Shielding the Application via the OneSpan Customer Portal
- Updated on 30 Apr 2025
This portal is in the process of being decommissioned. For more information, see App Shielding Portal: Important Notice.
When a configuration is created using the OneSpan Customer Portal, it is possible to shield an application. You can bind your application to App Shielding via the OneSpan Customer Portal either manually or automatically.
App Shielding writes the shielded application to shielded-app.apk in the same directory as the application itself.
Manual shielding
To manually shield an app
In the OneSpan Customer Portal, on the Configuration Page, select the configuration you want to use.
OneSpan Customer Portal – Android configuration page
Upload the binary to be shielded.
When uploaded, click Start Shielding to start the shielding process.
The binary to shield (i.e. APK for Android) can be signed or unsigned.
When the shielding process is completed, download the shielded binary.
Shielding modifies the executable of the application, which means that after shielding, the application needs to be re-signed.
This must be handled with special care so that all required parts of the application are re-signed.
After shielding, application startup performance could be impacted. If this occurs, exclusion options can be defined to reduce the impact of the shielding on the application.
The security provided by App Shielding is reduced when you exclude classes from the shielding process. The number of shieldings must be high enough to meet security requirements (more than one thousand data shieldings).
To avoid performance issues, the following OneSpan packages can be excluded from shielding:
untouchable class com.vasco.digipass.sdk.obfuscated.*
untouchable class com.vasco.digipass.sdk.utils.utilities.obfuscated.*
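A pre-shielding check for the exclusion rules above, added here as an example and not OneSpan code: it flags any `untouchable class` rule outside the two documented packages, since every exclusion reduces protection. It assumes one rule per line and that a trailing `.*` matches everything under that package; the function names, the `min_depth` threshold and the sample rules are constructed for illustration.

```python
import re

# The two exclusions the page documents as acceptable for performance reasons.
DOCUMENTED = (
    "com.vasco.digipass.sdk.obfuscated.*",
    "com.vasco.digipass.sdk.utils.utilities.obfuscated.*",
)

# Assumption: one rule per line, in the "untouchable class <pattern>" form shown above.
RULE_RE = re.compile(r"^\s*untouchable\s+class\s+(\S+)\s*$")


def is_covered(pattern, approved=DOCUMENTED):
    """True if pattern equals, or is narrower than, an approved exclusion."""
    for rule in approved:
        # Assumption: a trailing ".*" matches every class under that package.
        if rule.endswith(".*") and pattern.startswith(rule[:-1]):
            return True
        if pattern == rule:
            return True
    return False


def audit_exclusions(rules_text, approved=DOCUMENTED, min_depth=3):
    """Return (line_no, pattern, reason) for each exclusion that needs review."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        match = RULE_RE.match(line)
        if not match or is_covered(match.group(1), approved):
            continue
        pattern = match.group(1)
        # Package segments before the wildcard; few segments means a wide exclusion.
        depth = len([s for s in pattern.rstrip("*").split(".") if s])
        broad = pattern.endswith("*") and depth < min_depth
        findings.append((line_no, pattern, "broad wildcard" if broad else "unlisted"))
    return findings


# Constructed sample rules (hypothetical application package names).
SAMPLE_RULES = """\
untouchable class com.vasco.digipass.sdk.obfuscated.*
untouchable class com.vasco.digipass.sdk.utils.utilities.obfuscated.*
untouchable class com.example.bank.ui.LoginActivity
untouchable class com.*
"""

if __name__ == "__main__":
    for line_no, pattern, reason in audit_exclusions(SAMPLE_RULES):
        print(f"line {line_no}: {pattern} ({reason})")
```

Run against the rules file in CI, a non-empty result is a prompt to review the exclusion before shielding rather than proof of a problem.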
Automated shielding
REST web services can be used to automate the shielding process. For more information about the REST web services, refer to the API documentation.
To start the shielding process
Call POST /public_api/v1/rasp/bind_package.
Input parameters:
An API key
The binary to be shielded.
It starts the shielding process on the provided binary, and returns an identifier for that shielding process.
To obtain the shielding status
Call GET /public_api/v1/rasp/status.
Input parameter:
An API key
It returns the statuses of all the started and finished processes for the given configuration (i.e. API key) within the last two hours.
To download the shielded binary
Call GET /public_api/v1/rasp/bound_package/:id.
Input parameters:
An API key
A shielding process identifier.
It returns the shielded binary and the parameters used for the shielding process.
App obfuscation
App Shielding provides app obfuscation mechanisms that obfuscate the Java bytecode of an application, for example by modifying class names, function names, and field names. Parts of the application code are rewritten in a purposefully unintelligible way, while the application's functionality is left unchanged. The purpose of obfuscation is to discourage static analysis attempts.
For more information on this, see Configuration of Shielding Tool rules: Obfuscation.