Configuration of App Shielding for iOS apps
  • 18 Oct 2024
  • 8 Minutes à lire
  • Sombre
    Lumière

Configuration of App Shielding for iOS apps

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

OneSpan Customer PortalOneSpan Mobile Portal

OneSpan Customer Portal

To configure App Shielding for your applications, select the options on the Configuration Page of the OneSpan Customer Portal as needed.

Configuration options for iOS

Configuration options for iOS

Option

Description

Settings

Exit on debugger URL

There is no guarantee that this URL is triggered even though a debugger is attached. It is recommended to not use this option.

This option is deprecated and will be removed in the future.

Check developer mode

Checks if Developer Mode is enabled on the device.

Developer Mode was introduced in iOS 16 and enables development capabilities on an iOS device. When enabled, it will reduce the security of the device since it opens up to some attack vectors abusing developer-only functionality.

Exit on developer mode

Determines whether to exit the application when Developer Mode is detected on the device.

Exit on developer mode URL

Check hooking frameworks

Checks if hooking frameworks were detected in the application’s process.

Exit on hooking frameworks

Determines whether to exit the application when hooking frameworks are detected in the application’s process.

Depends on: Check hooking frameworks

Exit on hooking frameworks URL

If Exit on hooking frameworks is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked.

Depends on: Exit on hooking frameworks

Check jailbreak

Checks if the device on which the application runs is jailbroken.

Exit on jailbreak

Determines whether to exit the application if the device is jailbroken.

Depends on: Check jailbreak

Exit on jailbreak URL

If Exit on jailbreak is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked.

Depends on: Exit on jailbreak

User screenshot monitor

Checks if the user takes a screenshot of the application.

Block screenshots

Prevents screenshots of the application window.

Block external screens

Prevents screen recording and mirroring of the application window. Screen mirroring can originate from external screens connected through an adapter or through AirPlay.

Application signer certificate

The certificate used to sign the application.

Check screen recording

Checks if a screen is being recorded.

Prevent runtime library injection

Prevents injection of libraries into the application during runtime.

Check load-time library injection

Check if libraries were injected into the application’s process at load-time.

App Shielding protects against injection of libraries during runtime. However, it cannot protect against injection of libraries during load-time. Because of that, and also as a second layer of protection against injection during load-time, App Shielding can detect when there are libraries inside the process that should not be there, i.e. have been injected.

Exit on load-time library injection

Determines whether to exit the application when libraries were injected into the application’s process at load-time.

OneSpan highly recommends having this setting enabled for release versions, ideally in combination with the browser reporting feature. In case of libraries being injected into the app's process, the application cannot be trusted anymore, meaning that code that reacts to callbacks can easily be patched out.

Also note that code injection is usually happening on jailbroken devices that have the hooking framework MobileSubstrate installed, which injects libraries into all processes. Because of that, users of apps that are protected by App Shielding should be advised to uninstall MobileSubstrate.

Depends on: Check load-time library injection

Exit on load-time library injection URL

If Exit on load-time library injection is used, a browser can be launched with a preconfigured URL which may explain the problem to the user. If no URL is configured, then the browser is not invoked.

Depends on: Exit on load-time library injection

Updatable configuration

Updatable configuration

Specify whether the app will use the Automatic Configuration feature.

Since App Shielding v4.0, it is no longer possible to disable the checkRepackaging and exitOnRepackaging configuration options. If App Shielding detects that the application was repackaged, it will crash and shutdown the application during startup. Ensure that you always specify the correct signer certificate, configured with the applicationSignerCertificate option. For more information, see Application signer certificate.

Also, as of App Shielding version 4.0, anti-debugging has been improved to ensure that the blockDebugger, checkDebugger, and exitOnDebugger options cannot be disabled.

Application signer certificate

Defines the signer certificate(s) that App Shielding trusts when checking for repackaging. That is, App Shielding assumes the app has been repackaged if the certificate used to sign the app does not match any of the given certificates here. The exception is that App Shielding implicitly trusts the certificates that Apple uses to re-sign an app when it is deployed through TestFlight or the App Store. This implicit trust can be disabled using the disableAppStoreTrust and disableTestFlightTrust options.

To configure App Shielding to trust multiple certificates of your own (e.g., development and distribution certificates), add a separate applicationSignerCertificate option for each certificate.

To export the certificate from the keychain

  1. Launch Keychain Access.

  2. Right click on the certificate to use and select Export….

  3. Select the Certificate file format (.cer)

OneSpan Mobile Portal

To configure App Shielding for your applications, open the relevant project and configuration in the OneSpan Mobile Portal and select the options as needed.

