Configuration of App Shielding for iOS apps
- Updated on 18 Oct 2024
OneSpan Customer Portal
To configure App Shielding for your applications, select the options on the Configuration Page of the OneSpan Customer Portal as needed.
Configuration options for iOS
| Option | Description |
|---|---|
| Settings | |
| Exit on debugger URL | There is no guarantee that this URL is triggered even though a debugger is attached. It is recommended to not use this option. This option is deprecated and will be removed in the future. |
| Check developer mode | Checks if Developer Mode is enabled on the device. Developer Mode was introduced in iOS 16 and enables development capabilities on an iOS device. When enabled, it reduces the security of the device, since it exposes attack vectors that abuse developer-only functionality. |
| Exit on developer mode | Determines whether to exit the application when Developer Mode is detected on the device. |
| Exit on developer mode URL | If Exit on developer mode is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked. |
| Check hooking frameworks | Checks if hooking frameworks were detected in the application's process. |
| Exit on hooking frameworks | Determines whether to exit the application when hooking frameworks are detected in the application's process. Depends on: Check hooking frameworks |
| Exit on hooking frameworks URL | If Exit on hooking frameworks is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked. Depends on: Exit on hooking frameworks |
| Check jailbreak | Checks if the device on which the application runs is jailbroken. |
| Exit on jailbreak | Determines whether to exit the application if the device is jailbroken. Depends on: Check jailbreak |
| Exit on jailbreak URL | If Exit on jailbreak is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked. Depends on: Exit on jailbreak |
| User screenshot monitor | Checks if the user takes a screenshot of the application. |
| Block screenshots | Prevents screenshots of the application window. |
| Block external screens | Prevents screen recording and mirroring of the application window. Screen mirroring can originate from external screens connected through an adapter or through AirPlay. |
| Application signer certificate | The certificate used to sign the application. |
| Check screen recording | Checks if a screen is being recorded. |
| Prevent runtime library injection | Prevents injection of libraries into the application during runtime. |
| Check load-time library injection | Checks if libraries were injected into the application's process at load-time. App Shielding protects against injection of libraries during runtime, but it cannot prevent injection of libraries during load-time. As a second layer of protection against load-time injection, App Shielding can therefore detect when there are libraries inside the process that should not be there, i.e. have been injected. |
| Exit on load-time library injection | Determines whether to exit the application when libraries were injected into the application's process at load-time. OneSpan highly recommends having this setting enabled for release versions, ideally in combination with the browser reporting feature. Once libraries have been injected into the app's process, the application cannot be trusted anymore, meaning that code that reacts to callbacks can easily be patched out. Also note that code injection usually happens on jailbroken devices that have the hooking framework MobileSubstrate installed, which injects libraries into all processes. Because of that, users of apps that are protected by App Shielding should be advised to uninstall MobileSubstrate. Depends on: Check load-time library injection |
| Exit on load-time library injection URL | If Exit on load-time library injection is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked. Depends on: Exit on load-time library injection |
| Updatable configuration | |
| Updatable configuration | Specify whether the app will use the Automatic Configuration feature. |
Since App Shielding v4.0, it is no longer possible to disable the checkRepackaging and exitOnRepackaging configuration options. If App Shielding detects that the application was repackaged, it will crash and shut down the application during startup. Ensure that you always specify the correct signer certificate, configured with the applicationSignerCertificate option. For more information, see Application signer certificate.
Also, as of App Shielding version 4.0, anti-debugging has been improved to ensure that the blockDebugger, checkDebugger, and exitOnDebugger options cannot be disabled.
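The "Depends on" relations in the table and the forced options described in the two notes above are easy to get wrong when a configuration is copied between projects. The following is an added example, not OneSpan's code, of a small lint pass over an option set. Its keys follow the camelCase pattern the page uses for checkRepackaging, exitOnRepackaging, applicationSignerCertificate, blockDebugger, checkDebugger and exitOnDebugger; the remaining keys (checkJailbreak, exitOnJailbreakURL and so on) are assumed names derived from the table's row labels, not confirmed identifiers, and the sample configuration is constructed.

```python
# Added example (not OneSpan's code): lint an App Shielding iOS option set
# against the "Depends on" relations and the v4.0 forced options listed on
# this page. Keys other than the six camelCase names the page itself uses are
# assumed names derived from the table's row labels.
from typing import Dict, List, Union

Config = Dict[str, Union[bool, str, List[str]]]

# "Depends on" relations stated in the options table: the key on the left only
# has an effect when the option on the right is also enabled.
DEPENDS_ON = {
    "exitOnHookingFrameworks": "checkHookingFrameworks",
    "exitOnHookingFrameworksURL": "exitOnHookingFrameworks",
    "exitOnJailbreak": "checkJailbreak",
    "exitOnJailbreakURL": "exitOnJailbreak",
    "exitOnLoadTimeLibraryInjection": "checkLoadTimeLibraryInjection",
    "exitOnLoadTimeLibraryInjectionURL": "exitOnLoadTimeLibraryInjection",
}

# Options that cannot be disabled since App Shielding v4.0.
FORCED_ON = ("blockDebugger", "checkDebugger", "exitOnDebugger",
             "checkRepackaging", "exitOnRepackaging")

# Deprecated on this page: not guaranteed to fire, scheduled for removal.
DEPRECATED = ("exitOnDebuggerURL",)

# Recommended for release builds on this page.
RECOMMENDED_FOR_RELEASE = ("exitOnLoadTimeLibraryInjection",)


def _enabled(cfg: Config, key: str) -> bool:
    """A bool is enabled when True; a URL or certificate list when non-empty."""
    value = cfg.get(key)
    if isinstance(value, bool):
        return value
    return bool(value)


def lint_config(cfg: Config, release: bool = True) -> List[str]:
    """Return findings as 'error: ...' / 'warning: ...' strings, in a stable order."""
    findings: List[str] = []
    for key, parent in DEPENDS_ON.items():
        if _enabled(cfg, key) and not _enabled(cfg, parent):
            findings.append(f"error: {key} has no effect because {parent} is not enabled")
    for key in FORCED_ON:
        if cfg.get(key) is False:
            findings.append(f"error: {key} cannot be disabled since v4.0; the value False is ignored")
    for key in DEPRECATED:
        if _enabled(cfg, key):
            findings.append(f"warning: {key} is deprecated and not guaranteed to trigger; remove it")
    if not _enabled(cfg, "applicationSignerCertificate"):
        findings.append("error: applicationSignerCertificate is empty; repackaging detection "
                        "compares the app's signer against this list and cannot be turned off")
    if release:
        for key in RECOMMENDED_FOR_RELEASE:
            if not _enabled(cfg, key):
                findings.append(f"warning: {key} should be enabled for release builds")
    return findings


# Constructed sample configuration containing several of the mistakes above.
SAMPLE_CONFIG: Config = {
    "checkJailbreak": False,
    "exitOnJailbreak": True,
    "exitOnJailbreakURL": "https://example.invalid/jailbreak-info",   # placeholder URL
    "checkHookingFrameworks": True,
    "exitOnHookingFrameworks": True,
    "checkLoadTimeLibraryInjection": True,
    "exitOnLoadTimeLibraryInjection": False,
    "exitOnDebugger": False,
    "exitOnDebuggerURL": "https://example.invalid/debugger-info",     # placeholder URL
    "applicationSignerCertificate": [],
}

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports the jailbreak exit that can never fire, the attempt to switch off exitOnDebugger, the deprecated URL, the empty signer list, and the load-time injection exit that is off in a release build.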
Application signer certificate
Defines the signer certificate(s) that App Shielding trusts when checking for repackaging. That is, App Shielding assumes the app has been repackaged if the certificate used to sign the app does not match any of the given certificates here. The exception is that App Shielding implicitly trusts the certificates that Apple uses to re-sign an app when it is deployed through TestFlight or the App Store. This implicit trust can be disabled using the disableAppStoreTrust and disableTestFlightTrust options.
To configure App Shielding to trust multiple certificates of your own (e.g., development and distribution certificates), add a separate applicationSignerCertificate option for each certificate.
To export the certificate from the keychain:
1. Launch Keychain Access.
2. Right-click the certificate to use and select Export….
3. Select the Certificate file format (.cer).
OneSpan Mobile Portal
To configure App Shielding for your applications, open the relevant project and configuration in the OneSpan Mobile Portal and select the options as needed.
Configuration options for iOS
| Option | Description |
|---|---|
| Debugger | |
| Exit on debugger URL | The URL of the web page with an explanation to launch when the application is shut down because a debugger has been detected. There is no guarantee that this URL is triggered even though a debugger is attached. It is recommended to not use this option. For more information, see Exit URL Launching. This option is deprecated and will be removed in the future. |
| Developer Mode | |
| Check Developer Mode | Checks if Developer Mode is enabled on the device. Developer Mode was introduced in iOS 16 and enables development capabilities on an iOS device. When enabled, it reduces the security of the device, since it exposes attack vectors that abuse developer-only functionality. |
| Exit on Developer Mode | Determines whether to exit the application when Developer Mode is detected on the device. |
| Exit on developer mode URL | The URL of the web page with an explanation to launch when the application is shut down because Developer Mode has been enabled on the device. For more information, see Exit URL Launching. |
| Hooking Frameworks | |
| Check hooking frameworks | Checks if hooking frameworks were detected in the application's process. |
| Exit on hooking frameworks | Determines whether to exit the application when hooking frameworks are detected in the application's process. Depends on: Check hooking frameworks |
| Exit on hooking frameworks URL | The URL of the web page with an explanation to launch when the application is shut down because a hooking framework has been detected. Depends on: Exit on hooking frameworks |
| Jailbreak | |
| Check jailbreak | Checks if the device on which the application runs is jailbroken. |
| Exit on jailbreak | Determines whether to exit the application if the device is jailbroken. Depends on: Check jailbreak |
| Exit on jailbreak URL | The URL of the web page with an explanation to launch when the application is shut down if the device is jailbroken. For more information, see Exit URL Launching. Depends on: Exit on jailbreak |
| User Screenshots | |
| User screenshot monitor | Checks if the user takes a screenshot of the application. |
| Screen Recording | |
| Check screen recording | Checks if a screen is being recorded. |
| External Screens | |
| Block external screens | Prevents screen recording and mirroring of the application window. Screen mirroring can originate from external screens connected through an adapter or through AirPlay. |
| Block screenshots | Prevents screenshots of the application window. |
| Application signer certificate | The certificate used to sign the application. For more information, see Application signer certificate. |
| Library Injection | |
| Check load-time library injection | Checks if libraries were injected into the application's process during load-time. App Shielding protects against injection of libraries during runtime, but it cannot prevent injection of libraries during load-time. As a second layer of protection against load-time injection, App Shielding can therefore detect when there are libraries inside the process that should not be there, i.e. have been injected. |
| Exit on load-time library injection | Determines whether to exit the application when libraries were injected into the application's process at load-time. We highly recommend enabling this setting for release versions, ideally in combination with the browser reporting feature. Once libraries have been injected into the app's process, the application cannot be trusted anymore, meaning that code that reacts to callbacks can easily be patched out. Code injection usually happens on jailbroken devices that have the hooking framework MobileSubstrate installed, which injects libraries into all processes. Because of that, users of apps that are protected by App Shielding should be advised to uninstall MobileSubstrate. Depends on: Check load-time library injection |
| Exit on load-time library injection URL | The URL of the web page with an explanation to launch when the application is shut down because an injected library has been detected. Depends on: Exit on load-time library injection |
| Runtime Library Injection | |
| Prevent runtime library injection | Prevents injection of libraries into the application during runtime. |
| Updatable configuration | Specify whether the app will use the Automatic Configuration feature. For more information, see App Shielding configuration. |
Since App Shielding v4.0, it is no longer possible to disable the checkRepackaging and exitOnRepackaging configuration options. If App Shielding detects that the application was repackaged, it will terminate unexpectedly and shut down the application during startup. Ensure that you always specify the correct signer certificate, configured with the applicationSignerCertificate option. For more information, see Application signer certificate.
Also, as of App Shielding version 4.0, anti-debugging has been improved to ensure that the blockDebugger, checkDebugger, and exitOnDebugger options cannot be disabled.
Application signer certificate
Defines the signer certificate(s) that App Shielding trusts when checking for repackaging. That is, App Shielding assumes the app has been repackaged if the certificate used to sign the app does not match any of the given certificates here. The exception is that App Shielding implicitly trusts the certificates that Apple uses to re-sign an app when it is deployed through TestFlight or the App Store. This implicit trust can be disabled using the disableAppStoreTrust and disableTestFlightTrust options.
To configure App Shielding to trust multiple certificates of your own (e.g., development and distribution certificates), add a separate applicationSignerCertificate option for each certificate.
To export the certificate from the keychain:
1. Launch Keychain Access.
2. Right-click the certificate to use and select Export….
3. Select the Certificate file format (.cer).
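Two things are worth checking before the exported file is attached to the applicationSignerCertificate option: that the export really is a certificate in .cer (DER) form rather than a PEM file or a .p12 bundle, which also carries the private key and must never leave the build machine, and that its fingerprint matches the certificate that actually signed the build. The block below is an added example, not OneSpan's code; it also models the trust decision described under Application signer certificate (configured certificates plus Apple's implicit App Store and TestFlight trust, each of which the disableAppStoreTrust and disableTestFlightTrust options can switch off). The sample blobs are constructed minimal DER structures, not real Apple certificates, and whether a signer is one of Apple's re-signing certificates is assumed to be known to the caller.

```python
# Added example (not OneSpan's code): sanity-check a certificate exported for
# the applicationSignerCertificate option and model the repackaging trust
# decision described on the page. Sample blobs are constructed minimal DER
# structures, not real Apple certificates.
import base64
import hashlib
import re
from typing import Optional, Set


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_read(data: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, pos + 2 + nbytes + length


PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def classify_export(blob: bytes) -> str:
    """'der-certificate', 'pem-certificate', 'pkcs12' or 'unknown'."""
    if PEM_RE.search(blob):
        return "pem-certificate"
    try:
        outer_tag, start, end = _der_read(blob, 0)
        if outer_tag != 0x30 or end != len(blob):
            return "unknown"
        inner_tag, _, _ = _der_read(blob, start)
    except IndexError:
        return "unknown"
    if inner_tag == 0x30:   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der-certificate"
    if inner_tag == 0x02:   # PFX ::= SEQUENCE { version INTEGER, ... } (PKCS#12)
        return "pkcs12"
    return "unknown"


def to_der(blob: bytes) -> bytes:
    """Convert a PEM export to DER; DER input is returned unchanged."""
    m = PEM_RE.search(blob)
    return base64.b64decode(b"".join(m.group(1).split())) if m else blob


def fingerprint_sha256(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as openssl x509 -fingerprint -sha256 prints it."""
    h = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_export(blob: bytes) -> dict:
    """Accept certificate exports only; a PKCS#12 bundle carries the private key."""
    kind = classify_export(blob)
    if kind == "pkcs12":
        return {"ok": False, "format": kind,
                "reason": "PKCS#12 bundle carries the private key; export the certificate only (.cer)"}
    if kind == "unknown":
        return {"ok": False, "format": kind, "reason": "not a DER or PEM certificate"}
    return {"ok": True, "format": kind, "fingerprint": fingerprint_sha256(to_der(blob))}


def is_repackaged(signer_fp: str, trusted_fps: Set[str], apple_resign: Optional[str] = None,
                  disable_app_store_trust: bool = False,
                  disable_testflight_trust: bool = False) -> bool:
    """Page's rule: trusted if the signer matches a configured certificate, or is Apple's
    App Store / TestFlight re-signing certificate ('appstore' / 'testflight') and that
    implicit trust is not disabled; anything else counts as repackaged."""
    if signer_fp in trusted_fps:
        return False
    if apple_resign == "appstore" and not disable_app_store_trust:
        return False
    if apple_resign == "testflight" and not disable_testflight_trust:
        return False
    return True


# Constructed samples: a certificate-shaped DER blob (the 200-byte signature forces
# a long-form length), its PEM form, and a PKCS#12-shaped blob.
_TBS = _der(0x30, _der(0x02, b"\x01") + _der(0x13, b"Example Distribution constructed"))
_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
CERT_DER = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00" + b"\xaa" * 200))
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER) + b"-----END CERTIFICATE-----\n"
P12_LIKE = _der(0x30, _der(0x02, b"\x03") + _der(0x30, _der(0x04, b"\x00" * 8)))

if __name__ == "__main__":
    for name, blob in (("cer", CERT_DER), ("pem", CERT_PEM), ("p12", P12_LIKE)):
        print(name, check_export(blob))
```

To compare the fingerprint with the certificate that signed a built app, `codesign -d --extract-certificates` on the .app writes the signing chain as DER files (codesign0 is the leaf), and `openssl x509 -inform DER -in codesign0 -noout -fingerprint -sha256` prints the same colon-separated form that `fingerprint_sha256` returns; a mismatch against every configured certificate is exactly the condition under which App Shielding treats the build as repackaged.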