- 28 Oct 2024
Version 6.5.0 (March 2024)
- Updated on 28 Oct 2024
Supported platform versions
App Shielding version 6.5.0 was successfully tested with Android 14.
Android 5.0 (API level 21) – Android 14 (API level 34).
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.9+)
Ubuntu Linux 20.04 LTS or 22.04 LTS
The App Shielding Gradle plugin version 2.0 and later is supported.
This plugin supports Android App Bundles and newer Android build versions.
You can download the plugin and documentation from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 14.
As of March 1, 2024, App Shielding for Android version 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
Deprecated APIs
The API for the deprecated ForegroundOverrideData feature has been removed and is no longer supported.
Deprecated methods
The CallbackManager.setExtendedObserver(observer) and CallbackManager.removeObserver() methods have been deprecated and will be removed in one of the upcoming versions of App Shielding. Instead of these, use:
CallbackManager.addObserver(observer)
CallbackManager.removeObserver(observer)
New features and other updates
Automatic detection of FjordPhantom anti-malware
The Shielding Tool now detects the FjordPhantom malware automatically; the specific plugin has been removed from App Shielding.
For App Shielding 6.0.2, a dedicated FjordPhantom anti-malware plugin was provided. When shielding the app, a Shielding Tool command-line option was needed to apply this plugin during shielding. No further configuration was necessary.
As of App Shielding 6.5.0, the dedicated plugin is no longer required as this check is now offered by default as part of the product. FjordPhantom will be detected either by the Hooking Framework detection or the Virtual Space App detection, and App Shielding uses callback and/or exit-on mechanisms that come with these checks. No further FjordPhantom-specific configuration options are needed.
New configuration options
Two new configuration options have been added:
Trusted Virtual Space App Signatures
If you enable this option, you can add the signing certificate of a trusted virtual space app to an allowlist. With this, App Shielding accepts all virtual space apps signed with this certificate.
Additional Trusted Installer Signatures
If you enable this option, you can add the signing certificate of a trusted app store to an allowlist when the Check untrusted installer option is enabled.
For more information, see Configuration of App Shielding for Android apps.
No longer distrust system keyboards on rooted devices
App Shielding used to distrust system keyboards on rooted devices. This made it more complicated for applications that did not care about running on rooted devices but did care about keyboards. That is, with an App Shielding configuration that did not exit on detecting a rooted device but exited if an untrusted keyboard was used, you had to add the application signatures for all keyboards that were pre-installed by mobile vendors because App Shielding did not trust them anymore.
In the past, your App Shielding configuration may have included the following:
Exit on rooting: OFF
Exit on untrusted keyboard: ON
Additional trusted keyboard signatures: signatures added
However, distrusting system keyboards on rooted devices does not add much extra security. From now on, you no longer have to add the signatures of pre-installed keyboards.
If you want to protect the app against being run on rooted devices you can apply the following configuration settings:
Exit on rooting: ON
Exit on untrusted keyboard: ON
Third-party code: LibreSSL upgraded
The third-party library LibreSSL has been upgraded to version 3.8.1. For more information, see Open source component licenses for Android.
Fixes and other updates
Improved Shielding Tool class name obfuscation
The class name obfuscation of the Shielding Tool has been improved.
Fixed App Shielding runtime file descriptor leak
A leak of the App Shielding runtime file descriptor has been fixed.
Documentation fixes: details for callback methods missing
Description: The methods for the VIRTUAL_SPACE_APP and EmulatedInputData callbacks were missing from the list of callback data classes.
Status: The documentation has been updated. The methods have been added to the Callback data classes table in the Mobile Application Shielding Integration Guide for Android.
Documentation fixes: incorrect dependencies for configuration options
Description: The Mobile Application Shielding Integration Guide for Android listed incorrect dependencies for the following configuration options:
Exit on untrusted installer
Allow work profile and device vendor virtual spaces
Exit when developer options enabled URL
Status: The documentation has been updated. The correct dependencies are now listed in the Configuration options table of the Mobile Application Shielding Integration Guide for Android.
Documentation fixes: unused error message removed
Description: Error code 18, Screen Mirroring in Use, had been listed incorrectly in the Mobile Application Shielding Integration Guide for Android.
Status: The documentation has been updated. The error code has been removed.
SHAND-3165: Fixed Shielding Tool warnings about configuration options
Description: The Shielding Tool prints a dependency warning if App Shielding contains a configuration that depends on a second configuration which is disabled. Previously, the Shielding Tool printed such a warning in some cases even if the configuration was not explicitly set in the App Shielding configuration.
Status: This issue has been fixed. Now the Shielding Tool warnings are reliably correct again.
SHAND-3426: Improved App Shielding runtime Java debugger detection
The debugger detection for App Shielding runtime Java has been improved. App Shielding now checks more frequently for an attached Java debugger.
SHAND-3666: Improved hiding of App Shielding
Description: Previously, each version of App Shielding had a fixed random native library name (e.g., libneanmmkiaomc.so). Often, this random name allowed easy identification of App Shielding.
Status: This issue has been fixed. Instead of using such a random name, the Shielding Tool now takes the application's package name and uses that as inspiration for a library name that looks unsuspicious. Thus, the App Shielding library name will now look like it is related to the public, visible package name.
SHAND-3720: Fixed Java class name obfuscation
Description: An issue with the Java class name obfuscation was fixed. The Shielding Tool previously failed to obfuscate all classes if you enabled full Java class name obfuscation.
Status: This issue has been fixed. All Java class names can now be obfuscated via the following line in a rules.cfg file:
~~~ cfg
include "builtin:obfuscate-on.cfg";
~~~
SHAND-3730: Fixed unexpected termination with UnsupportedOperationException
Description: An unexpected termination with the UnsupportedOperationException was fixed. This occurred when the Shielding Tool tried to detect the set of supported native library architectures for the input application.
SHAND-3766 and SHAND-3895: App Shielding runtime performance
Description: The startup performance has been improved. App Shielding moved the execution of slow security checks from the initial startup to a background thread and optimized the remaining code. The protected application will now start a bit faster than with previous versions of App Shielding.
SHAND-3784: Fixed issue with internal error reporting
Description: An issue with the internal error reporting caused App Shielding to sometimes report an internal error as a HookingFrameworkException instead of an InternalErrorException.
Status: This issue has been fixed.
SHAND-3800: Fixed unexpected termination when starting a shielded app
Description: When a shielded app was started on a Lenovo TB-X104F device running Android, the app terminated unexpectedly. This occurred when the Advanced debug guard configuration option was enabled. This configuration option increases the security of the shielded app.
Status: This issue has been fixed.
SHAND-3824: Fixed the handling of mapping files inside an app bundle
Description: An issue with handling mapping files inside an app bundle was fixed. The Shielding Tool adds/updates the mapping file inside an app bundle with the Java name obfuscation that was added by the Shielding Tool.
Improved detection mechanisms
Description: A number of detection mechanisms have been improved. These improvements are:
Improved rooting detection. The detection of devices rooted with rooting toolkits like Magisk manager, Magisk Hide, KernelSU, and Zygisk has been improved.
Improved hooking framework detection. The detection of the following hooking frameworks has been improved:
LSPosed
MultiApp
Riru
XPosed
Improved native code hook detection.
App Shielding has been improved in detecting hooking frameworks that inject hooks into the application's native libraries. As part of the native code hook detection, App Shielding can be configured to verify the native libraries of your app. For example, your rules.cfg file can use the following line:
~~~ cfg
verify "lib/arm64-v8a/libmy-native.so";
~~~
The App Shielding native library is always verified. Other native libraries of the application need to be added explicitly. In some situations, App Shielding encountered a race condition when the application loaded several native libraries from different threads. This could have caused a false positive. Now, the race condition is properly handled.
SHAND-3804 and SHAND-3937: Improved emulator detection. The detection of the mogume cloud emulator and BlueStacks emulator has been improved.
SHAND-3973: Improved ADB status detection. App Shielding now detects if Android Developer Bridge (ADB) has been enabled with tools like the WADB - Wireless ADB enabler. This tool can enable ADB without changing the Android system settings. For more information, refer to the Play Store page on WADB.
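Because only the App Shielding native library is verified automatically, a library that is missing from rules.cfg is left out of the native code hook verification described above. The following added example (not part of the OneSpan documentation or tooling) lists the `lib/<abi>/*.so` entries of an APK and returns the `verify` lines that a rules.cfg does not yet contain. It assumes it is run against the unshielded input APK; the function names, the sample APK contents and the sample rules are constructed for illustration.

```python
import io
import re
import zipfile

# Matches the rule form shown on this page: verify "lib/<abi>/<name>.so";
VERIFY_RE = re.compile(r'^\s*verify\s+"([^"]+)"\s*;', re.MULTILINE)
# Native libraries live directly under lib/<abi>/ inside the APK.
NATIVE_LIB_RE = re.compile(r'^lib/[^/]+/[^/]+\.so$')


def native_libs(apk_bytes):
    """Return the sorted lib/<abi>/*.so entries of an APK (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(n for n in apk.namelist() if NATIVE_LIB_RE.match(n))


def verified_paths(rules_text):
    """Return the set of paths already covered by verify rules."""
    return set(VERIFY_RE.findall(rules_text))


def missing_verify_rules(apk_bytes, rules_text):
    """Return verify lines for native libraries that rules.cfg does not list."""
    covered = verified_paths(rules_text)
    return ['verify "%s";' % p for p in native_libs(apk_bytes) if p not in covered]


def build_sample_apk():
    """Constructed sample APK: two ABIs, two libraries, plus non-library files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name in ("classes.dex", "assets/readme.so.txt",
                     "lib/arm64-v8a/libmy-native.so",
                     "lib/arm64-v8a/libcrypto-util.so",
                     "lib/armeabi-v7a/libmy-native.so",
                     "lib/armeabi-v7a/libcrypto-util.so"):
            apk.writestr(name, b"constructed")
    return buf.getvalue()


# Constructed rules.cfg content that covers only one library for one ABI.
SAMPLE_RULES = '''include "builtin:obfuscate-on.cfg";
verify "lib/arm64-v8a/libmy-native.so";
'''

if __name__ == "__main__":
    for line in missing_verify_rules(build_sample_apk(), SAMPLE_RULES):
        print(line)
```

Running the check in CI against each release APK catches a newly added native library or ABI before it ships without verification.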
SHAND-3865: Fixed parsing applications that used non-ASCII characters
Description: An issue occurred with parsing applications that used non-ASCII characters in field names. This affected application code that referenced an obfuscated field name in an annotation value, where the field name was obfuscated with non-ASCII characters.
Status: This issue has been fixed.
SHAND-3901 and SHAND-3938: Fixed false positive on emulated input detection
Description: When the Block emulated input option was enabled, App Shielding incorrectly blocked input that was actually not emulated.
Status: This issue has been fixed.
Improved navigation obfuscation
Several navigation obfuscation mechanisms have been improved:
Obfuscation of navigation actions: If a navigation component uses an action element with an app:argType, and the class name of that app:argType is obfuscated, the Shielding Tool now correctly updates the resource file with the obfuscated class names. Without this fix, the application would crash when trying to use the action.
~~~ xml
<navigation ...>
    <fragment ....>
        <action android:name="exampleData" app:argType="com.example.DataType" />
    </fragment>
</navigation>
~~~
For more information, refer to Use Navigation actions and Fragments in the Android Developer documentation.
SHAND-3899: Obfuscation of navigation dialogs: If a navigation component uses a dialog element and the class name of that dialog is obfuscated, the Shielding Tool now correctly updates the resource file with the obfuscated class names. Without this fix, the application would crash when trying to load the dialog.
~~~ xml
<navigation ...>
    ...
    <dialog ....
        android:id="@+id/myDialog"
        android:name="com.example.MyDialog"
        android:label="MyDialog" />
</navigation>
~~~
For more information, refer to Dialog destinations in the Android Developer documentation.
SHAND-3922: Support Shielding Tool rules with volatile and transient flags
Shielding Tool rules can now use the flags volatile and transient when selecting methods.
To obfuscate all volatile methods, your rules.cfg file can use the following:
~~~ cfg
match class * {
    obfuscate volatile *;
}
~~~
SHAND-3923: Fixed race condition on excluding activities from screenshot protection
Description: App Shielding can be configured to block all screenshots and given rules that allow screenshots on selected activities. You can block screenshots by enabling the Block Screenshots option on the App Shielding Configuration page in the OneSpan Customer Portal.
In the Shielding Tool rules.cfg file, you can override this setting by allowing screenshots for one or more individual activities.
~~~ cfg
allowScreenshotsForActivity com.example.MyScreenShotEnabledActivity;
~~~
In some cases, when the application switched from an activity for which screenshots were blocked to an activity for which screenshots were explicitly allowed, App Shielding did not unblock the screenshots due to a race condition.
Status: This issue has been fixed.
SHAND-3975 and SHAND-3982: Fixed unexpected terminations of the Shielding Tool
Description: The Shielding Tool failed to protect some applications due to unexpected Java byte code. Also, the Shielding Tool terminated unexpectedly with ConcurrentModificationException.
Status: These issues have been fixed.
SHAND-3985: Fixed Shielding Tool rules that used annotations
Description: For rules that used annotations, the Shielding Tool did not match the annotations correctly.
Status: This issue has been fixed.
If you do not want to obfuscate any members that are annotated with the gson @SerializedName annotation, your rules.cfg file can now use the following without any issues:
~~~ cfg
match class * {
    preserve @com.google.gson.annotations.SerializedName <members>;
}
~~~
SHAND-3993: Extended the ShieldSDK callbacks for untrusted installer apps
Description: App Shielding now reports all found untrusted installer apps in the ShieldSDK callbacks.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Magisk and root hider tools on new Android
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
New Android version with 16k page size
Google announced that Android is moving from a 4KB page size to a 16KB page size in Android 15. 16KB page hardware will be available in the market in the future, as well. The current version of App Shielding does not yet run on the new Android 15 images with a 16KB page size, but OneSpan is working on updating the App Shielding native libraries to no longer assume that the page size is 4K.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.