Configuration options for iOS

Configuration options for iOS

Option

Description

Debugger

Exit on debugger URL

The URL of the web page with an explanation to launch when the application is shut down because a debugger has been detected.

There is no guarantee that this URL is triggered even though a debugger is attached. It is recommended to not use this option.

For more information, see Exit URL Launching.

This option is deprecated and will be removed in the future.

Developer Mode

Check Developer Mode

Checks if Developer Mode is enabled on the device.

Developer Mode was introduced in iOS 16 and enables development capabilities on an iOS device. When enabled, it will reduce the security of the device since it opens up to some attack vectors abusing developer-only functionality.

Exit on Developer Mode

Determines whether to exit the application when Developer Mode is detected on the device.

Exit on developer mode URL

The URL of the web page with an explanation to launch when the application is shut down because Developer Mode has been enabled on the device.

For more information, see Exit URL Launching.

Hooking Frameworks

Check hooking frameworks

Checks if hooking frameworks were detected in the application’s process.

Exit on hooking frameworks

Determines whether to exit the application when hooking frameworks are detected in the application’s process.

Depends on: Check hooking frameworks

Exit on hooking frameworks URL

The URL of the web page with an explanation to launch when the application is shut down because a hooking framework has been detected.

Depends on: Exit on hooking frameworks

Jailbreak

Check jailbreak

Checks if the device on which the application runs is jailbroken.

Exit on jailbreak

Determines whether to exit the application if the device is jailbroken.

Depends on: Check jailbreak

Exit on jailbreak URL

The URL of the web page with an explanation to launch when the application is shut down if the device is jailbroken.

For more information, see Exit URL Launching.

Depends on: Exit on jailbreak

User Screenshots

User screenshot monitor

Checks if the user takes a screenshot of the application.

Screen Recording

Check Screen recording

Checks if a screen is being recorded.

External Screens

Block external screens

Prevents screen recording and mirroring of the application window. Screen mirroring can originate from external screens connected through an adapter or through AirPlay.

Block screenshots

Prevents screenshots of the application window.

Application signer certificate

The certificate used to sign the application.

For more information, see Application signer certificate.

Library Injection

Check load-time library injection

Checks if libraries were injected into the application’s process during load-time.

App Shielding protects against injection of libraries during runtime. However, it cannot protect against injection of libraries during load-time. Because of that, and also as a second layer of protection against injection during load-time, App Shielding can detect when there are libraries inside the process that should not be there, i.e. have been injected.

Exit on load-time library injection

Determines whether to exit the application when libraries were injected into the application’s process at load-time.

We highly recommend enabling this setting for release versions, ideally in combination with the browser reporting feature. In case of libraries being injected into the app's process, the application cannot be trusted anymore, meaning that code that reacts to callbacks can easily be patched out.

Code injection is usually happening on jailbroken devices that have the hooking framework MobileSubstrate installed, which injects libraries into all processes. Because of that, users of apps that are protected by App Shielding should be advised to uninstall MobileSubstrate.

Depends on: Check load-time library injection

Exit on load-time library injection URL

The URL of the web page with an explanation to launch when the application is shut down because an injected library has been detected.

Depends on: Exit on load-time library injection

Runtime Library Injection

Prevent runtime library injection

Prevents injection of libraries into the application during runtime.

Updatable configuration

Specify whether the app will use the Automatic Configuration feature.

For more information, see App Shielding configuration.

Since App Shielding v4.0, it is no longer possible to disable the checkRepackaging and exitOnRepackaging configuration options. If App Shielding detects that the application was repackaged, it will terminate unexpectedly and shut down the application during startup. Ensure that you always specify the correct signer certificate, configured with the applicationSignerCertificate option. For more information, see Application signer certificate.

Also, as of App Shielding version 4.0, anti-debugging has been improved to ensure that the blockDebugger, checkDebugger, and exitOnDebugger options cannot be disabled.

Application signer certificate

Defines the signer certificate(s) that App Shielding trusts when checking for repackaging. That is, App Shielding assumes the app has been repackaged if the certificate used to sign the app does not match any of the given certificates here. The exception is that App Shielding implicitly trusts the certificates that Apple uses to re-sign an app when it is deployed through TestFlight or the App Store. This implicit trust can be disabled using the disableAppStoreTrust and disableTestFlightTrust options.

To configure App Shielding to trust multiple certificates of your own (e.g., development and distribution certificates), add a separate applicationSignerCertificate option for each certificate.

To export the certificate from the keychain

  1. Launch Keychain Access.

  2. Right click on the certificate to use and select Export….

  3. Select the Certificate file format (.cer)


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle