-
Notifications
You must be signed in to change notification settings - Fork 18
Threat detection
FreeRASP performs several security checks to detect potential threats to the application during its runtime. Each covers a particular attack vector, and users can choose how to respond to the incidents on their own. Users can implement an application to kill itself, send a warning, fetch the incident's details, or ignore it entirely.
To help choose an appropriate response, we briefly explain the available checks. Please note that proper response depends heavily on application security requirements and use cases.
Root detection on Android
onRootDetected: () => print('Root detected')iOS jailbreaking detection
onJailbreakDetected: () => print('Jailbreak detected')Rooting/jailbreaking is a technique of acquiring privileged control over the operating system of an Android/iOS device. While most users root their devices to overcome the limitations put on the devices by the manufacturers, it also enables those with malicious intent to abuse privileged access and steal sensitive information. Various OS checks are performed to detect a rooted device.
Recommended action: get a warning about rooted device
Android emulator check
onEmulatorDetected: () => print('Emulator detected')iOS simulator detection
onSimulatorDetected: () => print('Simulator detected')Attackers may be able to extract an application and run it on an emulator to analyze its execution or to hook it. This method checks the running environment to provide real-time detection of emulators and makes tracing program execution much harder.
Recommended action: get info about the device and kill the application
Android hook check
onHookDetected: () => print('Hook detected')iOS hook check
onRuntimeManipulationDetected: () => print('Runtime manipulation detected')Hooking is a collection of techniques aimed at modifying the behavior of applications by intercepting function calls, messages, or system events. While hooking has many valid uses, such as debugging, it is often used to insert malicious code and monitor program behavior. freeRASP looks for the well-known hooking frameworks to prevent any hooking attempts.
Recommended action: get info about the device and kill the application
Android tampering
onTamperDetected: () => print('Tamper detected')iOS tampering
onSignatureDetected: () => print('Signature detected')Applications can be easily extracted, altered, and repackaged. We use different checks, including verifying the signing certificate to prevent attackers from removing licenses or protections and simply resigning it.
Recommended action: kill the application
Android Keystore
onHWBackedKeystoreDetected: () => print('Hw backed keystore'),iOS Secure Enclave
onMissingSecureEnclaveDetected: () => print('Missing secure enclave detected')The Secure Enclave and the Android Keystore system make it very difficult to decrypt sensitive data without physical access to the device. In that order, these keys need to be stored securely. FreeRASP checks if the keys reside inside secure hardware.
Android binding check
onDeviceBinding: () => print('Device binding detected')iOS binding methods
onDeviceChangeDetected: () => print('Device change detected')onDeviceIdDetected: () => print('Device ID detected')Device binding is attaching an application instance to a particular mobile device. It's used for user authentication by confirming that a user owns a trusted device. This method detects a transfer of an application instance to another device.
Recommended action: get info about the device
Android installation check
onUntrustedInstallationDetected: () => print('Untrusted installation detected')iOS installation check
onUnofficialStoreDetected: () => print('Unofficial store')Users can share a copy of the application on unofficial stores or various pirate forums. While some users download these copies to avoid paying for the product, they can include unknown and possibly dangerous modifications. Verifying an official installation consequently protects both the users and the owner.
Recommended action: get info about the device and kill the application
Android lock check
onPasscodeSetDetected: () => print('Passcode set'),iOS lock check
onPasscodeDetected: () => print('Passcode detected')Saving any sensitive data on a device without a lock makes them more prone to theft. With no user authentification device can be accessed and modified with minimal effort. freeRASP checks if the device is secured with any type of lock.
Recommended action: get info about the unsecured device
Android/iOS method
onDebuggerDetected: () => print("Debugger detected")While most developers use debuggers to trace the flow of their program during its execution same tool can be attached to an application in an attempt to reverse engineer, check memory values, and steal confidential information. This method looks for specific flags to determine whether the debugger is active and offers the option to disable it.
Recommended action: get device information and disable the debugger