App Presence Detection

Some mobile applications, although legitimate and with valid use cases of their own, pose a great danger to banking and fintech applications. Such apps are often used to scam users and perform financial fraud.

An important category of these apps is so-called “remote desktop apps”. These apps allow remote access to and control of mobile devices. Unfortunately, they have recently become a vital part of many fraudulent attacks.

Malwarelytics for Apple is able to detect some unwanted remote desktop apps.

Configuration

Configuration of this feature is more complex than other detections. It consists of two parts:

  1. Configuration of query URL schemes in the application’s Info.plist.
  2. Configuration of appPresence in AppProtectionRaspConfig.

Every app that should be detected has to be added in both places. This also means that the list of detected apps is limited by the compile-time configuration of the Info.plist file.

Configuration of Query URL Schemes

Query URL schemes have to be configured in the application’s Info.plist. A query scheme of each app has to be added as an item in the “Queried URL Schemes” key.

The step-by-step process is:

  1. Open the Xcode project.
  2. In the Project Navigator, find the app’s Info.plist file and open it.
  3. Click the “+” button in the top-right corner of the Info.plist editor.
  4. In the new row, set the key to “Queried URL Schemes”.
  5. Click the arrow next to “Queried URL Schemes” to expand it.
  6. Click the “+” button next to “Queried URL Schemes” and add the URL scheme for the app you want to detect.
  7. Save the changes.

Some of the frequently used remote desktop apps, together with their URL schemes, can be found in the SDK in the KnownApps struct.

App Presence Configuration in AppProtectionRaspConfig

Configuration of the detection in AppProtectionRaspConfig is similar to other RASP features:

let raspConfig = AppProtectionRaspConfig(
    appPresence: AppPresenceDetectionConfig
    // configuration of other RASP features
)

Available values of DetectionConfig:

Value Description
.manual(apps: [DetectableApp]) indicates that app presence will not be automatically detected. A manual check is still possible.
.notify(apps: [DetectableApp]) indicates that app presence will be automatically detected and the delegates will be notified via the installedAppsChanged([DetectableApp]) method.

The app presence detection defaults to .manual([]).

List of available parameters for some config values:

Parameter Description
apps: [DetectableApp] defines the list of detectable apps.

Detectable App Configuration

A detectable app is defined by several properties:

Property Description
deeplinkProtocols: [String] specifies deep links defined for the app.
name: String specifies the name of the application. The name can be chosen at will and does not need to match the name in the App Store or the name of the installed app.
category: Category specifies category of the application. Currently only .remoteDesktop is available.
tag: String? specifies any additional information that should be passed to the remote server.
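
Because every detected app has to be listed in both places, a scheme that is passed in deeplinkProtocols but missing from Info.plist is not detected. The following Swift code is an added example, not part of the SDK or of the original page: it compares configured schemes with the raw Info.plist key LSApplicationQueriesSchemes (shown in Xcode as “Queried URL Schemes”). The function names, the placeholder schemes and the normalization of values such as "scheme://" are assumptions.

```swift
import Foundation

/// Reduces "ExampleRemote://" or "exampleremote" to the bare lowercase scheme.
/// URL schemes are case-insensitive, so the comparison is done in lowercase.
/// Assumption: configured values may or may not carry a trailing "://".
func normalizedScheme(_ raw: String) -> String {
    let scheme = raw.split(separator: ":", maxSplits: 1,
                           omittingEmptySubsequences: false).first ?? ""
    return scheme.trimmingCharacters(in: .whitespaces).lowercased()
}

/// Returns the configured schemes that have no matching Info.plist entry,
/// in configuration order and without duplicates.
func undeclaredSchemes(configured: [String], declared: [String]) -> [String] {
    let declaredSet = Set(declared.map(normalizedScheme))
    var seen = Set<String>()
    return configured.map(normalizedScheme).filter { scheme in
        !scheme.isEmpty && !declaredSet.contains(scheme) && seen.insert(scheme).inserted
    }
}

/// Reads the raw key behind Xcode's "Queried URL Schemes" row.
func declaredQuerySchemes(in bundle: Bundle = .main) -> [String] {
    bundle.object(forInfoDictionaryKey: "LSApplicationQueriesSchemes") as? [String] ?? []
}

// Constructed sample data: placeholder schemes, not taken from KnownApps.
let configured = ["exampleremote://", "ExampleAssist", "examplesupport"]
let declared = ["exampleremote", "exampleassist"]  // in the app: declaredQuerySchemes()

let missing = undeclaredSchemes(configured: configured, declared: declared)
if !missing.isEmpty {
    // Here "examplesupport" is configured for detection but not declared.
    print("Not declared in Info.plist, will not be detected: \(missing)")
}
```

In the app, pass apps.flatMap { $0.deeplinkProtocols } as the configured list and run the check in a debug build or a unit test. For apps linked against the iOS 15 SDK or later, iOS accepts at most 50 entries under LSApplicationQueriesSchemes, which caps the number of schemes that can be queried.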

Usage

After service creation, the app presence detection feature can be accessed via AppProtectionRasp. This can be used to add a delegate or to trigger a manual app presence detection check.

Observing Detection

The app presence detection can trigger a certain action. To achieve that, a delegate needs to be added.

Delegate configuration:

class RaspDelegate: AppProtectionRaspDelegate {

    // other delegate code

    func installedAppsChanged(installedApps: [DetectableApp]) {
        // handle app presence detection
    }
}

The delegate can be added in AppProtectionRasp. When it is no longer needed, it can be removed again.

let raspDelegate = RaspDelegate()
appProtection.rasp.addDelegate(raspDelegate)
appProtection.rasp.removeDelegate(raspDelegate)

Triggering a Manual Check

The app presence detection check can be triggered manually in AppProtectionRasp by reading the installedApps property. The property returns [DetectableApp].

let installedApps = appProtection.rasp.installedApps

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Apr 11, 2024 (08:13)

3.0.x

Malwarelytics for Apple