Configuration
The minimum configuration for Malwarelytics is setting up the username, password, and public key in the malwarelytics.xml (for each platform Android/iOS). However, we recommend configuring all features that are present in the SDK.
The Username, Password, and Signature Public Key can be obtained in the Malwarelytics console. Note that these credentials are bound to your application Package Name/Bundle ID. If you need to support multiple environments (Package names/Bundle IDs), you need different credentials for each environment.
Environment
Malwarelytics offers three environment configurations:
- PRODUCTION (default value) for production builds
- TEST for development and test builds
- CUSTOM for custom/private server environments
The environment is configured in malwarelytics.xml. Different environments require different access credentials.
Custom Environment with Custom Server URL
If you need to use a custom server URL (e.g., for testing or private deployments):
- Set environment="CUSTOM" in the <service> element (both Android and Apple)
- Add the customEnvironmentUrl="https://your-custom-url.com" attribute
- (Android only) Optionally add customEnvironmentUrlCertificatePins="base64pin1,base64pin2" for SSL pinning
Note: SSL certificate pinning is only supported on Android. Apple platforms ignore the customEnvironmentUrlCertificatePins attribute.
The environment can also be overridden at runtime from JavaScript via onlineConfig.environment. If it is set in JavaScript, it takes priority over the XML configuration.
Configuring the Service
To enable Malwarelytics in your Cordova app, you need to call the initialize method with the following configuration object. All properties are optional.
```javascript
// Note that all the following configurations are optional; you can pass an empty object {} and it will work.
// It is recommended to set your client ID to identify the user.
// Call this from inside an async function.
await window.plugins.malwarelytics.initialize({
    clientId: "your-client-id", // To identify the user. Can be changed later.
    deviceId: "your-device-id", // To identify the user's phone. Can be changed later.
    // Configuration for the Android platform
    androidConfig: {
        languageCode: "en", // Language of the UI (for smart protection)
        antivirusConfig: { // Configuration of the antivirus component
            enableAntivirus: true, // Whether the antivirus feature is enabled
            enableSilentMode: false, // Silent mode enabled = no UI
            onlineCheckIntervalHours: 48, // Check for updates every 48 hours
            updateOnInitialize: true // The virus database will be updated on the startup
        },
        raspConfig: { // configuration of the Runtime Application Self-Protection
            emulator: {
                action: "NOTIFY" // to enable observer reports, but don't exit when on an emulator
            },
            root: {
                action: "EXIT", // to exit when the device is rooted
                exitUrl: "https://wultra.com", // web URL to be opened when the app is terminated
                exitOnRootMinConfidence: 1 // exit only when we are sure
            },
            debugger: {
                action: "EXIT", // to exit when a debugger is connected
                exitUrl: "https://wultra.com", // web URL to be opened when the app is terminated
            },
            repackage: {
                action: "EXIT", // to exit when the app is repackaged
                exitUrl: "https://wultra.com", // web URL to be opened when the app is terminated
                signatureHash: ["a9fe....6d94"] // hash of the app's signature (Base64-encoded SHA-1 hash)
            },
            screenSharing: {
                detectionAction: "NOTIFY", // to enable observer reports
                blockAction: "BLOCK" // to block screen sharing on secondary displays
            },
            screenshot: {
                blockAction: "BLOCK", // to block screenshots
                detectionAction: "NOTIFY" // to notify about screenshots (only on Android 14+)
            },
            screenReader: {
                action: "BLOCK", // disable screen readers
                // allowed screen readers; when not set, the default list of frequently used legitimate screen readers is used
                allowedScreenReaders: [{packageName: "com.google.android.marvin.talkback", signatureHash: "9b424c2d27ad51a42a337e0bb6991c76eca44461"}]
            },
            screenRecording: {
                action: "NOTIFY" // to enable observer reports for screen recording (Android 15+)
            },
            emulatedInput: {
                action: "BLOCK" // to block emulated input from accessibility clickers and ADB
            },
            processName: {
                action: "USE_STEALTHY", // use stealthy process name
                customProcessName: "my.stealthy.packagename" // to use custom value, random value is used otherwise
            },
            tapjacking: {
                action: "BLOCK", // to block tapjacking
                blockTapjackingSensitivity: "HIGHLY_DANGEROUS", // block tapjacking for highly dangerous and malware apps
                ignoreTapjackingSystemApps: false, // whether to ignore system apps in blocking tapjacking
                allowedTapjackingApps: [] // list of apps capable of tapjacking that will be ignored
            },
            httpProxy: {
                action: "NOTIFY" // to enable observer reports
            },
            vpn: {
                action: "NOTIFY" // to enable observer reports
            },
            adb: {
                action: "NOTIFY" // to enable observer reports
            },
            activeCall: {
                action: "NOTIFY" // to enable observer reports
            },
            appPresence: {
                action: "NOTIFY",
                remoteDesktopApps: [
                    {
                        displayName: "AnyDesk",
                        packageName: "com.anydesk.anydeskandroid"
                    }
                ]
            },
            sendInfoOutputs: true // whether to send outputs of RASP info methods to the remote server
        },
        customerGrouping: {
            // Customer grouping is an advanced technique that is described in a separate documentation topic
            sourcePackageName: null,
            appPackageName: null,
            audienceGroupId: null
        },
        fingerprint: "SAFE",
        onlineConfig: {
            // Optional: Runtime override for environment configuration.
            // If set, this takes priority over the environment configured in malwarelytics.xml.
            environment: {
                type: "URL", // "PRODUCTION", "TEST", or "URL"
                url: "https://custom.example.com", // Required when type is "URL"
                certificatePins: ["base64hash1", "base64hash2"] // Optional SSL pinning
            }
        }
    },
    // Configuration for the Apple platform
    appleConfig: {
        raspConfig: { // configuration of the Runtime Application Self-Protection
            // when the device is jailbroken, exit and show the URL
            jailbreak: { action: "EXIT", exitUrl: "https://wultra.com?exit=jailbreak" },
            // when a debugger is connected, exit and show the URL
            debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
            // when reverse engineering tools are present, notify the observer
            reverseEngineeringTools: { action: "NOTIFY" },
            // when an HTTP proxy is on, notify the observer
            httpProxy: { action: "NOTIFY" },
            // when the app is repackaged, exit and show the URL
            repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackaged", base64EncodedTrustedCertificates: ["BASE64encodedcert"]},
            // when the screen is being captured, notify the observer
            screenCapture: { action: "NOTIFY" },
            // when VPN is on, notify the observer
            vpnChanged: { action: "NOTIFY" },
            // when there's an ongoing call, notify the observer
            callDetection: { action: "NOTIFY" },
            // when iOS is about to create an app switcher screenshot, notify the observer
            systemScreenshot: { action: "NOTIFY", trigger: "BACKGROUND" }
        },
        onlineConfig: {
            eventsConfig: {
                enableEventCollection: true, // enable event collection (like app turned on/off)
                enableScreenshotTakenCollection: true // enable screenshot event collection
            },
            customerGrouping: {
                // Customer grouping is an advanced technique that is described in a separate documentation topic
                sourceBundleId: null,
                appBundleId: null,
                audienceGroupId: null
            },
            environment: {
                type: "URL",
                url: "https://your-malwarelytics.example.com"
            }
        }
    }
});
```
Customer Grouping and Naming
The SDK allows passing custom values that are used to group data in the Malwarelytics web console application.
The configuration items in androidConfig.customerGrouping and appleConfig.onlineConfig.customerGrouping add extra metadata that is passed into the web console.
The data allows us to split data into groups and obtain different views on the data.
Limitations for the strings are the following:
- Max length of the sourceBundleId/sourcePackageName is 255 characters
- Max length of the appBundleId/appPackageName is 255 characters
- Max length of the audienceGroupId is 20 characters
The main grouping of the data is achieved with sourceBundleId/sourcePackageName. The value has to agree with the application credentials in the web console.
The extra granularity of data views is achieved with appBundleId/appPackageName.
The last option audienceGroupId is used to distinguish users from different customer systems such as “RETAIL”, “CORPORATE” and so on.
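
The grouping length limits above and the runtime environment override described under Environment can be checked before the object reaches initialize. This is an added example, not code from the Malwarelytics SDK or the original page: validateConfig and its helpers are hypothetical names, and the https-only rule and the Base64 shape check on pins are assumptions of the example.

```javascript
// Added example: preflight checks for the object passed to initialize().
// Field names and limits come from this page; validateConfig is a hypothetical helper.
const ANDROID_LIMITS = { sourcePackageName: 255, appPackageName: 255, audienceGroupId: 20 };
const APPLE_LIMITS = { sourceBundleId: 255, appBundleId: 255, audienceGroupId: 20 };
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function checkGrouping(path, grouping, limits, problems) {
  for (const [key, value] of Object.entries(grouping || {})) {
    if (value === null || value === undefined) continue; // unset is allowed
    if (!(key in limits)) problems.push(`${path}.${key}: not a key for this platform`);
    else if (typeof value !== "string") problems.push(`${path}.${key}: must be a string`);
    else if (value.length > limits[key]) problems.push(`${path}.${key}: longer than ${limits[key]}`);
  }
}

function checkEnvironment(path, env, pinningSupported, problems) {
  if (!env) return; // no runtime override, so malwarelytics.xml applies
  if (!["PRODUCTION", "TEST", "URL"].includes(env.type)) {
    problems.push(`${path}.type: expected PRODUCTION, TEST or URL`);
  } else if (env.type === "URL") {
    // Assumption of this example: only TLS endpoints are acceptable.
    let parsed = null;
    try { parsed = new URL(env.url); } catch (e) { /* missing or malformed */ }
    if (!parsed) problems.push(`${path}.url: required when type is "URL"`);
    else if (parsed.protocol !== "https:") problems.push(`${path}.url: must use https`);
  }
  const pins = env.certificatePins || [];
  if (pins.length > 0 && !pinningSupported) {
    problems.push(`${path}.certificatePins: pinning is Android-only`);
  }
  for (const pin of pins) {
    // Only the Base64 encoding is checked, not which digest the pin holds.
    if (typeof pin !== "string" || pin === "" || !BASE64.test(pin)) {
      problems.push(`${path}.certificatePins: entry is not Base64`);
    }
  }
}

// Returns a list of problems; an empty list means the config passed every check.
function validateConfig(config) {
  const problems = [];
  const android = config.androidConfig || {};
  const appleOnline = (config.appleConfig || {}).onlineConfig || {};
  checkGrouping("androidConfig.customerGrouping", android.customerGrouping, ANDROID_LIMITS, problems);
  checkGrouping("appleConfig.onlineConfig.customerGrouping", appleOnline.customerGrouping, APPLE_LIMITS, problems);
  checkEnvironment("androidConfig.onlineConfig.environment", (android.onlineConfig || {}).environment, true, problems);
  checkEnvironment("appleConfig.onlineConfig.environment", appleOnline.environment, false, problems);
  return problems;
}
```

Run it in a build step or at startup and refuse to call initialize when the returned list is not empty.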