Insight Data Structure
Updated on 20 Feb 2025
The Insight Agent receives messages in the form of a Protocol Buffer and forwards them to downstream endpoints in the same format or in JSON. An Insight envelope (i.e., message) has the following structure, if viewed as JSON:
```json
{
  "sessions": [
    {
      "frames": [
        {
          "events": [ ],
          "evidences": [ ]
        }
      ]
    }
  ]
}
```
Each data structure level contains several data points, including various IDs and timestamps. For a complete view of all available data points, refer to the libshield.proto specification file. The following sections summarize the data points relevant to understanding a security check:
Sessions
In its simplest form, a session has the following JSON structure:
```json
"sessions": [
  {
    "header": {
      "hardware": { },
      "software": { },
      "environment": { }
    },
    "frames": [ ]
  }
]
```
Hardware
The hardware dataset includes the following properties:
Hardware dataset properties

| Property | Description |
|---|---|
| vendor | The device vendor (e.g., Google). |
| model | The model of the device, as reported by the vendor (e.g., sdk_gphone64_arm64). |
| available-processors | The number of processors/cores available on the device. |
| total-memory | The total primary memory of the device. |
| max-memory | The external memory limit of the process, if such a limit was set. |
Software
The software dataset includes the following properties:
Software dataset properties

| Property | Description |
|---|---|
| os_name | The operating system as reported by the vendor. Note that for Android vendors, this will not always come through as "Android". |
| os_version | The operating system version. |
| os_arch | The OS architecture (e.g., amd64). |
| process_arch | The process architecture, which can differ from the operating system architecture (e.g., a 64-bit operating system running a 32-bit process). |
| app_name | The app bundle identifier (e.g., com.example.myapp). |
| app_version | The app version. |
| libshield_version | The version of App Shielding that is used in the app. |
| libshield_os | The operating system for which this version of App Shielding was designed. |
| libshield_variant | Whether App Shielding is a release version (0) or debug version. |
| libshield_is_time_bomb | Whether App Shielding is a limited demo version. |
Environment
The environment dataset includes the following properties:
Environment dataset properties

| Property | Description |
|---|---|
| language | The language code as reported by the device. |
| country | The country code as reported by the device. |
| timezone | The timezone as reported by the device. |
Frames
A frame groups related events and evidences together. Frames also contain a duplicate_count property. If there are several instances with essentially the same information, then only the first one is reported in full. Any additional/duplicate instances simply increment the value of duplicate_count. Thus, a duplicate_count of 4 means there were five instances with the same data (i.e., the original and four duplicates).
Events
In its simplest form, an event has the following JSON structure:
```json
"events": [
  {
    "probe": {
      "e": {
        "result": 2
      }
    }
  }
]
```
In the above example, e represents the shorthand code for an emulator probe. A result of 2 means the probe returned true (i.e., an emulator was detected).
Security Probes
The following security probes are possible:
Security probes

| Probe Event | Short Code |
|---|---|
| Rooted or jailbroken | jb |
| Repackaging | r |
| Debugger | d |
| Untrusted keyboard | uk |
| Screenshot captured | sc |
| Screen recording | srec |
| Screen reader | sr |
| Runtime integrity | ri |
| Network security | ns |
| Event hooking | eh |
| Background mode | bm |
| Mirroring | m |
| Installed packages | ip |
| Emulator | e |
| Hooking framework | hf |
| Task hijack | th |
| Untrusted library | ul |
| Library loading blocked | llb |
| Virtual space | vs |
| Untrusted source | us |
| ADB status | as |
| Developer options | do |
| Emulated input | ei |
| File system scan | fs |
| File system watch | fw |
| Native code hook | nc |
Result Codes
Each probe event returns a result code, where the code can be one of the following values:
Result codes

| Probe Result Code | Description |
|---|---|
| 0 | Unspecified |
| 1 | False |
| 2 | True |
| 3 | Likely |
| 4 | Unlikely |
| 5 | Highly likely |
| 6 | Probe failed |
| 7 | Probe succeeded |
| 8 | Probe was not completed |
| 9 | Probe was not executed |
Evidences
Not every security probe returns corresponding evidences, either because the Insight Client does not yet collect them or because the security probe simply does not require further details. When evidences do exist, they appear as one of the following types:

Evidence types

| Evidence Type | Supporting Data |
|---|---|
| file | The path, hash algorithm, hash content, and permissions of an offending file on the device. |
| function | The name of an offending function. |
| process | The name and PID of an offending process. |
| package | The bundle ID, version, related installer, and permission flags of an offending package. |
| app_signature | The hash of the public key and the hashing algorithm used to create an offending app signature. |
| cert_chain | The chain of bytes that make up an offending app certificate (relevant for iOS repackaging detection). |
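The following is an added example, not code from the Insight product or this page, showing how a consumer of the JSON form of an envelope can walk sessions, frames and events, translate probe short codes and result codes using the tables above, expand duplicate_count into an instance count, and carry each frame's evidences alongside its events. It assumes that treating result codes 2, 3 and 5 as positive findings is the desired policy, and the sample envelope and the evidence object layout are constructed for illustration.

```python
import json

# Probe short codes and result codes taken from the tables on this page.
PROBE_NAMES = {
    "jb": "Rooted or jailbroken", "r": "Repackaging", "d": "Debugger",
    "e": "Emulator", "hf": "Hooking framework", "eh": "Event hooking",
    "nc": "Native code hook", "ul": "Untrusted library", "us": "Untrusted source",
}
RESULT_NAMES = {0: "Unspecified", 1: "False", 2: "True", 3: "Likely",
                4: "Unlikely", 5: "Highly likely", 6: "Probe failed",
                7: "Probe succeeded", 8: "Probe was not completed",
                9: "Probe was not executed"}
# Assumption: a defender treats True, Likely and Highly likely as positive findings.
POSITIVE = {2, 3, 5}

def summarize_envelope(envelope):
    """Flatten sessions -> frames -> events into findings, expanding duplicate_count."""
    findings = []
    for session in envelope.get("sessions", []):
        software = session.get("header", {}).get("software", {})
        for frame in session.get("frames", []):
            # duplicate_count of 4 means five instances: the original plus four duplicates.
            instances = frame.get("duplicate_count", 0) + 1
            for event in frame.get("events", []):
                for code, body in event.get("probe", {}).items():
                    result = body.get("result", 0)  # missing result is 0 = Unspecified
                    findings.append({
                        "app": software.get("app_name"),
                        "probe": PROBE_NAMES.get(code, f"unknown({code})"),
                        "result": RESULT_NAMES.get(result, f"unknown({result})"),
                        "positive": result in POSITIVE,
                        "instances": instances,
                        "evidences": frame.get("evidences", []),
                    })
    return findings

# Constructed sample envelope (not real telemetry); the evidence object layout is assumed.
SAMPLE = json.loads("""
{"sessions": [{"header": {"software": {"app_name": "com.example.myapp"}},
  "frames": [
    {"duplicate_count": 4, "events": [{"probe": {"e": {"result": 2}}}], "evidences": []},
    {"duplicate_count": 0, "events": [{"probe": {"hf": {"result": 1}}}],
     "evidences": [{"file": {"path": "/constructed/path/example.so"}}]}
  ]}]}
""")

if __name__ == "__main__":
    for finding in summarize_envelope(SAMPLE):
        print(finding)
```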