RASP Feature Overview

RASP (runtime application self-protection) features protect the app against several attack vectors.

Android platform

Currently, Malwarelytics for Android offers the following RASP features:

  • Root Detection
  • Emulator Detection
  • Repackaging Detection
  • Debugger Protection
  • Predefined and Custom Events
  • Screenshot Blocking
  • Screen Reader Blocking
  • Tapjacking Protection
  • Detection of App Installation Source
  • Detection of Screen Lock Usage
  • Detection of Play Protect Status
  • Changing of app’s Process Name
  • HTTP Proxy Detection

Apple platform

Currently, Malwarelytics for Apple covers the following RASP problems:

  • Jailbroken devices
  • Attached debuggers
  • Application repackaging
  • Reverse engineering tools
  • Active HTTP proxy
  • Screen sharing
  • Screenshots
  • System passcode status change
  • System biometry configuration change

Configuring Detections

To configure RASP detections, use the androidConfig.rasp and appleConfig.rasp properties during the initialization of the SDK:

// Note that all the following configuration options are optional; you can pass an empty object {} and it will work.
// It is recommended to set your client ID, though, to identify the user.
await window.plugins.malwarelytics.initialize({
    // Configuration for the Android platform
    androidConfig: {
        rasp: { // configuration of the Runtime Application Self Protection
            checkEmulator: true, // to enable observer reports
            exitOnEmulator: true, // exit when running on an emulator
            checkRoot: true, // to enable observer reports
            exitOnRoot: true, // exit when the device is rooted
            exitOnRootMinConfidence: 1, // exit only when we're sure
            checkHttpProxy: true, // to be notified when http proxy is enabled
            exitOnHttpProxy: false, // disable exit on http proxy
            checkDebugger: true, // to enable observer reports
            exitOnDebugger: true, // exit when debugger is connected
            checkRepackaging: true, // to enable observer reports
            exitOnRepackaging: true, // exit when the app is repackaged
            signatureHash: "....", // hash of the app's signature
            checkScreenSharing: true, // to enable observer reports
            exitOnScreenSharing: false, // do not exit the app when screen sharing is on
            blockScreenshots: true, // block screenshots
            blockScreenReaders: true, // disable screen readers
            allowedScreenReaders: [], // list of allowed screen readers
            customProcessName: null, // can set custom process name
            useStealthyProcessName: true, // use random process name
            blockTapjacking: true, // block tapjacking
            blockTapjackingSensitivity: "HIGHLY_DANGEROUS" // block tapjacking for highly dangerous and malware apps
        }
    },

    // Configuration for the Apple platform
    appleConfig: {
        rasp: { // configuration of the Runtime Application Self Protection
            // when the device is jailbroken, exit and show url
            jailbreak: { action: "EXIT", exitUrl: "https://wultra.com?exit=jalibreak" },
            // when debugger is connected, exit and show url
            debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
            // when reverse engineering tools are present, notify via the observer
            reverseEngineeringTools: { action: "NOTIFY" },
            // when HTTP proxy is on, notify via the observer
            httpProxy: { action: "NOTIFY" },
            // when the app is repackaged, exit and show url
            repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackaged", base64EncodedTrustedCertificates: ["BASE64encodedcert"]},
            // when screen is being captured, notify via the observer
            screenCapture: { action: "NOTIFY" }
        }
    }
});

Obtaining Detection Results

When Malwarelytics is initialized with the corresponding configuration, the RASP detection results can be obtained through observers or by proactively checking the status of a particular feature.

Observing RASP Detections

When a RASP event occurs (for example, when a debugger tries to connect to the app), the observer is notified, provided the detection is configured to report it. You can set observers for both the Android and Apple platforms.

// Android observer
let observerAndroid: MalwarelyticsAndroidRASPObserver = {
    debuggerDetected(detected: boolean) { console.log("RASP DEBUGGER DETECTED " + detected); },
    emulatorDetected(emulatorDetection: EmulatorDetection) { console.log("RASP EMULATOR DETECTED " + JSON.stringify(emulatorDetection)); },
    repackagingDetected(repackagingResult: RepackagingResult) { console.log("RASP REPACKAGING DETECTED " + JSON.stringify(repackagingResult)); },
    rootDetected(rootDetection: RootDetection) { console.log("RASP ROOT DETECTED " + JSON.stringify(rootDetection)); },
    screenSharingDetected(screenSharingDetected: boolean) { console.log("RASP SCREEN SHARING DETECTED " + screenSharingDetected); },
    tapjackingDetected(tapjackingDetection: TapjackingDetection) { console.log("RASP TAPJACKING DETECTED " + JSON.stringify(tapjackingDetection)); },
    httpProxyDetected(httpProxyDetection: HttpProxyDetection) { console.log("HTTP PROXY DETECTED " + JSON.stringify(httpProxyDetection)); }
}

window.plugins.malwarelytics.android.rasp.setObserver(observerAndroid);

// Apple observer
let observerApple: MalwarelyticsAppleRASPObserver = {
    debuggerDetected() { alert("Debugger detected") },
    jailbreakDetected() { alert("Jailbreak detected") },
    repackageDetected() { alert("Repackaging detected") },
    httpProxyEnabled() { alert("HTTP proxy detected") },
    userScreenshotDetected() { alert("Screenshot detected") },
    screenCapturedChanged(isCaptured: boolean) { alert("Screen capture changed to " + isCaptured) },
    reverseEngineeringToolsDetected() { alert("Reverse Engineering Tools Detected") },
    systemPasscodeConfigurationChanged(enabled: boolean) { alert("Device Passcode changed to " + enabled) },
    systemBiometryConfigurationChanged(enabled: boolean) { alert("Device Biometry changed to " + enabled) }
}

window.plugins.malwarelytics.apple.rasp.setObserver(observerApple);
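
Detections configured with action "NOTIFY" leave the response to the app. The following added example (not part of the Malwarelytics documentation) turns the Apple observer callbacks listed above into a session risk state that the UI can use to gate sensitive actions; `createRiskObserver`, `onChange` and the blocking policy are illustrative assumptions.

```javascript
// Added example, not part of the Malwarelytics documentation.
// Callback names are the ones the page lists for MalwarelyticsAppleRASPObserver;
// createRiskObserver, onChange and the blocking policy are illustrative assumptions.
function createRiskObserver(onChange) {
    const sticky = new Set();   // detections kept for the rest of the session
    let screenCaptured = false; // follows screenCapturedChanged
    let screenshots = 0;

    const state = () => ({
        signals: [...sticky].sort(),
        screenCaptured,
        screenshots,
        // Sensitive actions are allowed only with no signal and no active capture.
        allowSensitive: sticky.size === 0 && !screenCaptured,
    });
    const notify = () => onChange(state());
    const flag = (name) => () => { sticky.add(name); notify(); };

    const observer = {
        debuggerDetected: flag("debugger"),
        jailbreakDetected: flag("jailbreak"),
        repackageDetected: flag("repackage"),
        httpProxyEnabled: flag("httpProxy"),
        reverseEngineeringToolsDetected: flag("reverseEngineeringTools"),
        userScreenshotDetected() { screenshots += 1; notify(); },
        // Anything other than an explicit `false` is treated as "captured".
        screenCapturedChanged(isCaptured) { screenCaptured = isCaptured !== false; notify(); },
        systemPasscodeConfigurationChanged(enabled) {
            if (enabled) sticky.delete("passcodeDisabled"); else sticky.add("passcodeDisabled");
            notify();
        },
        // Any biometry change is kept as a signal so the app can ask for re-authentication.
        systemBiometryConfigurationChanged: flag("biometryChanged"),
    };
    return { observer, state };
}

// In the app (constructed usage; updateUi is a hypothetical function):
// const risk = createRiskObserver((s) => updateUi(s.allowSensitive));
// window.plugins.malwarelytics.apple.rasp.setObserver(risk.observer);
```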

Triggering RASP Checks Manually

All the RASP checks can be triggered manually. For most checks, there are two methods:

if (device.platform == "Android") {
    const rootDetection = await window.plugins.malwarelytics.android.rasp.getRootDetection();
    const isDeviceRooted = await window.plugins.malwarelytics.android.rasp.isDeviceRooted();
    // etc...
} else if (device.platform == "iOS") {
    const isDebuggerConnected = await window.plugins.malwarelytics.apple.rasp.isDebuggerConnected();
    const isJailbroken = await window.plugins.malwarelytics.apple.rasp.isDeviceJailbroken();
    // etc...
}
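
A manual check is most useful immediately before a sensitive operation, and it should fail closed when a check throws or never answers. The following added example (not from the Malwarelytics documentation) uses only the method names shown above and assumes they resolve to booleans; `evaluateDevice`, `MANUAL_CHECKS` and the timeout value are hypothetical.

```javascript
// Added example, not part of the Malwarelytics documentation.
// `rasp` is window.plugins.malwarelytics.android.rasp or .apple.rasp from the page;
// boolean results are an assumption based on the method names.
const MANUAL_CHECKS = {
    Android: [["root", "isDeviceRooted"]],
    iOS: [["jailbreak", "isDeviceJailbroken"], ["debugger", "isDebuggerConnected"]],
};

// Reject if the SDK call does not settle within `ms` milliseconds.
function withTimeout(promise, ms) {
    let timer;
    const timeout = new Promise((_, reject) => {
        timer = setTimeout(() => reject(new Error("timeout")), ms);
    });
    return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Runs every check for the platform; any detection, error or timeout denies the action.
async function evaluateDevice(platform, rasp, timeoutMs = 2000) {
    const checks = MANUAL_CHECKS[platform];
    if (!checks) return { allowed: false, findings: ["unsupported-platform"] };
    const findings = [];
    await Promise.all(checks.map(async ([label, method]) => {
        try {
            const detected = await withTimeout(rasp[method](), timeoutMs);
            // Only an explicit `false` counts as clean.
            if (detected !== false) findings.push(label);
        } catch (e) {
            // Missing method, rejected promise or timeout: fail closed.
            findings.push(label + ":check-failed");
        }
    }));
    return { allowed: findings.length === 0, findings: findings.sort() };
}

// In the app (constructed usage):
// const rasp = device.platform === "Android"
//     ? window.plugins.malwarelytics.android.rasp
//     : window.plugins.malwarelytics.apple.rasp;
// const verdict = await evaluateDevice(device.platform, rasp);
```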

Last updated on Apr 25, 2022 (12:09)

4.0.x

Malwarelytics for Cordova