RASP Feature Overview

RASP (runtime application self-protection) features protect the app against several attack vectors.

Android platform

Currently, Malwarelytics for Android offers the following RASP features:

  • Root Detection
  • Emulator Detection
  • Debugger Protection
  • Repackaging Detection
  • Screen Sharing Detection
  • Tapjacking Protection
  • Changing of App’s Process Name
  • HTTP Proxy Detection
  • VPN Detection
  • Detection of ADB Status
  • Active Call Detection
  • App Presence Detection
  • Screenshot Blocking
  • Screen Reader Blocking
  • Detection of Screen Lock Usage
  • Detection of Biometry Status
  • Detection of Play Protect Status
  • Detection of Developer Options Status

More about the RASP features available for the Android platform can be found in the documentation of the native library.

Apple platform

Currently, Malwarelytics for Apple covers the following RASP problems:

  • Jailbreak Detection
  • Debugger Detection
  • Repackaging Detection
  • Reverse Engineering Tools Detection
  • HTTP Proxy Detection
  • Screen Sharing Detection
  • Screenshot Detection
  • System Passcode Status Change
  • System Biometry Status Change
  • VPN Detection
  • Active Call Detection
  • App Presence Detection

More about the RASP features available for the Apple platform can be found in the documentation of the native library.

Configuring Detections

To configure RASP detections, use the androidConfig.raspConfig and appleConfig.raspConfig properties during the initialization of the SDK:

// Note that all the following configurations are optional; you can pass an empty object {} and it will work.
// It is recommended to set your client id though, to identify the user.
await window.plugins.malwarelytics.initialize({
    // Configuration for the Android platform
    androidConfig: {
        raspConfig: { // configuration of the Runtime Application Self Protection
            // when the device is an emulator, exit and show url
            emulator: { action: "EXIT", exitUrl: "https://wultra.com?exit=emulator" },
            // when the device is rooted, exit and show url
            root: { action: "EXIT", exitUrl: "https://wultra.com?exit=root", exitOnRootMinConfidence: 1 },
            // when a debugger is attached, exit and show url
            debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
            // when the app is repackaged, exit and show url
            repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackage", signatureHash: ["..."] },
            // when screen is shared, notify via the observer
            screenSharing: { action: "NOTIFY" },
            // block screenshots
            screenshot: { blockAction: "BLOCK", detectionAction: "NOTIFY" },
            // block screenreaders, use the built-in list of allowed screenreaders (legitimate accessibility apps)
            screenReader: { action: "BLOCK" },
            // change process name to a stealthy name
            processName: { action: "USE_STEALTHY" },
            // block tapjacking apps which are HIGHLY_DANGEROUS or MALWARE, don't ignore system apps, don't allow any app exceptions
            tapjacking: { action: "BLOCK", blockTapjackingSensitivity: "HIGHLY_DANGEROUS", ignoreTapjackingSystemApps: false, allowedTapjackingApps: [] },
            // when HTTP proxy changes, notify via the observer
            httpProxy: { action: "NOTIFY" },
            // when VPN changes, notify via the observer
            vpn: { action: "NOTIFY" },
            // when ADB is on, notify via the observer
            adb: { action: "NOTIFY" },
            // when active call is started or ended, notify via the observer
            activeCall: { action: "NOTIFY" },
            // when there's an app present, notify via the observer
            appPresence: { action: "NOTIFY", remoteDesktopApps: [
                { displayName: "AnyDesk", packageName: "com.anydesk.anydeskandroid"}
            ] },
            // whether to send outputs of RASP info methods to the remote server
            sendInfoOutputs: true
        }
    },

    // Configuration for the Apple platform
    appleConfig: {
        raspConfig: { // configuration of the Runtime Application Self Protection
            // when the device is jailbroken, exit and show url
            jailbreak: { action: "EXIT", exitUrl: "https://wultra.com?exit=jailbreak" },
            // when debugger is connected, exit and show url
            debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
            // when reverse engineering tools are present, notify via the observer
            reverseEngineeringTools: { action: "NOTIFY" },
            // when HTTP proxy is on, notify via the observer
            httpProxy: { action: "NOTIFY" },
            // when the app is repackaged, exit and show url
            repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackaged", base64EncodedTrustedCertificates: ["BASE64encodedcert"]},
            // when screen is being captured, notify via the observer
            screenCapture: { action: "NOTIFY" },
            // when VPN is on, notify via the observer
            vpnChanged: { action: "NOTIFY" },
            // when there's an ongoing call, notify via the observer
            callDetection: { action: "NOTIFY" },
            // when there's an app present, notify via the observer
            appPresence: { action: "NOTIFY", apps: knownApps } // knownApps: an array of MalwarelyticsAppleDetectableApp defined elsewhere in your app
        }
    }
});

Obtaining Detection Results

Once Malwarelytics is initialized with the configuration above, RASP results can be obtained through observers or by proactively checking the status of a particular feature.

Observing RASP Detections

When a RASP event occurs (for example, when a debugger tries to attach to the app), the observer is notified (if the feature is configured to do so). You can set observers for both the Android and Apple platforms.

// Android observer
let observerAndroid: MalwarelyticsAndroidRASPObserver = {
    debuggerDetected(detected: boolean) { console.log("RASP DEBUGGER DETECTED " + detected); },
    emulatorDetected(emulatorDetection: EmulatorDetection) { console.log("RASP EMULATOR DETECTED " + JSON.stringify(emulatorDetection)); },
    repackagingDetected(repackagingResult: RepackagingResult) {console.log("RASP REPACKAGING DETECTED " + JSON.stringify(repackagingResult)); },
    rootDetected(rootDetection: RootDetection) { console.log("RASP ROOT DETECTED " + JSON.stringify(rootDetection)); },
    screenSharingDetected(screenSharingDetection: ScreenSharingDetection) { console.log("RASP SCREEN SHARING DETECTED " + JSON.stringify(screenSharingDetection)); },
    screenReaderDetected(screenReaderDetection: ScreenReaderDetection) { console.log("RASP SCREEN READER DETECTED " + JSON.stringify(screenReaderDetection)); },
    screenshotDetected(screenshotDetection: ScreenshotDetection) { console.log("RASP SCREENSHOT DETECTED " + JSON.stringify(screenshotDetection)); },
    tapjackingDetected(tapjackingDetection: TapjackingDetection) { console.log("RASP TAPJACKING DETECTED " + JSON.stringify(tapjackingDetection)); },
    httpProxyDetected(httpProxyDetection: HttpProxyDetection) { console.log("HTTP PROXY DETECTED " + JSON.stringify(httpProxyDetection)); },
    vpnDetected(vpnEnabled: boolean) { console.log("RASP VPN DETECTED " + vpnEnabled); },
    adbStatusDetected(adbStatus: boolean) { console.log("ADB STATUS DETECTED " + adbStatus); },
    activeCallDetected(activeCallDetection: ActiveCallDetection) { console.log("RASP ACTIVE CALL DETECTED " + JSON.stringify(activeCallDetection)); },
    appPresenceDetected(appPresenceDetection: AppPresenceDetection) { console.log("RASP APP PRESENCE DETECTED " + JSON.stringify(appPresenceDetection)); }
}

window.plugins.malwarelytics.android.rasp.setObserver(observerAndroid);

// Apple observer
let observerApple: MalwarelyticsAppleRASPObserver = {
    debuggerDetected() { alert("Debugger detected ") },
    jailbreakDetected() { alert("Jailbreak detected") },
    repackageDetected() { alert("Repackaging detected") },
    httpProxyEnabled() { alert("HTTP proxy detected") },
    userScreenshotDetected() { alert("Screenshot detected") },
    screenCapturedChanged(isCaptured: boolean) { alert("Screen capture changed to " + isCaptured) },
    reverseEngineeringToolsDetected() { alert("Reverse Engineering Tools Detected") },
    systemPasscodeConfigurationChanged(enabled: boolean) { alert("Device Passcode changed to " + enabled) },
    systemBiometryConfigurationChanged(enabled: boolean) { alert("Device Biometry changed to " + enabled) },
    vpnChanged(active: boolean) { alert("VPN changed: " + active) },
    onCallChanged(isOnCall: boolean) { alert("OnCall: " + isOnCall) },
    installedAppsChanged(installedApps: MalwarelyticsAppleDetectableApp[]) { alert("installedAppsChanged") }
}

window.plugins.malwarelytics.apple.rasp.setObserver(observerApple);
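Rather than a console.log per callback, an app usually wants every detection funneled into one reporting path that also records whether the event is one the configuration treats as fatal. The following is an added example, not code from the Malwarelytics plugin: it builds the Android observer object from the callback names shown above, normalizes each callback into one event shape, and forwards it to a single `report` function (the `detected` payload field it inspects is an assumption, not documented on this page).

```javascript
// Map of observer callback name -> feature label, taken from the
// Android observer method names shown on this page.
const ANDROID_FEATURES = {
  debuggerDetected: "debugger",
  emulatorDetected: "emulator",
  repackagingDetected: "repackaging",
  rootDetected: "root",
  screenSharingDetected: "screenSharing",
  screenReaderDetected: "screenReader",
  screenshotDetected: "screenshot",
  tapjackingDetected: "tapjacking",
  httpProxyDetected: "httpProxy",
  vpnDetected: "vpn",
  adbStatusDetected: "adb",
  activeCallDetected: "activeCall",
  appPresenceDetected: "appPresence",
};

// Features the sample configuration above handles with action "EXIT".
const FATAL_FEATURES = new Set(["debugger", "emulator", "repackaging", "root"]);

// Normalize one callback into { feature, detected, fatal, payload }.
function normalizeEvent(feature, payload) {
  // Boolean callbacks (debugger, vpn, adb) carry the detection itself; object
  // payloads count as detected unless they carry an explicit `detected: false`
  // field (assumed field name, not part of the documented result types).
  const detected = typeof payload === "boolean" ? payload : payload?.detected !== false;
  return { feature, detected, fatal: detected && FATAL_FEATURES.has(feature), payload };
}

// Build an observer whose every handler forwards a normalized event to `report`.
function buildAndroidObserver(report) {
  const observer = {};
  for (const [method, feature] of Object.entries(ANDROID_FEATURES)) {
    observer[method] = (payload) => report(normalizeEvent(feature, payload));
  }
  return observer;
}

// Usage: events are collected in memory here; in the app, `report` would log to
// your backend and the object would be passed to
// window.plugins.malwarelytics.android.rasp.setObserver(...).
const events = [];
const reportingObserver = buildAndroidObserver((e) => events.push(e));
reportingObserver.debuggerDetected(true);                 // constructed sample callback
reportingObserver.vpnDetected(false);                     // constructed sample callback
reportingObserver.rootDetected({ rootConfidence: 0.9 });  // constructed payload shape
```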

Triggering RASP Checks Manually

All the RASP checks can be triggered manually. Most checks expose two methods: one returning the full detection result and one returning a simple boolean.

if (device.platform == "Android") {
    const rootDetection = await window.plugins.malwarelytics.android.rasp.getRootDetection();
    const isDeviceRooted = await window.plugins.malwarelytics.android.rasp.isDeviceRooted();
    // etc...
} else if (device.platform == "iOS") {
    const isDebuggerConnected = await window.plugins.malwarelytics.apple.rasp.isDebuggerConnected();
    const isJailbroken = await window.plugins.malwarelytics.apple.rasp.isDeviceJailbroken();
    // etc...
}
