Callback data classes

After App Shielding has performed the relevant security check, the ExtendedObserver.handleCallback() method is called with a callback-specific CallbackData object (see List of callback types: CallbackType enum) which contains the data for that particular security check.

The following data classes with their respective methods are available.

AdbStatusData

This class contains information about the detected Android Developer Bridge (ADB) status. If the boolean isAdbActive() return value is true, the device’s ADB is considered active.

DebuggerData

This class contains information about whether a Java debugger is attached to the host application. If the boolean isRunningUnderDebugger() method returns true, a Java debugger is attached.

If App Shielding is configured to block Java debuggers this callback is never called.
Low-level debuggers, such as gdb are blocked altogether, and no callback will be called if anyone tries to attach such a debugger to the application.

DeveloperOptionsData

This class contains information about the Developer Options status. If the return value of boolean isDeveloperOptionsEnabled() is true, the device’s Developer Options are enabled.

EmulatedInputData

This class contains information about a detected emulated input. If the boolean isInputEmulated() return value is true, an emulated input was detected. The input can be both touch and swipe events.

EmulatorData

This class contains information about whether or not App Shielding detects that the application is executed inside an emulator. If the return value of boolean isRunningOnEmulator() is true, the application is running inside an emulator.

Release versions of App Shielding do not permit executing on emulators, so this callback can only be used when using debug versions of App Shielding on an emulator.

FilesystemScanningData

This class contains information about whether suspicious files have been detected in the file system.

The following are the public methods for this class:

• boolean isSuidOrSgidDetected()
  Indicates if a file with suid or sgid bit is detected.

• boolean isSuDetected()
  Indicates if su executable file is detected.

• boolean isSuspiciousFileDetected()
  Indicates if any suspicious file is detected, either a file with an suid or sgid bit, or a file which is su executable. In other words, isSuspiciousFileDetected() returns true if isSuidOrSgidDetected() or isSuDetected() (or both) return true.

The file system scanning callback is usually invoked 5-10 seconds after application startup because file system scanning takes time.

FilesystemWatchingData

This class contains information about suspicious activity on the file system. This check depends on root detection being enabled. Currently, the following scenarios are considered suspicious activity:

• An Suid or sgid bit is set on an executable in one of the bin paths.

• An su executable is copied into one of the bin paths.

The following public methods are available for this class:

• String getSuspiciousFileName()

  Returns name of the suspicious file.

• boolean isSuidOrSgidDetected()

  Indicates if the suspicious file has suid or sgid bit.

• boolean isSuDetected()

  Indicates if the suspicious file is su executable.

The file system watching callback is only invoked if suspicious activity happens on the file system during application runtime. If suspicious files are already present on the file system before the application starts, their presence will be reported via the file system scanning callback, not via the file system watching callback.

HookingFrameworksData

This class contains information about code hooking frameworks in the process.

The following public methods are available for this class:

• boolean areHookingFrameworksPresent()

  Returns true if code hooking frameworks are present.

• int getLastUsedDetectionMethodCode()

  Returns the last used detection method code. Provide this code to OneSpan if you are trying to diagnose a problem with hooking framework detection.

OneSpan recommends to configure App Shielding to exit the application if code hooking frameworks are detected. This callback should not be used to make security decisions because such frameworks can modify the behavior of the callback.

KeyboardData

This class contains information about whether the active keyboard on the system is trusted.

The following public methods are available for this class:

• boolean isKeyboardUntrusted()

  Returns true if the active keyboard is untrusted.

  App Shielding treats keyboards that are part of the original firmware as trusted. Otherwise, the signer of the keyboard is compared to a list of trusted signers that can be configured in the App Shielding configuration (see addTrustedKeyboardSigner)

• String getKeyboardPackageName()

  Returns the keyboard APK package name.

• String getKeyboardVersionName()
  Returns the keyboard APK package's human-readable version name, which is usually specified in AndroidManifest.xmlby the versionName attribute of the <manifest> tag.

• String getKeyboardAppLabel()
  Returns the keyboard app's human-readable name (i.e., label), which is usually specified in AndroidManifest.xml by the label attribute of the <application> tag.

• String getKeyboardSignerName()

  Returns the Common Name (CN) of the keyboard APK signer’s X.509 certificate subject. If it is impossible to determine the CN field, this method returns an empty string.

• String getKeyboardSignature()
  

  Returns the keyboard’s signature. If it is impossible to determine the signature, this method returns an empty string.

  If the app is running in a Private Space or Work Profile, you shouldexpect KeyboardData callbacks with untrusted keyboards.

