Conceptual Overview
20 Feb 2025

The Insight Client resides in App Shielding and communicates with the Insight Agent over HTTPS via a set of shared keys. The client encrypts all messages and stores undelivered messages in a write-ahead log on the device. If delivery fails, the client retries delivery later.

The Insight Agent is something that you must deploy, but this can be done on almost any server; it is not tied to a specific runtime environment. The executable that starts the agent is available for the following operating systems and CPU architectures:

Available operating systems and architectures

Operating System    Architectures
Darwin (macOS)      arm64, amd64
Linux               amd64, arm64, riscv64
Windows             arm64, amd64

After the agent is deployed, it forwards Insight messages from connected clients to the Insight Cloud. In the Download Portal, these messages are viewable on the Insight page for Admin users. The agent can also be configured to forward the same data to one or more HTTP-based APIs of your own choosing. The following image highlights the overall workflow:

Diagram illustrating connections between a protected app, insight agent, and various endpoints.

Because message payloads sent to the Insight Agent are end-to-end encrypted, a web application firewall (WAF) will not be able to read the payload contents. If you have a WAF configured, then you should avoid creating rules related to the message payload. The WAF can still parse headers and messages forwarded to downstream endpoints.

Data

The Insight Client sends messages in batches as encrypted Protocol Buffers. The Insight Agent forwards these messages to downstream endpoints either in the same format (Protocol Buffers) or as JSON.

An Insight message (i.e., envelope) has the following nested structure:

  • Envelope
    • Sessions
      • Frames
        • Events
        • Evidences

Each level of this data structure contains the following information:

Information in data structure levels

Data Level   Description
Envelope     Top-level information with relevant IDs, timestamps, and optional custom data.
Sessions     Metadata about the event originator, including details about the hardware and software.
Frames       Parent grouping for related events and evidences.
Events       The security check that was flagged (e.g., hooking framework detected).
Evidences    The features of the environment that support the security check (e.g., a suspicious file or function name).

See the Insight Data Structure section for a more detailed look at each data level. You can also view the Protocol Buffer specification itself in the form of the libshield.proto file from the Insight Agent download.
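The nesting above is what a downstream HTTP endpoint of your own receives when the agent forwards envelopes as JSON. The following is an added example of such a consumer, not OneSpan's code: it flattens Envelope > Sessions > Frames > Events (with the frame's Evidences attached) into one record per event and aggregates flagged checks per instance ID. The field names ("envelope_id", "sessions", "check", and so on) and the sample envelope are assumed for illustration; the authoritative field names are in the libshield.proto file shipped with the agent.

```python
"""Downstream consumer for Insight envelopes forwarded as JSON by the agent.
Field names are assumptions; consult libshield.proto for the real schema."""
import json
from collections import Counter
from typing import Iterator

# Constructed sample envelope: one session, one frame, two events, one evidence.
SAMPLE_ENVELOPE_JSON = json.dumps({
    "envelope_id": "env-0001",                    # assumed field name
    "timestamp": "2025-02-20T10:00:00Z",
    "custom_data": {"tenant": "demo"},
    "sessions": [{
        "instance_id": "inst-abc123",             # randomized per-install ID
        "os": "android",
        "frames": [{
            "frame_id": "f-1",
            "events": [
                {"check": "hooking_framework_detected"},
                {"check": "debugger_attached"},
            ],
            "evidences": [{"kind": "file", "value": "libsuspicious-hook.so"}],
        }],
    }],
})


def flatten_envelope(raw: str) -> Iterator[dict]:
    """Yield one flat record per event, carrying envelope and session context
    plus the evidences of the same frame, ready for a SIEM or log pipeline."""
    env = json.loads(raw)
    for session in env.get("sessions", []):
        for frame in session.get("frames", []):
            evidences = [e.get("value") for e in frame.get("evidences", [])]
            for event in frame.get("events", []):
                yield {
                    "envelope_id": env.get("envelope_id"),
                    "timestamp": env.get("timestamp"),
                    "instance_id": session.get("instance_id"),
                    "frame_id": frame.get("frame_id"),
                    "check": event.get("check"),
                    "evidences": evidences,
                }


def checks_per_instance(raw: str) -> dict:
    """Count flagged checks per instance ID, the same grouping key the
    Insight Cloud uses for its aggregated statistics."""
    stats: dict = {}
    for rec in flatten_envelope(raw):
        stats.setdefault(rec["instance_id"], Counter())[rec["check"]] += 1
    return stats
```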

Instance ID

OneSpan App Shielding Insight does not use a true device fingerprint. Instead, it generates an instance ID when the app is first loaded on the device. This instance ID is a randomized identifier for the specific app install on the specific device and is persistent through app updates. If the app is uninstalled and reinstalled, or the device is factory reset, then a new instance ID is created.

GDPR Compliance

The data collected by OneSpan App Shielding Insight is carefully selected according to privacy laws such as the GDPR. In regard to Article 35 of the GDPR, OneSpan collects data that is relevant for the following purposes:

  • Analysis of IT security threats.

  • Error reporting and performance analytics of Promon SHIELD™.

  • Aggregated usage statistics (e.g., number of users, frequency of use, etc.).

OneSpan App Shielding Insight does not collect personal or sensitive data, including IP addresses. OneSpan only collects internal data about its own products and makes a best effort to remove any data that could potentially identify a physical person.

However, the instance ID might be considered pseudonymised data in the context of GDPR. Even though the ID itself cannot directly identify a person, it could be linked to other information that might indirectly identify the user or their behavior.

In the Insight Cloud, the instance ID is used for grouping and aggregating statistics, for example to count the number of IT security checks generated by a particular app instance over time.

Performance

Because the Insight Client is a component of App Shielding and ties into existing App Shielding security checks, it has a negligible impact on the performance of the app.

The Insight Agent, when running on a single thread on a single CPU core, can decrypt and deserialize approximately 3,000 to 4,000 messages per second. Of course, this largely depends on network latency, how much data you are collecting, and the potential bottlenecks of any downstream APIs. Also note that throughput does not scale linearly when you add more cores/threads. For example, an agent with 32 AMD cores can open around 24,000 messages per second.

An envelope with one event, encoded using Protocol Buffers, is typically 1-2 KiB in size. However, if you configure significantly large custom data, then this would increase memory usage and might impact overall performance. As such, memory requirements should be carefully considered when dealing with large custom data.
