RASP Feature Overview
RASP (runtime application self-protection) features to protect the app against several attack vectors.
Android platform
Currently, Malwarelytics for Android offers the following RASP features:
- Root Detection
- Emulator Detection
- Debugger Protection
- Repackaging Detection
- Screen Sharing Detection
- Screenshot Blocking
- Screen Reader Blocking
- Tapjacking Protection
- Detection of App Installation Source
- Detection of Screen Lock Usage
- Detection of Play Protect Status
- Changing of App’s Process Name
- HTTP Proxy Detection
- VPN Detection
- Detection of ADB Status
- Detection of Developer Options Status
- Detection of Biometry Status
- Active Call Detection
More about RASP features available for Android platform can be found in the documentation of the native library.
Apple platform
Currently, Malwarelytics for Apple covers the following RASP problems:
- Jailbreak Detection
- Debugger Detection
- Repackaging Detection
- Reverse Engineering Tools Detection
- HTTP Proxy Detection
- Screen Sharing Detection
- Screenshot Detection
- System Passcode Status Change
- System Biometry Status Change
- VPN Detection
- Active Call Detection
More about RASP features available for Apple platform can be found in the documentation of the native library.
Configuring Detections
To configure RASP detections, use the androidConfig.rasp and appleConfig.rasp properties during the initialization of the SDK:
// Note that all the folowing configurations are optional, you can pass empty object {} and it will work.
// It is recommended to set your client id though to identify the user.
await window.plugins.malwarelytics.initialize({
// Configuration for the Android platform
androidConfig: {
raspConfig: { // configiration of the Runtime Application Self Protection
// when the device is an emulator, exit and show url
emulator: { action: "EXIT", exitUrl: "https://wultra.com?exit=emulator" },
// when the device is rooted, exit and show url
root: { action: "EXIT", exitUrl: "https://wultra.com?exit=root", exitOnRootMinConfidence: 1 },
// when a debugger is attached, exit and show url
debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
// when the app is repackaged, exit and show url
repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackage", signatureHash: ["..."] },
// when screen is shared, notify via the observer
screenSharing: { action: "NOTIFY" },
// block screenshots
screenshot: { action: "BLOCK" },
// block screenreaders, use the built-in list of allowed screenreaders (legitimate accessibility apps)
screenReader: { action: "BLOCK" },
// change process name to a stealthy name
processName: { action: "USE_STEALTHY" },
// block tapjacking apps which are HIGHLY_DANGEROUS or MALWARE, don't ignore system apps, don't allow any app exceptions
tapjacking: { action: "BLOCK", blockTapjackingSensitivity: "HIGHLY_DANGEROUS", ignoreTapjackingSystemApps: false, allowedTapjackingApps: [] },
// when HTTP proxy changes, notify via the observer
httpProxy: { action: "NOTIFY" },
// when VPN changes, notify via the observer
vpn: { action: "NOTIFY" },
// when ADB is on, notify via the observer
adb: { action: "NOTIFY" },
// when active call is started or ended, notify via the observer
activeCall: { action: "NOTIFY" }
}
},
// Configuration for the Apple platform
appleConfig: {
raspConfig: { // configiration of the Runtime Application Self Protection
// when the device is jalibreaked, exit and show url
jailbreak: { action: "EXIT", exitUrl: "https://wultra.com?exit=jalibreak" },
// when debugger is connected, exit and show url
debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
// when reverse engineering tools are present, notify via the observer
reverseEngineeringTools: { action: "NOTIFY" },
// when HTTP proxy is on, notify via the observer
httpProxy: { action: "NOTIFY" },
// when the app is repackaged, exit and show url
repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackaged", base64EncodedTrustedCertificates: ["BASE64encodedcert"]},
// when screen is being captured, notify via the observer
screenCapture: { action: "NOTIFY" },
// when VPN is on, notify via the observer
vpnChanged: { action: "NOTIFY" },
// when there's an ongoing call, notify via the observer
callDetection: { action: "NOTIFY" }
}
}
});
Obtaining Detection Results
When Malwarelytics initialized with certain configurations, the RASP features can be accessed through observers or by proactively checking for status of a certain feature.
Observing RASP Detections
When a RASP event occurs (when the debugger is trying to connect to the app for example), the observer is notified (when configured in such a way). You can set observers for both Android and Apple platforms.
// Android observer
let observer: MalwarelyticsAndroidRASPObserver = {
debuggerDetected(detected: boolean) { console.log("RASP DEBUGGER DETECTED " + detected); },
emulatorDetected(emulatorDetection: EmulatorDetection) { console.log("RASP EMULATOR DETECTED " + JSON.stringify(emulatorDetection)); },
repackagingDetected(repackagingResult: RepackagingResult) {console.log("RASP REPACKAGING DETECTED " + JSON.stringify(repackagingResult)); },
rootDetected(rootDetection: RootDetection) { console.log("RASP ROOT DETECTED " + JSON.stringify(rootDetection)); },
screenSharingDetected(screenSharingDetected: boolean){ console.log("RASP SCREEN SHARING DETECTED " + screenSharingDetected); },
tapjackingDetected(tapjackingDetection: TapjackingDetection) { console.log("RASP TAPJACKING DETECTED " + JSON.stringify(tapjackingDetection)); },
httpProxyDetected(httpProxyDetection: HttpProxyDetection) { console.log("HTTP PROXY DETECTED " + JSON.stringify(httpProxyDetection)); },
vpnDetected(vpnEnabled: boolean) { console.log("RASP VPN DETECTED " + vpnEnabled); },
adbStatusDetected(adbStatus: boolean) { console.log("ADB STATUS DETECTED " + adbStatus); },
activeCallDetected(activeCallDetection: ActiveCallDetection) { console.log("RASP ACTIVE CALL DETECTED " + JSON.stringify(activeCallDetection)); }
}
window.plugins.malwarelytics.android.rasp.setObserver(observerAndroid);
// Apple observer
let observerApple: MalwarelyticsAppleRASPObserver = {
debuggerDetected() { alert("Debugger detected ") },
jailbreakDetected() { alert("Jailbreak detected") },
repackageDetected() { alert("Repackaging detected") },
httpProxyEnabled() { alert("HTTP proxy detected") },
userScreenshotDetected() { alert("Screenshot detected") },
screenCapturedChanged(isCaptured: boolean) { alert("Screen capture changed to " + isCaptured) },
reverseEngineeringToolsDetected() { alert("Reverse Engineering Tools Detedted") },
systemPasscodeConfigurationChanged(enabled: boolean) { alert("Device Passcode changed to " + enabled) },
systemBiometryConfigurationChanged(enabled: boolean) { alert("Device Biometry changed to " + enabled) },
vpnChanged(active: boolean) { alert("VPN changed: " + active) },
onCallChanged(isOnCall: boolean) { alert("OnCall: " + isOnCall) }
}
window.plugins.malwarelytics.apple.rasp.setObserver(observerApple);
Triggering RASP Checks Manually
All the RASP checks can be triggered manually. There are mostly two methods for the checks.
if (device.platform == "Android") {
const rootDetection = await window.plugins.malwarelytics.android.rasp.getRootDetection();
const isDeviceRooted = await window.plugins.malwarelytics.android.rasp.isDeviceRooted();
// etc...
} else if (device.platform == "iOS") {
const isDebuggerConnexcted = await window.plugins.malwarelytics.apple.rasp.isDebuggerConnected();
const isJailbroken = await window.plugins.malwarelytics.apple.rasp.isDeviceJailbroken();
// etc...
}
Read Next
Last updated on Sep 21, 2023 (16:46)
Edit on Github
Send Feedback