RASP (runtime application self-protection) features protect the app against several attack vectors.
Currently, Malwarelytics for Android offers the following RASP features:
- Root Detection
- Emulator Detection
- Debugger Protection
- Repackaging Detection
- Screen Sharing Detection
- Tapjacking Protection
- Changing of App’s Process Name
- HTTP Proxy Detection
- VPN Detection
- Detection of ADB Status
- Active Call Detection
- App Presence Detection
- Screenshot Blocking
- Screen Reader Blocking
- Detection of Screen Lock Usage
- Detection of Biometry Status
- Detection of Play Protect Status
- Detection of Developer Options Status
More about the RASP features available for the Android platform can be found in the documentation of the native library.
Currently, Malwarelytics for Apple offers the following RASP features:
- Jailbreak Detection
- Debugger Detection
- Repackaging Detection
- Reverse Engineering Tools Detection
- HTTP Proxy Detection
- Screen Sharing Detection
- Screenshot Detection
- System Passcode Status Change
- System Biometry Status Change
- VPN Detection
- Active Call Detection
- App Presence Detection
More about the RASP features available for the Apple platform can be found in the documentation of the native library.
To configure RASP detections, set the androidConfig.raspConfig and appleConfig.raspConfig properties during the initialization of the SDK:
// Note that all the following configurations are optional; you can pass an empty object {} and it will work.
// It is recommended to set your client id, though, to identify the user.
await window.plugins.malwarelytics.initialize({
// Configuration for the Android platform
androidConfig: {
raspConfig: { // configuration of the Runtime Application Self-Protection
// when the device is an emulator, exit and show url
emulator: { action: "EXIT", exitUrl: "https://wultra.com?exit=emulator" },
// when the device is rooted, exit and show url
root: { action: "EXIT", exitUrl: "https://wultra.com?exit=root", exitOnRootMinConfidence: 1 },
// when a debugger is attached, exit and show url
debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
// when the app is repackaged, exit and show url
repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackage", signatureHash: ["..."] },
// when screen is shared, notify via the observer
screenSharing: { action: "NOTIFY" },
// block screenshots
screenshot: { blockAction: "BLOCK", detectionAction: "NOTIFY" },
// block screenreaders, use the built-in list of allowed screenreaders (legitimate accessibility apps)
screenReader: { action: "BLOCK" },
// change process name to a stealthy name
processName: { action: "USE_STEALTHY" },
// block tapjacking apps which are HIGHLY_DANGEROUS or MALWARE, don't ignore system apps, don't allow any app exceptions
tapjacking: { action: "BLOCK", blockTapjackingSensitivity: "HIGHLY_DANGEROUS", ignoreTapjackingSystemApps: false, allowedTapjackingApps: [] },
// when HTTP proxy changes, notify via the observer
httpProxy: { action: "NOTIFY" },
// when VPN changes, notify via the observer
vpn: { action: "NOTIFY" },
// when ADB is on, notify via the observer
adb: { action: "NOTIFY" },
// when active call is started or ended, notify via the observer
activeCall: { action: "NOTIFY" },
// when there's an app present, notify via the observer
appPresence: { action: "NOTIFY", remoteDesktopApps: [
{ displayName: "AnyDesk", packageName: "com.anydesk.anydeskandroid"}
] },
// whether to send outputs of RASP info methods to the remote server
sendInfoOutputs: true
}
},
// Configuration for the Apple platform
appleConfig: {
raspConfig: { // configuration of the Runtime Application Self-Protection
// when the device is jailbroken, exit and show url
jailbreak: { action: "EXIT", exitUrl: "https://wultra.com?exit=jailbreak" },
// when debugger is connected, exit and show url
debugger: { action: "EXIT", exitUrl: "https://wultra.com?exit=debugger" },
// when reverse engineering tools are present, notify via the observer
reverseEngineeringTools: { action: "NOTIFY" },
// when HTTP proxy is on, notify via the observer
httpProxy: { action: "NOTIFY" },
// when the app is repackaged, exit and show url
repackage: { action: "EXIT", exitUrl: "https://wultra.com?exit=repackaged", base64EncodedTrustedCertificates: ["BASE64encodedcert"]},
// when screen is being captured, notify via the observer
screenCapture: { action: "NOTIFY" },
// when VPN is on, notify via the observer
vpnChanged: { action: "NOTIFY" },
// when there's an ongoing call, notify via the observer
callDetection: { action: "NOTIFY" },
// when there's an app present, notify via the observer
// knownApps is an array of MalwarelyticsAppleDetectableApp descriptors defined elsewhere in your app
appPresence: { action: "NOTIFY", apps: knownApps }
}
}
});
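The configuration above hard-codes EXIT for every tamper indicator, which is what you want in a release build but will terminate any developer build running under a debugger or in an emulator, and it still carries the placeholder trust values ("..." and "BASE64encodedcert") that must be replaced before shipping. The following is an added example, not the plugin's own code: it derives the raspConfig from the build type and validates it before initialize() is called. The option names are the ones shown in the configuration above; buildRaspConfig(), validateRaspConfig(), EXIT_BASE_URL and the placeholder checks are this example's own assumptions.

```javascript
// Added example (not the plugin's code): build the RASP configuration from the
// build type and validate it before handing it to the SDK.
const EXIT_BASE_URL = "https://example.invalid/exit"; // assumed landing page

// "..." and "BASE64encodedcert" are the placeholders used in the sample config;
// shipping them would leave repackaging detection with no real trust anchor.
function isPlaceholder(value) {
  return typeof value !== "string" || value.trim() === "" || value === "..." || value === "BASE64encodedcert";
}

function buildRaspConfig({ production, androidSignatureHashes, appleTrustedCertificates }) {
  // Tamper indicators terminate the app in production; in development they
  // only notify the observer so debuggers and emulators keep working.
  const tamperAction = production ? "EXIT" : "NOTIFY";
  const exitUrl = (reason) => `${EXIT_BASE_URL}?reason=${reason}`;

  return {
    androidConfig: {
      raspConfig: {
        emulator: { action: tamperAction, exitUrl: exitUrl("emulator") },
        root: { action: tamperAction, exitUrl: exitUrl("root"), exitOnRootMinConfidence: 1 },
        debugger: { action: tamperAction, exitUrl: exitUrl("debugger") },
        repackage: { action: tamperAction, exitUrl: exitUrl("repackage"), signatureHash: androidSignatureHashes },
        screenSharing: { action: "NOTIFY" },
        screenshot: { blockAction: "BLOCK", detectionAction: "NOTIFY" },
        screenReader: { action: "BLOCK" },
        tapjacking: { action: "BLOCK", blockTapjackingSensitivity: "HIGHLY_DANGEROUS", ignoreTapjackingSystemApps: false, allowedTapjackingApps: [] },
        httpProxy: { action: "NOTIFY" },
        vpn: { action: "NOTIFY" },
        adb: { action: "NOTIFY" },
        sendInfoOutputs: true,
      },
    },
    appleConfig: {
      raspConfig: {
        jailbreak: { action: tamperAction, exitUrl: exitUrl("jailbreak") },
        debugger: { action: tamperAction, exitUrl: exitUrl("debugger") },
        repackage: { action: tamperAction, exitUrl: exitUrl("repackage"), base64EncodedTrustedCertificates: appleTrustedCertificates },
        reverseEngineeringTools: { action: "NOTIFY" },
        httpProxy: { action: "NOTIFY" },
        screenCapture: { action: "NOTIFY" },
        vpnChanged: { action: "NOTIFY" },
      },
    },
  };
}

// Returns a list of problems; an empty list means the config is safe for that build type.
function validateRaspConfig(config, production) {
  const problems = [];
  const android = config.androidConfig.raspConfig;
  const apple = config.appleConfig.raspConfig;
  const mustExit = [
    ["androidConfig.raspConfig.debugger", android.debugger],
    ["androidConfig.raspConfig.repackage", android.repackage],
    ["appleConfig.raspConfig.debugger", apple.debugger],
    ["appleConfig.raspConfig.repackage", apple.repackage],
  ];
  const trustLists = [
    ["androidConfig.raspConfig.repackage.signatureHash", android.repackage.signatureHash],
    ["appleConfig.raspConfig.repackage.base64EncodedTrustedCertificates", apple.repackage.base64EncodedTrustedCertificates],
  ];
  if (production) {
    for (const [name, section] of mustExit) {
      if (section.action !== "EXIT") problems.push(`${name}: action must be EXIT in production`);
    }
    for (const [name, list] of trustLists) {
      if (!Array.isArray(list) || list.length === 0 || list.some(isPlaceholder)) {
        problems.push(`${name}: missing or placeholder value`);
      }
    }
  } else {
    for (const [name, section] of mustExit) {
      if (section.action === "EXIT") problems.push(`${name}: EXIT will terminate developer builds`);
    }
  }
  return problems;
}

// Usage at app start (window.plugins only exists inside Cordova):
// const cfg = buildRaspConfig({ production: !DEBUG, androidSignatureHashes: [...], appleTrustedCertificates: [...] });
// if (validateRaspConfig(cfg, !DEBUG).length) throw new Error("refusing to start with an unsafe RASP config");
// await window.plugins.malwarelytics.initialize(cfg);
```

Refusing to initialize on a failed validation is deliberate: a release build that silently falls back to NOTIFY, or that trusts a placeholder certificate, looks protected in the dashboard while detecting nothing.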
Once Malwarelytics is initialized with a RASP configuration, the RASP features can be used in two ways: through observers, or by proactively querying the status of a particular feature.
When a RASP event occurs (for example, when a debugger attempts to attach to the app), the observer is notified, provided the feature is configured to notify. Observers can be set for both the Android and Apple platforms.
// Android observer
let observerAndroid: MalwarelyticsAndroidRASPObserver = {
debuggerDetected(detected: boolean) { console.log("RASP DEBUGGER DETECTED " + detected); },
emulatorDetected(emulatorDetection: EmulatorDetection) { console.log("RASP EMULATOR DETECTED " + JSON.stringify(emulatorDetection)); },
repackagingDetected(repackagingResult: RepackagingResult) { console.log("RASP REPACKAGING DETECTED " + JSON.stringify(repackagingResult)); },
rootDetected(rootDetection: RootDetection) { console.log("RASP ROOT DETECTED " + JSON.stringify(rootDetection)); },
screenSharingDetected(screenSharingDetection: ScreenSharingDetection) { console.log("RASP SCREEN SHARING DETECTED " + JSON.stringify(screenSharingDetection)); },
screenReaderDetected(screenReaderDetection: ScreenReaderDetection) { console.log("RASP SCREEN READER DETECTED " + JSON.stringify(screenReaderDetection)); },
screenshotDetected(screenshotDetection: ScreenshotDetection) { console.log("RASP SCREENSHOT DETECTED " + JSON.stringify(screenshotDetection)); },
tapjackingDetected(tapjackingDetection: TapjackingDetection) { console.log("RASP TAPJACKING DETECTED " + JSON.stringify(tapjackingDetection)); },
httpProxyDetected(httpProxyDetection: HttpProxyDetection) { console.log("RASP HTTP PROXY DETECTED " + JSON.stringify(httpProxyDetection)); },
vpnDetected(vpnEnabled: boolean) { console.log("RASP VPN DETECTED " + vpnEnabled); },
adbStatusDetected(adbStatus: boolean) { console.log("RASP ADB STATUS DETECTED " + adbStatus); },
activeCallDetected(activeCallDetection: ActiveCallDetection) { console.log("RASP ACTIVE CALL DETECTED " + JSON.stringify(activeCallDetection)); },
appPresenceDetected(appPresenceDetection: AppPresenceDetection) { console.log("RASP APP PRESENCE DETECTED " + JSON.stringify(appPresenceDetection)); }
}
window.plugins.malwarelytics.android.rasp.setObserver(observerAndroid);
// Apple observer
let observerApple: MalwarelyticsAppleRASPObserver = {
debuggerDetected() { alert("Debugger detected ") },
jailbreakDetected() { alert("Jailbreak detected") },
repackageDetected() { alert("Repackaging detected") },
httpProxyEnabled() { alert("HTTP proxy detected") },
userScreenshotDetected() { alert("Screenshot detected") },
screenCapturedChanged(isCaptured: boolean) { alert("Screen capture changed to " + isCaptured) },
reverseEngineeringToolsDetected() { alert("Reverse Engineering Tools Detected") },
systemPasscodeConfigurationChanged(enabled: boolean) { alert("Device Passcode changed to " + enabled) },
systemBiometryConfigurationChanged(enabled: boolean) { alert("Device Biometry changed to " + enabled) },
vpnChanged(active: boolean) { alert("VPN changed: " + active) },
onCallChanged(isOnCall: boolean) { alert("OnCall: " + isOnCall) },
installedAppsChanged(installedApps: MalwarelyticsAppleDetectableApp[]) { alert("installedAppsChanged") }
}
window.plugins.malwarelytics.apple.rasp.setObserver(observerApple);
Every RASP check can also be triggered on demand. Most features expose two methods: one that returns a detailed detection result (for example getRootDetection()) and one that returns a simple boolean (for example isDeviceRooted()).
if (device.platform == "Android") {
const rootDetection = await window.plugins.malwarelytics.android.rasp.getRootDetection();
const isDeviceRooted = await window.plugins.malwarelytics.android.rasp.isDeviceRooted();
// etc...
} else if (device.platform == "iOS") {
const isDebuggerConnected = await window.plugins.malwarelytics.apple.rasp.isDebuggerConnected();
const isJailbroken = await window.plugins.malwarelytics.apple.rasp.isDeviceJailbroken();
// etc...
}
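On-demand checks are most useful as a gate in front of a sensitive action (a payment screen, a credential entry) rather than as a one-off at startup, and the gate has to fail closed: a native call that rejects must not quietly let the action through. The following is an added example, not the plugin's own code. isDeviceRooted(), isDeviceJailbroken() and isDebuggerConnected() are the calls shown above; assessDevice(), runCheck() and the fake plugin are this example's assumptions, and the plugin object is injected so the policy can be exercised outside Cordova.

```javascript
// Added example (not the plugin's code): fail-closed gate built on the
// on-demand RASP checks. `plugin` stands for window.plugins.malwarelytics.
async function runCheck(name, call, results) {
  try {
    results.flags[name] = Boolean(await call());
  } catch (err) {
    // Fail closed: a native call that throws counts as a positive finding
    // rather than silently disabling the gate.
    results.flags[name] = true;
    results.errors.push(`${name}: ${err.message}`);
  }
}

async function assessDevice(platform, plugin) {
  const results = { flags: {}, errors: [] };
  if (platform === "Android") {
    await runCheck("rooted", () => plugin.android.rasp.isDeviceRooted(), results);
  } else if (platform === "iOS") {
    await runCheck("jailbroken", () => plugin.apple.rasp.isDeviceJailbroken(), results);
    await runCheck("debugger", () => plugin.apple.rasp.isDebuggerConnected(), results);
  } else {
    // Unknown platform: nothing was verified, so the action is not allowed.
    results.errors.push(`unsupported platform: ${platform}`);
  }
  const findings = Object.keys(results.flags).filter((name) => results.flags[name]);
  return {
    allowed: findings.length === 0 && results.errors.length === 0,
    findings,
    errors: results.errors,
  };
}

// Constructed stand-in for window.plugins.malwarelytics, used only to run the
// gate offline; each method returns a promise like the real plugin calls do.
function fakePlugin({ rooted = false, jailbroken = false, debuggerAttached = false, failing = null } = {}) {
  const call = (name, value) => async () => {
    if (failing === name) throw new Error("native call failed");
    return value;
  };
  return {
    android: { rasp: { isDeviceRooted: call("rooted", rooted) } },
    apple: {
      rasp: {
        isDeviceJailbroken: call("jailbroken", jailbroken),
        isDebuggerConnected: call("debugger", debuggerAttached),
      },
    },
  };
}

// In the app (device and window exist only inside Cordova):
// const verdict = await assessDevice(device.platform, window.plugins.malwarelytics);
// if (!verdict.allowed) { /* hide the sensitive screen and report verdict.findings */ }
```

The verdict separates findings (a check that returned true) from errors (a check that could not run) so telemetry can tell a rooted device from a broken native bridge, while both block the action.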