RASP Feature Overview
RASP (runtime application self-protection) features protect the app against several attack vectors.
Currently, Malwarelytics for Apple covers the following problems:
- jailbroken devices
- attached debuggers
- application repackaging
- reverse engineering tools
- active HTTP proxy
- screen sharing
- screenshots
- system passcode status change
- system biometry configuration change
- VPN detection
- active call detection
Configuring Detections
RASP detections are configured via AppProtectionRaspConfig
and AppProtectionEventConfig
classes that are a part of the AppProtectionConfig
.
To configure RASP detections, use:
// Prepare the RASP feature configuration
let raspConfig = AppProtectionRaspConfig(
jailbreak: .exit("https://myurl.com/jalibreak-explained"), // exit on jailbroken phone
debugger: .block, // block debugger
reverseEngineeringTools: .notify, // let me know when user installed revers engineering tools
httpProxy: .notify, // notify me via delegate when http proxy is enabled
repackage:.exit([AppProtectionTrustedCert(withBase64EncodedString: "BASE_64_ENCODED_CERT")!], "https://myurl.com/repackage-explained"), // follow documentation how to obtain certificate string
screenCapture: .hide(), // will hide the app contents when screen is captured (for example shared via airplay),
vpnDetection: .notify, // notify me when VPN is connected or disconnected
callDetection: .notify // notify me when about active call
)
// Prepare the configuration for events
let eventConfig = AppProtectionEventConfig(
enableEventCollection: true, // enable event collection in general
enableAppLifecycleCollection: true, // track lifecycle events in the Malwarelytics console on the server
enableScreenshotTakenCollection: true // track screenshot events in the Malwarelytics console on the server
)
// Prepare a configuration for service
let config = AppProtectionConfig(
username: "$USERNAME", // username for the Malwarelytics service
password: "$PASSWORD", // password for the Malwarelytics service
signaturePublicKey: "$PUBKEY", // public key for the Malwarelytics service
clientIdentification: nil, // user identification (unique within your systems)
raspConfig: raspConfig,
eventsConfig: eventConfig,
customerGroupingConfig: nil // Configuration of customer grouping and naming in the web application.
)
Obtaining Detection Results
When Malwarelytics for Apple is initialized with certain configurations,
the RASP features can be accessed through AppProtectionRaspDelegate
or by proactively checking for status of a certain feature.
Observing RASP Detections
An observer can be registered in RaspManager
to notify the app about any RASP detection change.
// Set the delegate to existing `AppProtectionService` instance
// to obtain RASP callbacks
appProtection.rasp.addDelegate(self)
Delegate then receives the following callbacks:
func debuggerDetected() {
// react to debugger
}
func jailbreakDetected() {
// react to jailbreak
}
func repackageDetected() {
// react to repackage
}
func httpProxyEnabled() {
// react to http proxy enabled
}
func userScreenshotDetected() {
// react to user screenshot
}
func reverseEngineeringToolsDetected() {
// react to reverse engineering tools
}
func systemPasscodeConfigurationChanged(enabled: Bool) {
// react to system passcode change
}
func systemBiometryConfigurationChanged(enabled: Bool) {
// react to biometry configuration changed
}
func screenCapturedChanged(isCaptured: Bool) {
// react to screen capturing (casting to different device)
}
func vpnChanged(active: Bool) {
// react to VPN state changes
}
func onCallChanged(isOnCall: Bool) {
// react to call change
}
Triggering RASP Checks Manually
All the RASP checks can be triggered manually in RaspManager
. There are mostly two methods for the checks. One for simple boolean answer
and one for a more detailed information.
// root detection
let isJailbroken = appProtection.rasp.isJailbroken
// debugger
let isDebuggerConnected = appProtection.rasp.isDebuggerConnected
// repackaging
let isRepackaged = appProtection.rasp.isRepackaged
// screen sharing
let isScreenCaptured = appProtection.rasp.isScreenCaptured
// system passcode
let isSystemPasscodeEnabled = appProtection.rasp.isSystemPasscodeEnabled
// system biometry
let isSystemBiometryEnabled = appProtection.rasp.isSystemBiometryEnabled
// simulator build
let isEmulator = appProtection.rasp.isEmulator
// reverse engineering
let isReverseEngineeringToolsPresent = appProtection.rasp.isReverseEngineeringToolsPresent
// http proxy present
let isHttpProxyEnabled = appProtection.rasp.isHttpProxyEnabled
// VPN active
let isVpnActive = appProtection.rasp.isVpnActive
// on call
let isOnCall = appProtection.rasp.isOnCall