- 28 Oct 2024
- 5 Minutes à lire
- SombreLumière
Version 6.0.2-PATCH (December 2023)
- Mis à jour le 28 Oct 2024
- 5 Minutes à lire
- SombreLumière
Supported platform versions
App Shielding version 6.0.2-PATCH was successfully tested with Android 14.
Android 5.0 (API level 21) – Android 14.
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.9+)
Ubuntu Linux 20.04 LTS or 22.04 LTS
ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.
If you want your protected app to run on Android 15, you must upgrade to App Shielding 6.6.0 or later.
Beginning with Android15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes. For more information, refer to the Android Developer documentation.
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
New anti-malware plugin
A new anti-malware plugin has been included in Mobile Application Shielding to target a new Android malware, FjordPhantom. App Shielding now allows effective detection of FjordPhantom.
This anti-malware plugin works independently. If the plugin detects FjordPhantom, it will cause the application to crash and eventually exit. Mobile Application Shielding does not provide an exit code, but causes an obscure crash, indicating an error about library loading. If you have other Exit features in place, the provided exit code will depend on those exit features.
About FjordPhantom
Since September 2023, FjordPhantom is targeting mobile banking applications in Southeast Asia, Singapore, and Malaysia. It operates differently compared to earlier Android malware. While the most prevalent Android malware abuses the Android accessibility feature to conduct overlay attacks and harvest sensitive information, FjordPhantom uses a novel technique based on virtualization. It combines multiple open source tools including an Android virtualization framework and a hooking framework to perform its attacks. Virtualization apps such as Parallel Spaces and DualSpaces allow multiple installs of the same application on a single mobile device, each in its own virtual container.
In case of FjordPhantom, the complete target app's APK is embedded inside the malware. After downloading, installing, and launching the malware, the user will see the same as if they were running the target app itself. The Android OS however will not be aware that the embedded target app is running since only the wrapping malware is running. Through virtualization, the malware has placed itself between the Android OS and the embedded target app, and both are running inside the same process on the Android OS. This effectively removes any protection offered by the strong sandboxing between two apps running on Android.
FjordPhantom malware does not attack other applications that are running on the user's device but only attacks the victim app that has been embedded. This makes the FjordPhantom malware less scalable, but more powerful.
Since the malware, together with its embedded target app, are seen as a new application by the Android OS, installation of the malware will not affect any existing installations of the target app on the device. Nor will the malware be able to access data (such as cryptographic keys or credentials) owned by the existing installation.
The following are the advanced capabilities of FjordPhantom and its variants:
Inject code through code hooking in the embedded target app on non-rooted devices
Benign virtualization apps rely heavily on code hooking to allow their hosted apps to work correctly. This code hooking is extended by FjordPhantom to offer various advanced attack capabilities:
Evade detection: By hooking selected calls to the Android OS that are necessary to obtain information about whether a device is rooted etc. and returning bogus information, the malware evades detection by the embedded app.
Hide information from the user: FjordPhantom also contains code hooks that close dialog boxes with security warnings to the user before the user can see them on the screen.
Full access to all data stored by the embedded target app
The malware has full access to all data stored by the embedded target app because it runs on a virtual file system under full control of the malware.
Evade repacking detection
Traditional malware that uses repackaging decompiles a target app, inserts additional code, and rebuilds the app into a new, malicious version of itself. However, many security-sensitive apps are tailored to detect this type of repackaging. With FjordPhantom, however, the detection fails because the original target app is not modified in any way.
The new App Shielding plugin can be enabled or disabled via the OneSpan Customer Portal at https://cp.onespan.com. By default, it is disabled.
New configuration options
You can configure Mobile Application Shielding to cause the app to shut down when it detects emulated input or the app to have been launched via a virtual space application. The corresponding error codes are:
1d: Application is launched via Virtual space application
1f: Emulated input is detected.
For a list of all error codes, refer to the Mobile Application Shielding Integration Guide for Android, App Shielding Error Reporting - Android.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.