RASP Feature Overview

RASP (runtime application self-protection) features protect the app against several attack vectors.

Currently, Malwarelytics for Apple covers the following problems:

  • jailbroken devices
  • attached debuggers
  • application repackaging
  • reverse engineering tools
  • active HTTP proxy
  • screen sharing
  • screenshots
  • system passcode status change
  • system biometry configuration change

Configuring Detections

RASP detections are configured via the AppProtectionRaspConfig and AppProtectionEventConfig classes, both of which are part of AppProtectionConfig.

To configure RASP detections, use:

// Prepare the RASP feature configuration
let raspConfig = AppProtectionRaspConfig(
    jailbreak: .exit("https://myurl.com/jalibreak-explained"), // exit on a jailbroken phone
    debugger: .block, // block the debugger
    reverseEngineeringTools: .notify, // notify me via delegate when the user has installed reverse engineering tools
    httpProxy: .notify, // notify me via delegate when an HTTP proxy is enabled
    repackage: .exit([AppProtectionTrustedCert(withBase64EncodedString: "BASE_64_ENCODED_CERT")!], "https://myurl.com/repackage-explained"), // see the documentation for how to obtain the certificate string
    screenCapture: .notify // notify me via delegate when the user takes a screenshot
)

// Prepare the configuration for events
let eventConfig = AppProtectionEventConfig(
    enableEventCollection: true, // enable event collection in general
    enableAppLifecycleCollection: true, // track lifecycle events in the Malwarelytics console on the server
    enableScreenshotTakenCollection: true // track screenshot events in the Malwarelytics console on the server
)

// Prepare the configuration for the service
let config = AppProtectionConfig(
    username: "$USERNAME", // username for the Malwarelytics service
    password: "$PASSWORD", // password for the Malwarelytics service
    signaturePublicKey: "$PUBKEY", // public key for the Malwarelytics service
    clientIdentification: nil, // user identification (unique within your systems)
    raspConfig: raspConfig,
    eventsConfig: eventConfig,
    customerGroupingConfig: nil // configuration of customer grouping and naming in the web application
)

Obtaining Detection Results

Once Malwarelytics for Apple has been initialized with the configuration above, the RASP detection results can be obtained in two ways: through an AppProtectionRaspDelegate, or by proactively querying the status of a particular feature.

Observing RASP Detections

A delegate can be registered in RaspManager so that the app is notified about every RASP detection change.

// Set the delegate to existing `AppProtectionService` instance
// to obtain RASP callbacks
appProtection.rasp.addDelegate(self)

The delegate then receives the following callbacks:

func debuggerDetected() {
    // react to debugger
}

func jailbreakDetected() {
    // react to jailbreak
}

func repackageDetected() {
    // react to repackage
}

func httpProxyEnabled() {
    // react to http proxy enabled
}

func userScreenshotDetected() {
    // react to user screenshot
}

func reverseEngineeringToolsDetected() {
    // react to reverse engineering tools
}

func systemPasscodeConfigurationChanged(enabled: Bool) {
    // react to system passcode change
}

func systemBiometryConfigurationChanged(enabled: Bool) {
    // react to biometry configuration changed
}

func screenCapturedChanged(isCaptured: Bool) {
    // react to screen capturing (casting to different device)
}
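The callbacks above arrive one at a time, so an app still has to turn them into a single security state that its screens can act on. The following handler is an added example, not code from the Malwarelytics documentation or SDK. It assumes that AppProtectionRaspDelegate is a class-bound protocol with exactly the callbacks listed above and that appProtection is an initialized AppProtectionService (both names taken from this page); the SecurityPosture type and the handler class are hypothetical names introduced here. Integrity signals (debugger, jailbreak, repackaging, reverse engineering tools) are treated as sticky, because once the process may have been tampered with a later "all clear" cannot be trusted; exposure signals (screen capture, passcode or biometry state) are reversible.

```swift
import Foundation

// Added example; not part of the Malwarelytics documentation. It assumes that
// `AppProtectionRaspDelegate` is a class-bound protocol with the callbacks
// listed on this page and that `appProtection` is an initialized
// `AppProtectionService`. `SecurityPosture` and `RaspEventHandler` are
// hypothetical names introduced by this example.

/// Coarse security posture derived from RASP callbacks. The UI layer observes
/// it to decide whether sensitive content may be shown.
enum SecurityPosture: Equatable {
    case normal
    case degraded([String])      // keep working, but reduce exposure (e.g. mask balances)
    case compromised(String)     // integrity signal: stop showing sensitive data
}

final class RaspEventHandler: AppProtectionRaspDelegate {

    private(set) var posture: SecurityPosture = .normal
    private var degradedReasons: [String] = []
    private var compromisedReason: String?

    /// Called on every posture change; hook a view model or coordinator here.
    var onPostureChange: ((SecurityPosture) -> Void)?

    /// Audit hook for events that are informational rather than actionable.
    var onAuditEvent: ((String) -> Void)?

    // MARK: - Posture bookkeeping

    private func recompute() {
        let newPosture: SecurityPosture
        if let reason = compromisedReason {
            newPosture = .compromised(reason)
        } else if !degradedReasons.isEmpty {
            newPosture = .degraded(degradedReasons)
        } else {
            newPosture = .normal
        }
        guard newPosture != posture else { return }
        posture = newPosture
        onPostureChange?(newPosture)
    }

    /// Integrity signals are sticky: there is deliberately no way to clear them.
    private func markCompromised(_ reason: String) {
        if compromisedReason == nil { compromisedReason = reason }
        onAuditEvent?("rasp.compromised: \(reason)")
        recompute()
    }

    /// Exposure signals are reversible (capture stops, passcode re-enabled).
    private func setDegraded(_ reason: String, active: Bool) {
        if active {
            if !degradedReasons.contains(reason) { degradedReasons.append(reason) }
        } else {
            degradedReasons.removeAll { $0 == reason }
        }
        onAuditEvent?("rasp.degraded: \(reason) active=\(active)")
        recompute()
    }

    // MARK: - AppProtectionRaspDelegate

    func debuggerDetected()                { markCompromised("debugger attached") }
    func jailbreakDetected()               { markCompromised("jailbroken device") }
    func repackageDetected()               { markCompromised("application repackaged") }
    func reverseEngineeringToolsDetected() { markCompromised("reverse engineering tools present") }

    // The screenshot has already been taken when this fires; record it, there is nothing to block.
    func userScreenshotDetected()          { onAuditEvent?("rasp.screenshot") }

    // This page lists no "proxy disabled" callback, so clearing this reason is
    // left to a manual re-check of `appProtection.rasp.isHttpProxyEnabled`.
    func httpProxyEnabled()                { setDegraded("HTTP proxy active", active: true) }

    func screenCapturedChanged(isCaptured: Bool) {
        setDegraded("screen is being captured", active: isCaptured)
    }
    func systemPasscodeConfigurationChanged(enabled: Bool) {
        setDegraded("device passcode disabled", active: !enabled)
    }
    func systemBiometryConfigurationChanged(enabled: Bool) {
        setDegraded("biometry disabled", active: !enabled)
    }
}

// Usage: keep a strong reference to the handler for the app's lifetime, then register it.
let raspHandler = RaspEventHandler()
raspHandler.onPostureChange = { posture in
    // e.g. tell the root coordinator to mask or dismiss sensitive screens
    print("security posture changed: \(posture)")
}
appProtection.rasp.addDelegate(raspHandler)
```

Whether RaspManager retains its delegates is not stated on this page, so the handler is kept in a long-lived constant. Which callbacks actually fire also depends on the action configured for each detection (for example, a detection configured with .exit may terminate the app before any delegate runs), so the handler implements every callback rather than relying on the configuration.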

Triggering RASP Checks Manually

All RASP checks can also be triggered manually through RaspManager. Most checks come in two forms: one that returns a simple boolean answer and one that returns more detailed information. The boolean form of each check is shown below:

// root detection
let isJailbroken = appProtection.rasp.isJailbroken

// debugger
let isDebuggerConnected = appProtection.rasp.isDebuggerConnected

// repackaging
let isRepackaged = appProtection.rasp.isRepackaged

// screen sharing
let isScreenCaptured = appProtection.rasp.isScreenCaptured

// system passcode
let isSystemPasscodeEnabled = appProtection.rasp.isSystemPasscodeEnabled

// system biometry
let isSystemBiometryEnabled = appProtection.rasp.isSystemBiometryEnabled

// simulator build
let isEmulator = appProtection.rasp.isEmulator

// reverse engineering
let isReverseEngineeringToolsPresent = appProtection.rasp.isReverseEngineeringToolsPresent

// http proxy present
let isHttpProxyEnabled = appProtection.rasp.isHttpProxyEnabled
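The manual checks are most useful at the moment a sensitive operation is about to happen, where the app needs one decision rather than nine booleans. The gate below is an added example, not code from the Malwarelytics documentation or SDK. It assumes an initialized AppProtectionService named appProtection whose rasp manager exposes the boolean properties shown above (property names taken from this page); RaspSnapshot, GateDecision and the two functions are hypothetical names introduced here. The policy keeps the distinction the page's callbacks imply: tampering signals refuse the operation, exposure signals only warn.

```swift
import Foundation

// Added example; not from the Malwarelytics documentation. It assumes an
// initialized `AppProtectionService` named `appProtection` whose `rasp`
// manager exposes the boolean properties shown on this page. `RaspSnapshot`,
// `GateDecision`, `gateSensitiveOperation` and `currentRaspSnapshot` are
// hypothetical names introduced by this example.

/// Immutable copy of the boolean RASP state at one instant, so the policy can
/// be a pure function and unit-tested without the SDK.
struct RaspSnapshot {
    var isJailbroken = false
    var isDebuggerConnected = false
    var isRepackaged = false
    var isReverseEngineeringToolsPresent = false
    var isEmulator = false
    var isHttpProxyEnabled = false
    var isScreenCaptured = false
    var isSystemPasscodeEnabled = true
}

enum GateDecision: Equatable {
    case allow
    case allowWithWarning([String])   // exposure risk: proceed, but warn or mask
    case deny([String])               // integrity risk: refuse the operation
}

/// Policy: integrity signals (tampered app or device) deny; exposure signals
/// (proxy, capture, no passcode) only warn. Tune this per operation sensitivity.
func gateSensitiveOperation(_ s: RaspSnapshot, allowEmulator: Bool) -> GateDecision {
    var hard: [String] = []
    var soft: [String] = []

    if s.isJailbroken { hard.append("jailbroken device") }
    if s.isDebuggerConnected { hard.append("debugger attached") }
    if s.isRepackaged { hard.append("application repackaged") }
    if s.isReverseEngineeringToolsPresent { hard.append("reverse engineering tools present") }
    if s.isEmulator && !allowEmulator { hard.append("running in the simulator") }

    if s.isHttpProxyEnabled { soft.append("HTTP proxy active") }
    if s.isScreenCaptured { soft.append("screen is being captured") }
    if !s.isSystemPasscodeEnabled { soft.append("no device passcode set") }

    if !hard.isEmpty { return .deny(hard) }
    if !soft.isEmpty { return .allowWithWarning(soft) }
    return .allow
}

/// Read the live state at the moment of the operation. Do not cache this across
/// operations: proxy, capture and passcode state can change at any time.
func currentRaspSnapshot() -> RaspSnapshot {
    let rasp = appProtection.rasp
    return RaspSnapshot(
        isJailbroken: rasp.isJailbroken,
        isDebuggerConnected: rasp.isDebuggerConnected,
        isRepackaged: rasp.isRepackaged,
        isReverseEngineeringToolsPresent: rasp.isReverseEngineeringToolsPresent,
        isEmulator: rasp.isEmulator,
        isHttpProxyEnabled: rasp.isHttpProxyEnabled,
        isScreenCaptured: rasp.isScreenCaptured,
        isSystemPasscodeEnabled: rasp.isSystemPasscodeEnabled
    )
}

// Usage before e.g. showing account details or confirming a payment.
#if DEBUG
let emulatorOK = true   // developers run debug builds in the simulator
#else
let emulatorOK = false
#endif

switch gateSensitiveOperation(currentRaspSnapshot(), allowEmulator: emulatorOK) {
case .allow:
    break // proceed with the operation
case .allowWithWarning(let reasons):
    print("proceeding with masked data; reasons: \(reasons)")
case .deny(let reasons):
    print("refusing sensitive operation; reasons: \(reasons)")
}
```

Because gateSensitiveOperation takes a plain struct, the policy can be covered by unit tests that construct snapshots (for example isScreenCaptured set to true) without a jailbroken device or a running SDK, while the screenshot detection stays with the delegate path, since a screenshot is only reported after the fact and has no boolean to poll.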

Last updated on Feb 11, 2022 (10:00)