- 28 Oct 2024
- 7 Minutes à lire
- SombreLumière
Version 6.0.1 (September 2023)
- Mis à jour le 28 Oct 2024
- 7 Minutes à lire
- SombreLumière
Supported platform versions
App Shielding version 6.0.1 was successfully tested with Android 14 beta 5.
Android 5.0 (API level 21) – Android 14 beta 5 (API level 34).
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.9+)
Ubuntu Linux 20.04 LTS or 22.04 LTS
ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Android platform updates
The Android minimum supported version is Lollipop-5.0 (API level 21).
This version of App Shielding supports Android 14 beta 5 (API level 34).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
Support for Amazon App Store publishing
[Introduced in version 5.5.0]
Amazon App Store modifies your application's files. For all applications, Amazon App Store injects some code and files into the application. This modification triggers the default repackaging checks of App Shielding.
Now the Shielding Tool provides a collection of Shielding Tool rules to skip the integrity check of the files that are known to be modified by Amazon App Store. To use these rules, add the following include statement to your Shielding Tool rules:
.my-rules.cfg:
---
include "builtin:amazon-app-store-support.cfg";
---
These rules should only be used if you intend to publish your application through the Amazon App Store.
For more information, refer to the Mobile Application Shielding Integration Guide.
Improved detection of Virtual Space Apps
Virtual app space detection can be enabled with the App Shielding check app in virtual space option.
If that option is enabled, App Shielding detects if the application was launched as a copy inside applications such as Parallel Space, Dual Space, or similar. App Shielding can also detect virtual app spaces and work profiles or managed devices provided by device vendors such as Google Workspace, Samsung Secure Folder, Xiaomi Dual Apps, Microsoft Workspace, etc. By default these are not reported as "virtual app spaces", but you can use the allow work profile and device vendor virtual spaces App Shielding configuration setting to report those as well as "virtual app space".
Option to exclude an activity from screenshot protection
[Introduced in version 5.4.0]
If App Shielding is configured with blockScreenshots to block screenshots from being taken of the app, then the Shielding Tool rule allowScreenshotsForActivity can be used to exclude an activity class from this block. That is, adding the following Shielding Tool rule tells App Shielding to allow screenshots if the specified activity is visible, even if blockScreenshots is enabled.
Improved detection of hooking frameworks, hiders, native code hooks
App Shielding has improved the detection of hooking frameworks, root hider applications, and native code hooks. Thus App Shielding Shield detects most versions of
Frida/Frida stalker
LSPosed
Magisk Delta
Magisk Manager
Improved emulator detection: detect VMOS Emulators
[Introduced in version 5.4.0]
VMOS is an Android application, which can create emulators on an Android device. VMOS provides the possibility to create highly configurable emulator images. Some of these images may be rooted, some may have Xposed installed. VMOS Emulator detection is part of the check Emulator and exit On Emulator App Shielding settings.
Detect new input sources as emulated input
Non-physical inputs (motion/keyboard events) are characterized as an emulated input. The emulated inputs might be originated from ADB, auto-click applications, screen-mirroring applications, screenreader applications, etc. The emulated input detection can be enabled with the check emulated input App Shielding configuration option.
The improved algorithm now detects more emulated input sources, for example, Vysor and Anydesk are now detected.
New configuration options
Allow Work Profile And Device Vendor Virtual Spaces
See Improved detection of Virtual Space Apps.
Check Untrusted Installer Mode
Configures the mode for the untrusted installer check (see the description of checkUntrustedInstaller in the Mobile Application Shielding Integration Guide). The option can be set to one of the following values:
* "all"::
Check all the apps that are installed on the device. This is the default value.* "sideloaded-apps-only"::
Check only the apps that are sideloaded, that is, installed via adb.
Fixes and other changes
Fixed performance regression
Description: A performance regression was fixed where a shielded application unnecessarily spent too much time for some of its security checks.
Deprecated --profile Shielding Tool command line option
Description: The Shielding Tool command line option --profile [release, debug] is deprecated. Now, the Shielding Tool uses release by default. Use --debug instead of --profile debug.
