App Presence Detection
Some mobile applications, although legitimate and with valid use cases of their own, pose a great danger to banking and fintech applications. Such apps are often used to scam users and perform financial fraud.
An important category of these apps is so-called “remote desktop apps”. These apps allow remote access and control of mobile devices. Unfortunately, they have recently become a vital part of many fraudulent attacks.
Malwarelytics for Apple is able to detect some unwanted remote desktop apps.
Configuration
Configuration of this feature is more complex than other detections. It consists of two parts:
- Configuration of query URL schemes in the application’s Info.plist.
- Configuration of appPresence in AppProtectionRaspConfig.
Every app that should be detected has to be added in both places. This also means that the list of detected apps is limited by the compile-time configuration of the Info.plist file.
Configuration of Query URL Schemes
Query URL schemes have to be configured in the application’s Info.plist. A query scheme of each app has to be added as an item in the “Queried URL Schemes” key.
The step-by-step process is:
- Open the Xcode project.
- In the Project Navigator, find the app’s Info.plist file and open it.
- Click the “+” button in the top-right corner of the Info.plist editor.
- In the new row, set the key to “Queried URL Schemes”.
- Click the arrow next to “Queried URL Schemes” to expand it.
- Click the “+” button next to “Queried URL Schemes” and add the URL scheme for the app you want to detect.
- Save the changes.
Some of the frequently used remote desktop apps, together with their URL schemes, can be found in the SDK in the KnownApps struct.
App Presence Configuration in AppProtectionRaspConfig
Configuration of the detection in AppProtectionRaspConfig is similar to other RASP features:
let raspConfig = AppProtectionRaspConfig(
    appPresence: AppPresenceDetectionConfig
    // configuration of other RASP features
)
Available values of DetectionConfig:
Value | Description |
---|---|
.manual(apps: [DetectableApp]) | indicates that app presence will not be automatically detected. A manual check is still possible. |
.notify(apps: [DetectableApp]) | indicates that app presence will be automatically detected and the delegates will be notified via the installedAppsChanged([DetectableApp]) method. |
The app presence detection defaults to .manual([]).
List of available parameters for some config values:
Parameter | Description |
---|---|
apps: [DetectableApp] | defines the list of detectable apps. |
Detectable App Configuration
A detectable app is defined by several properties:
Property | Description |
---|---|
deeplinkProtocols: [String] | specifies deep links defined for the app. |
name: String | specifies name of the application. The name can be chosen at will and does not need to reflect the name in the AppStore or of an installed app. |
category: Category | specifies category of the application. Currently only .remoteDesktop is available. |
tag: String? | specifies any additional information that should be passed to the remote server. |
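Because every detectable app has to be listed in both places, a build-time check can catch a scheme that is configured in code but missing from Info.plist. The following is an added example, not part of the SDK or the original documentation: it assumes the schemes from each app's deeplinkProtocols have been exported into a plain mapping, that a trailing "://" may be present on them, and it uses LSApplicationQueriesSchemes, the raw key behind “Queried URL Schemes”. App and scheme names in the sample are constructed.

```python
import plistlib

QUERY_KEY = "LSApplicationQueriesSchemes"  # raw key shown in Xcode as "Queried URL Schemes"
MAX_ENTRIES = 50  # iOS limit on this key for apps linked on or after iOS 15


def normalize(scheme: str) -> str:
    """Lower-case a scheme and drop a trailing ':' or '://' (assumed input variation)."""
    return scheme.strip().lower().split(":", 1)[0]


def check_schemes(plist_bytes: bytes, detectable_apps: dict[str, list[str]]) -> dict:
    """Compare the schemes declared in Info.plist with those the detection config uses."""
    info = plistlib.loads(plist_bytes)
    declared_raw = info.get(QUERY_KEY, [])
    declared = {normalize(s) for s in declared_raw}

    missing = {}        # app name -> schemes configured in code but not declared
    configured = set()  # every scheme used by the detection config
    for name, schemes in detectable_apps.items():
        wanted = {normalize(s) for s in schemes}
        configured |= wanted
        if wanted - declared:
            missing[name] = sorted(wanted - declared)

    return {
        "missing": missing,  # these apps cannot be detected at run time
        "unused": sorted(declared - configured),  # declared, possibly for other app features
        "over_limit": len(declared_raw) > MAX_ENTRIES,
    }


# Constructed sample input: an Info.plist fragment and a hypothetical export of the
# name -> deeplinkProtocols pairs used in AppProtectionRaspConfig.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSApplicationQueriesSchemes</key>
  <array><string>exampledesk</string><string>legacyview</string></array>
</dict></plist>"""

SAMPLE_APPS = {
    "Example Desk": ["exampledesk://"],
    "Example Remote": ["exremote", "exremote-control"],
}

if __name__ == "__main__":
    print(check_schemes(SAMPLE_PLIST, SAMPLE_APPS))
```

A non-empty "missing" result means the listed apps are configured in AppProtectionRaspConfig but will never be reported, so the build should fail on it.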
Usage
After service creation, the app presence detection feature can be accessed via AppProtectionRasp. This can be used to add a delegate or to trigger a manual app presence detection check.
Observing Detection
The app presence detection can trigger a certain action. To achieve that, a delegate needs to be added.
Delegate configuration:
class RaspDelegate: AppProtectionRaspDelegate {
    // other delegate code
    func installedAppsChanged(installedApps: [DetectableApp]) {
        // handle app presence detection
    }
}
The delegate can be added in AppProtectionRasp. When it is no longer needed, it can be removed again.
let raspDelegate = RaspDelegate()
appProtection.rasp.addDelegate(raspDelegate)
appProtection.rasp.removeDelegate(raspDelegate)
Triggering a Manual Check
The app presence detection check can be triggered manually in AppProtectionRasp by getting the installedApps property value. The property returns [DetectableApp].
let installedApps = appProtection.rasp.installedApps
More information on general RASP feature configuration and usage can be found in this overview.