NativeCodeHooksData

This class contains information about whether native code hooks are present. If the boolean areNativeCodeHooksPresent() return value is true, native code hooks are present. If false, no native code hooks are detected.

PrivateSpaceData

Contains information about whether App Shielding detects that the application is executed inside aPrivate Space or Work Profile.

If the boolean isRunningInPrivateSpaceOrWorkProfile() method returns true, the application is running inside a Private Space or a Work Profile; the data does not specify which one.

RepackagingData

Provides a boolean that indicates whether the application has been repackaged. If the application is running in a simulator, this method is never called. If the boolean isRepackaged() return value is true, the application has been repackaged.

This callback is only triggered if the exitOnRepackaging option is set to false. exitOnRepackaging cannot be disabled in a release version of App Shielding.

RootingData

This class contains information about whether App Shielding has detected that the device is rooted or not.

The following public methods are available for this class:

• boolean isDeviceCertainlyRooted()
  

  Indicates if the device is rooted or not. Returns true if App Shielding is certain that the device is rooted.

• int getRootingProbability()
  

  Returns a percentage value that indicates the probability that a device is rooted, based on heuristic checks. A value of 0 indicates that the device is most likely not rooted, while a value of 100 indicates that the device is most likely rooted. This value is created independently of the value returned by isDeviceCertainlyRooted(), so they are not connected in any way and might contradict each other in certain cases.

• int getLastUsedDetectionMethodCode()
  

  Returns the last used detection method code. Supply this code to OneSpan if you are trying to diagnose a problem with the rooting detection.

• int getLastUsedHeuristicMethodCode()
  

  Returns the last used heuristic method code. Supply this code to OneSpan if you are trying to diagnose a problem with the rooting detection.

ScreenMirroringData

This class contains information about active screen mirrors. Such screen readers might include the device projecting the screen to a Chrome Cast device, MiraCast, or other type of screen casting device.

The following public methods are available for this class:

• boolean isScreenMirroringDetected()
  

  Returns true if screen mirroring is detected.

• boolean isScreenMirroringBlocked()
  

  Returns true if the screen mirroring is currently being blocked by App Shielding.

ScreenreaderData

This class contains information about whether an untrusted screen reader is active.

The following public methods are available for this class:

• boolean isUntrustedScreenreaderPresent()

  Returns true if at least one untrusted screen reader is active. Trusted screen readers can be configured with the addTrustedScreenreaderSigner option.

• int getUntrustedScreenreaderCount()

  Returns the number of untrusted active screen readers.

• String getUntrustedScreenreaderPackageName(int index)

  Returns the package name of the untrusted screen reader APK with the specified index. The index must be in the range of 0 to getUntrustedScreenreaderCount() - 1. If no screen readers are active or the index is out of bounds, this method returns an empty string.

• String getUntrustedScreenreaderVersionName(int index)

  Returns the human-readable version name with the specified index, which is usually specified in AndroidManifest.xml by the versionName attribute of the manifest tag. The index must be in the range of 0 to getUntrustedScreenreaderCount() - 1. If no screen readers are active or the index is out of bounds, this method returns an empty string.

• String getUntrustedScreenreaderAppLabel(int index)

  Returns the human-readable name (label) of the untrusted screen reader APK with the specified index, which is usually specified in AndroidManifest.xml by the label attribute of the application tag. The index must be in the range of 0 to getUntrustedScreenreaderCount() - 1. If no screen readers are active or the index is out of bounds, this method returns an empty string.

• String getUntrustedScreenreaderSignerName(int index)

  Returns Common Name (CN) of the signer’s X.509 certificate subject for the untrusted screen reader APK with the specified index. The index must be in the range of 0 to getUntrustedScreenreaderCount() - 1. If no screen readers are active or the index is out of bounds, this method returns an empty string.

• String getUntrustedScreenreaderSignature(int index)

  Returns the screen reader signature of the untrusted screen reader APK with the specified index. The index must be in the range of 0 to getUntrustedScreenreaderCount() - 1. If no screen readers are active or the index is out of bounds, this method returns an empty string.

  If the app is running in a Private Space or Work Profile, you should expect ScreenreaderData callbacks with untrusted screen readers.

TapjackingData

Provides details regarding the detection of a tapjacking input.

The following public method is available for this class:

• isObscured()

  Returns true if an obscured input has been detected.

  An input is considered obscured when an overlay is present on the screen at the time the click is performed. The input can be touch events or swipe events.

TaskHijackingData

This class contains information about a task that was hijacked by an external application targeting this app through taskAffinity.