Removed --obfuscate on Shielding Tool command line option
Description: The deprecated Shielding Tool command line option --obfuscate [on, default] has been removed. Instead, use the Shielding Tool rules configurations. The removed option --obfuscate on has the same effect as the following rule in your Shielding Tool rules configuration:
.my-rules.cfg:
---
include "builtin:obfuscate-on.cfg";
---
Only add x86/x86_64 support if explicitly specified
App Shielding supports the four architectures arm64-v8a, armeabi-v7a, x86_64, and x86.
If an application has native libraries, the Shielding Tool will add the App Shielding library for all architectures that are supported by the application.
Previously, Shielding Tool added App Shielding for all four architectures when the application had no native libraries. This has been changed to only add the arm64-v8a and armeabi-v7a architectures. With this, the shielded app will be smaller: the x86_64 and x86 App Shielding libraries add a size of ~5 MB to the application.
SHAND-3502: Fix mapping.txt for Crashlytics
Description: Crashlytics needs a mapping.txt that contains entries for both obfuscated and not obfuscated classes and members. Previously, the Shielding Tool wrote only the classes and members that were obfuscated.
Status: This issue has been fixed. Now, the Shielding Tool also writes the names that are not obfuscated.
SHAND-3509: Fix callback data of UntrustedSourceAppData
Description: The signer name of the installer of the untrusted source application was reported wrong, that is, the string returned by UntrustedSourceAppData.getUntrustedSourceAppInstallerSignerName(index). That return value was the signer name of the untrusted source application itself.
Status: This issue has been fixed.
The other data (signature, package name, etc.) are reported correctly.
SHAND-3514: Improve adb status detection
Description: If App Shielding is configured with <checkAdbStatus v="true" />, previous versions of App Shielding reported adb as inactive, even though adb was still active, if the developer option was disabled with the adb command:
---bash
$ adb shell settings put global development_settings_enabled 0
---
Status: This issue has been fixed.
SHAND-3527: Support the new Android 12 - 14 garbage collector
Description: Android versions 12-14 have a new garbage collector (GC) implementation. This GC caused an ANR with App Shielding 5.6.0 resp. 5.0.5 and earlier.
Status: This issue has been fixed.
SHAND-3528: Fix callback data of VirtualSpaceAppData
Description: The app version and app name (of the virtual space app) were switched.
Status: This issue has been fixed.
SHAND-3532: Improved untrusted keyboard detection
Description: On Android 13 or later it was possible to switch from a trusted to an untrusted keyboard while editing a text in the app without App Shielding noticing the change.
Status: This issue has been fixed. Now App Shielding detects such a change.
SHAND-3576: Fix unexpected termination of application on automated Google Play testing
Description: Automated Google Play testing runs the application with the package ID androidx.test.tools.crawler.stubapp. That caused a shielded app to terminate unexpectedly.
Status: This issue has been fixed.
SHAND-3587: Fix ShieldSDK-secure-app-rom proguard rules
Description: Proguard/R8 started to obfuscate/minimize some members of the ShieldSDK-secure-app-rom classes. That caused applications to terminate unexpectedly that used the ShieldSDK-secure-app-rom.
Status: This issue has been fixed.
SHAND-3626: Fix reporting screen-mirroring blocking in the callbacks
Description: If screen-mirroring is blocked, App Shielding reported in some situations in the callback that screen-mirroring was not blocked, though App Shielding did block it.
Status: This issue has been fixed.
SHAND-3628: Fix reporting data in the KeyboardData callback
Description: If the user switches to an untrusted keyboard while the application is running and the untrusted keyboard declares its service as export="false" (in its AndroidManifest.xml), App Shielding reported the previous keyboard data in the untrusted keyboard callback event. If a keyboard uses export="false", App Shielding cannot query the keyboard data (package name, signer, etc.).
Status: This issue has been fixed. With this fix, App Shielding will report empty names instead of the names of the previous keyboard.
SHAND-3720: Fixed Java class name obfuscation
Description: The Shielding Tool failed to obfuscate all classes if you enabled full Java class name obfuscation by including the following Shielding Tool rules configuration:
.my-rules.cfg:
---
include "builtin:obfuscate-on.cfg";
---
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Java Runtime Environment 17
Some versions of Java Runtime Environment (JRE) 17 cause the following error on shielding an app:
---
Error: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
---
The error is caused by a problem with Java. A workaround is to pass the command line option
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
to Java on running the Shielding Tool, that is:
---bash
$ java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar Shielder.jar ...
---
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.