RASP Feature Overview

View product v3.1.x

RASP (runtime application self-protection) features protect the app against several attack vectors.

Currently, Malwarelytics for Apple covers the following problems:

Configuration

RASP detections are configured via AppProtectionRaspConfig and AppProtectionEventConfig classes that are a part of the AppProtectionConfig.

To configure RASP detections, use:

// Prepare the RASP feature configuration
let raspConfig = AppProtectionRaspConfig(
    jailbreak: .exit("https://myurl.com/jalibreak-explained"), // exit on jailbroken phone
    debugger: .block, // block debugger
    reverseEngineeringTools: .notify, // let me know when the user installed reverse engineering tools
    httpProxy: .notify, // notify me via delegate when HTTP proxy is enabled
    repackage: .exit([AppProtectionTrustedCert(withBase64EncodedString: "BASE_64_ENCODED_CERT")!], "https://myurl.com/repackage-explained"), // follow documentation how to obtain certificate string
    screenCapture: .hide(), // will hide the app contents when the screen is captured (for example shared via airplay),
    vpnDetection: .notify, // notify me when the VPN is connected or disconnected
    callDetection: .notify, // notify me when about an active call
    appPresence: .notify([.KnownApps.anyDesk]) // notify me when AnyDesk application is installed. Note that you also have to specify the deeplink in your Info.plist (more in the feature documentation)
)
    
// Prepare the configuration for events
let eventConfig = AppProtectionEventConfig(
    enableEventCollection: true, // enable event collection in general
    enableAppLifecycleCollection: true, // track lifecycle events in the Malwarelytics console on the server
    enableScreenshotTakenCollection: true // track screenshot events in the Malwarelytics console on the server
)
    
// Prepare a configuration for service
let config = AppProtectionConfig(
    username: "$USERNAME", // username for the Malwarelytics service
    password: "$PASSWORD", // password for the Malwarelytics service
    signaturePublicKey: "$PUBKEY", // public key for the Malwarelytics service
    clientIdentification: nil, // user identification (unique within your systems)
    raspConfig: raspConfig,
    eventsConfig: eventConfig,
    customerGroupingConfig: nil // Configuration of customer grouping and naming in the web application.
)

Available RASP Configuration Items

Item	Description
`jailbreak: DetectionConfig`	defines the behavior of automatic jailbreak detection. Defaults to `.notify`.
`debugger: DebuggerDetectionConfig`	defines the behavior of automatic debugger detection. Defaults to `.notify`.
`reverseEngineeringTools: DetectionConfig`	defines the behavior of automatic reverse engineering tools detection. Defaults to `.notify`.
`httpProxy: DetectionConfig`	defines the behavior of automatic HTTP proxy detection. Defaults to `.notify`.
`repackage: RepackageConfig`	defines the behavior of automatic repackaging detection. Defaults to `.noAction([])`.
`screenCapture: ScreenCaptureDetectionConfig`	defines the behavior of automatic screen capturing detection. Defaults to `.notify`.
`vpnDetection: DetectionConfig`	defines the behavior of automatic VPN detection. Defaults to `.notify`.
`callDetection: SimpleDetectionConfig`	defines the behavior of automatic call detection. Defaults to `.notify`.
`appPresence: AppPresenceDetectionConfig`	defines the behavior of automatic app presence detection. Defaults to `.manual`.

The behavior of all the configuration items can be summarized with these rules:

The .noAction values turn the corresponding feature off. In some cases detection data can be manually obtained through AppProtectionRasp protocol.
The .notify values cause the delegate (and remote server when configured) to be notified about the corresponding detection.
The .exit(exitUrl: String?) values cause the app to be terminated when the corresponding “positive” detection of the feature is detected. The exitUrl parameters define URLs to be opened in the system web browser when the app is terminated as a result of the corresponding detection.

Detailed information about these configuration items can be found on the documentation pages of individual features.

How to Configure App Presence

App presence allows you to verify whether a specific app is installed on a device. To successfully detect such an application, you need to configure the AppProtectionRaspConfig with the appPresence parameter.

In addition to that, you also need to add a query URL scheme to your application Info.plist.

For example, if you want to add detection for AnyDesk application, you need to configure the appPresense parameter with appPresence: .notify([.KnownApps.anyDesk]) and then add anydesk scheme into your Info.plist Queried URL Schemes item.

You can add anydesk scheme to the query with these few steps:

Open your Xcode project.
In the Project Navigator, find your app’s Info.plist file and open it.
Click the “+” button in the top-right corner of the Info.plist editor.
In the new row, set the key to “Queried URL Schemes”
Click the arrow next to “Queried URL Schemes” to expand it.
Click the “+” button next to “Queried URL Schemes” and add anydesk scheme.
Save your changes.

By following these steps, you’ll configure app presence for your application to detect the presence of specific apps, like AnyDesk.

Obtaining Detection Results

When Malwarelytics for Apple is initialized with certain configurations, the RASP features can be accessed through AppProtectionRaspDelegate or by proactively checking for the status of a certain feature.

Observing RASP Detections

An observer can be registered in AppProtectionRasp to notify the app about any RASP detection change.

// Set the delegate to the existing `AppProtectionService` instance
// to obtain RASP callbacks
appProtection.rasp.addDelegate(self)

Delegate then receives the following callbacks:

func debuggerDetected() {
    // react to a debugger
}

func jailbreakDetected() {
    // react to jailbreak
}

func repackageDetected() {
    // react to repackage
}

func httpProxyEnabled() {
    // react to HTTP proxy enabled
}

func userScreenshotDetected() {
    // react to user screenshot
}

func reverseEngineeringToolsDetected() {
    // react to reverse engineering tools
}

func systemPasscodeConfigurationChanged(enabled: Bool) {
    // react to system passcode change
}

func systemBiometryConfigurationChanged(enabled: Bool) {
    // react to biometry configuration changed
}

func screenCapturedChanged(isCaptured: Bool) {
    // react to screen capturing (casting to different device)
}

func vpnChanged(active: Bool) {
    // react to VPN state changes
}

func onCallChanged(isOnCall: Bool) {
    // react to call change
}
	
func installedAppsChanged(installedApps: [DetectableApp]) {
    // installed apps list has changed
}

Triggering RASP Checks Manually

All the RASP checks can be triggered manually in AppProtectionRasp. There are mostly methods for a simple boolean answer. Only app presence detection provides more detailed information.

// root detection
let isJailbroken = appProtection.rasp.isJailbroken

// debugger
let isDebuggerConnected = appProtection.rasp.isDebuggerConnected

// repackaging
let isRepackaged = appProtection.rasp.isRepackaged

// screen sharing
let isScreenCaptured = appProtection.rasp.isScreenCaptured

// system passcode
let isSystemPasscodeEnabled = appProtection.rasp.isSystemPasscodeEnabled

// system biometry
let isSystemBiometryEnabled = appProtection.rasp.isSystemBiometryEnabled

// simulator build
let isEmulator = appProtection.rasp.isEmulator

// reverse engineering
let isReverseEngineeringToolsPresent = appProtection.rasp.isReverseEngineeringToolsPresent

// http proxy present
let isHttpProxyEnabled = appProtection.rasp.isHttpProxyEnabled

// VPN active
let isVpnActive = appProtection.rasp.isVpnActive

// on call
let isOnCall = appProtection.rasp.isOnCall

// detected apps
let detectedApps = appProtection.rasp.installedApps