitOnVpn(Boolean)
exitOnVpnUrl(String)

exitOnAdbEnabled(Boolean)                                          adb(AdbDetectionConfig)
exitOnAdbEnabledUrl(String)

checkActiveCall(Boolean)                                           activeCall(SimpleDetectionConfig)

N/A (new in 1.0.0)                                                 appPresence(AppPresenceDetectionConfig)

Each RASP feature has a dedicated documentation page where you can find more details about its configuration.

Last updated on Apr 11, 2024 (11:36)