The following public methods are available for this class:

• ComponentName getOffendingAppActivity()

  Returns ComponentName (app-packageName + activity class name) of the app/activity that hijacked this app’s task.

• String getOffendingTaskAffinity()

  Returns the taskAffinity set by the offending activity.

• String getIntentData()

  Returns the intent used to start the task.

The task hijacking callback is only called if task hijacking protection is enabled by including the ShieldSDK-activity-guard package in the application.

UntrustedSourceAppData

This class contains information about detected untrusted source or sideloaded application installed on the device. If an untrusted application is installed or uninstalled from the device while the application is running, the observer is notified with updated callback data.

UntrustedSourceAppData returns a list of all untrusted applications installed to the device. If a new untrusted application is installed, the installed application will not necessarily be added as the last item on the untrusted applications list.

The following public methods are available for this class:

• boolean isUntrustedSourceAppPresent()

  Returns true if there are one or more untrusted source applications installed on the device.

  App Shielding trusts all system applications. For any other application, App Shielding compares the signer of the installer package with an allowlist of trusted signers that may be configured in the App Shielding configuration by addTrustedInstallerSigner. In addition to this option, it is possible to allowlist a single application installed via untrusted app store, or sideloaded by addTrustedApplicationSigner.

• int getUntrustedSourceAppCount()

  Returns the number of applications that were sideloaded or installed via untrusted sources.

• String getUntrustedSourceAppPackageName(int index)

  Returns the package name of the untrusted source application at the specified index.

• String getUntrustedSourceAppVersionName(int index)

  Returns the APK package’s human-readable version name of the untrusted source app at the specified index, which is usually specified in AndroidManifest.xml by the versionName attribute of the <manifest> tag .

• String getUntrustedSourceAppLabel(int index)

  Returns the human-readable name (i.e., label) of the untrusted source app at the specified index, which is usually specified in AndroidManifest.xml by the label attribute of the <application> tag.

• String getUntrustedSourceAppSignerName(int index)

  Returns the Common Name (CN) of the APK signer’s X.509 certificate subject for the untrusted source app at the specified index. If it is not possible to determine the CN field, this method returns an empty string.

• String getUntrustedSourceAppSignature(int index)

  Returns the APK signature of the untrusted source app APK at index. If it is not possible to determine the signature, this method returns an empty string.

The following methods return information about the corresponding installer for an untrusted source app:

• String getUntrustedSourceAppInstallerPackageName(int index)

  Returns the package name of the installer of the untrusted source application at the given index.

• String getUntrustedSourceAppInstallerSignerName(int index)

  Returns the Common Name (CN) of the installer APK signer’s X.509 certificate subject for the untrusted source app at the specified index. If it is not possible to determine the CN field, this method returns an empty string.

• String getUntrustedSourceAppInstallerSignature(int index)

  Returns the installer APK signature of the untrusted source app at the provided index. If it is not possible to determine the signature, this method returns an empty string.

  If the installer is removed from the device, the affected apps are still marked as having an "untrusted source", but the getUntrustedSourceAppInstaller* methods will then return empty values for those installers.

VirtualSpaceAppData

This callback contains information about whether the application was launched via a virtual space app.

The following public methods are available for this class:

• boolean isAppInVirtualSpace()

  Returns true if the application is launched via a virtual space app. Returns false if the application is not in a virtual space or is in the virtual space of any application included in the allowlist by addTrustedVirtualSpaceAppSigner.

• String getVirtualSpaceAppPackageName()

  Returns the virtual space app’s APK package name. If the application is launched outside of a virtual space, this method returns an empty string.

• String getVirtualSpaceAppVersionName()

  Returns the virtual space app’s APK package human- readable version name, which is usually specified in AndroidManifest.xml by the versionName attribute of the <manifest> tag. If the application is launched outside of a virtual space, this method returns an empty string.

• String getVirtualSpaceAppAppLabel()

  Returns the virtual space app’s human-readable name (i.e., label), which is usually specified in AndroidManifest.xml by the label attribute of the <application> tag. If the application is launched outside of a virtual space, this method returns an empty string.

• String getVirtualSpaceAppSignerName()

  Returns the Subject’s Common Name (CN) of the APK signer’s X.509 certificate subject of the virtual space app. If the application is launched outside of a virtual space, this method returns an empty string.

• String getVirtualSpaceAppSignature()

  Returns the virtual space app’s signature. If the application is launched outside of a virtual space, this method returns an empty string.

Due to the limitations with some virtual spaces like Samsung Secure Folder and Xiaomi Dual Apps, the get methods return empty values regardless.