RASP Feature Overview

RASP (runtime application self-protection) features protect the app against several attack vectors.

Currently, Malwarelytics for Apple covers the following problems:

  • jailbroken devices
  • attached debuggers
  • application repackaging
  • reverse engineering tools
  • active HTTP proxy
  • screen sharing
  • screenshots
  • system passcode status change
  • system biometry configuration change

Configuring Detections

RASP detections are configured via the AppProtectionRaspConfig and AppProtectionEventConfig classes, which are part of AppProtectionConfig.

To configure RASP detections, use:

// Prepare the RASP feature configuration
let raspConfig = AppProtectionRaspConfig(
    jailbreak: .exit("https://myurl.com/jalibreak-explained"), // exit on a jailbroken phone
    debugger: .block, // block the debugger
    reverseEngineeringTools: .notify, // notify me when the user has reverse engineering tools installed
    httpProxy: .notify, // notify me via delegate when an HTTP proxy is enabled
    repackage: .exit([AppProtectionTrustedCert(withBase64EncodedString: "BASE_64_ENCODED_CERT")!], "https://myurl.com/repackage-explained"), // follow the documentation on how to obtain the certificate string
    screenCapture: .notify // notify me via delegate when the user takes a screenshot
)

// Prepare the configuration for events
let eventConfig = AppProtectionEventConfig(
    enableEventCollection: true, // enable event collection in general
    enableAppLifecycleCollection: true, // track lifecycle events in the Malwarelytics console on the server
    enableScreenshotTakenCollection: true // track screenshot events in the Malwarelytics console on the server
)

// Prepare a configuration for the service
let config = AppProtectionConfig(
    username: "$USERNAME", // username for the Malwarelytics service
    password: "$PASSWORD", // password for the Malwarelytics service
    signaturePublicKey: "$PUBKEY", // public key for the Malwarelytics service
    clientIdentification: nil, // user identification (unique within your systems)
    raspConfig: raspConfig,
    eventsConfig: eventConfig,
    customerGroupingConfig: nil // configuration of customer grouping and naming in the web application
)

Obtaining Detection Results

When Malwarelytics for Apple is initialized with the relevant configuration, RASP detection results are available either through AppProtectionRaspDelegate or by proactively checking the status of a specific feature.

Observing RASP Detections

An observer can be registered in RaspManager to notify the app about any RASP detection change.

// Set the delegate to existing `AppProtectionService` instance
// to obtain RASP callbacks

The delegate then receives the following callbacks:

func debuggerDetected() {
    // react to debugger
}

func jailbreakDetected() {
    // react to jailbreak
}

func repackageDetected() {
    // react to repackage
}

func httpProxyEnabled() {
    // react to http proxy enabled
}

func userScreenshotDetected() {
    // react to user screenshot
}

func reverseEngineeringToolsDetected() {
    // react to reverse engineering tools
}

func systemPasscodeConfigurationChanged(enabled: Bool) {
    // react to system passcode change
}

func systemBiometryConfigurationChanged(enabled: Bool) {
    // react to biometry configuration changed
}

func screenCapturedChanged(isCaptured: Bool) {
    // react to screen capturing (casting to different device)
}

Triggering RASP Checks Manually

All RASP checks can be triggered manually in RaspManager. Most checks offer two methods: one that returns a simple boolean answer and one that returns more detailed information.

// jailbreak detection
let isJailbroken = appProtection.rasp.isJailbroken

// debugger
let isDebuggerConnected = appProtection.rasp.isDebuggerConnected

// repackaging
let isRepackaged = appProtection.rasp.isRepackaged

// screen sharing
let isScreenCaptured = appProtection.rasp.isScreenCaptured

// system passcode
let isSystemPasscodeEnabled = appProtection.rasp.isSystemPasscodeEnabled

// system biometry
let isSystemBiometryEnabled = appProtection.rasp.isSystemBiometryEnabled

// simulator build
let isEmulator = appProtection.rasp.isEmulator

// reverse engineering
let isReverseEngineeringToolsPresent = appProtection.rasp.isReverseEngineeringToolsPresent

// http proxy present
let isHttpProxyEnabled = appProtection.rasp.isHttpProxyEnabled
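
The manual checks above can be combined into a single decision before a sensitive operation. The following is an added example, not code from the Malwarelytics SDK or its documentation: RaspSnapshot, RiskDecision and evaluate are hypothetical names, the Bool fields mirror the properties listed above, and the split between denying and stepping up is an assumed example policy.

```swift
// Added example, not SDK code. `RaspSnapshot`, `RiskDecision` and `evaluate`
// are hypothetical names; the Bool fields mirror the manual checks above.
struct RaspSnapshot {
    var isJailbroken = false
    var isDebuggerConnected = false
    var isRepackaged = false
    var isReverseEngineeringToolsPresent = false
    var isHttpProxyEnabled = false
    var isScreenCaptured = false
    var isSystemPasscodeEnabled = true
    var isEmulator = false
}

enum RiskDecision: Equatable {
    case allow
    case stepUp(reasons: [String])   // require extra user verification
    case deny(reasons: [String])     // refuse the sensitive operation
}

/// Maps one snapshot of RASP signals to a decision for a sensitive operation.
/// Which signals deny and which only step up is an example policy (assumption).
func evaluate(_ s: RaspSnapshot) -> RiskDecision {
    // Signals that indicate a compromised or instrumented runtime.
    let hard: [(Bool, String)] = [
        (s.isJailbroken, "jailbreak"),
        (s.isDebuggerConnected, "debugger"),
        (s.isRepackaged, "repackaged"),
    ]
    // Signals that raise risk but also occur on legitimate devices.
    let soft: [(Bool, String)] = [
        (s.isReverseEngineeringToolsPresent, "reverse-engineering-tools"),
        (s.isHttpProxyEnabled, "http-proxy"),
        (s.isScreenCaptured, "screen-captured"),
        (!s.isSystemPasscodeEnabled, "no-system-passcode"),
        (s.isEmulator, "simulator"),
    ]
    let hardHits = hard.filter { $0.0 }.map { $0.1 }
    let softHits = soft.filter { $0.0 }.map { $0.1 }
    if !hardHits.isEmpty { return .deny(reasons: hardHits + softHits) }
    if !softHits.isEmpty { return .stepUp(reasons: softHits) }
    return .allow
}

// Constructed sample: proxy enabled and no passcode on an otherwise clean device.
let sample = RaspSnapshot(isHttpProxyEnabled: true, isSystemPasscodeEnabled: false)
print(evaluate(sample))
```

In an app, the snapshot fields would be filled from the corresponding appProtection.rasp properties immediately before the operation, so the decision reflects the current device state rather than the state at launch.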

Last updated on Feb 11, 2022 (10:00)



