- 09 Jan 2025
Use cases and key concepts
- Updated on 09 Jan 2025
The SAROM feature suits a number of use cases for developers and app owners where sensitive data must exist in the published app:
- Certificates
- API keys
- etc.
SAROM data is stored in the shielded app as an encrypted key-value store.
The key-value data stored in SAROM is encrypted by the Shielding Tool when the app is shielded, and decrypted by App Shielding at runtime. The key uniquely identifies the value. The SAROM API provides an interface to request the decrypted value for a key.
Before shielding, place the key-value data that should be encrypted in SAROM in a special sarom folder of the application. The key is the file path relative to the special sarom folder. The value is the content of the file. The special sarom folder is platform specific. For more information, see iOS integration and Android integration.
When the application is shielded, the Shielding Tool encrypts these resources, places them elsewhere in the final application, and removes the original unencrypted files from the special sarom folder.
Stored data is encrypted using the AES-256 algorithm in GCM mode. The cryptographic methods may be updated over time. Since the encryption is performed during shielding, this will have no impact on historic releases. The release notes of each version of OneSpan App Shielding will provide details on such changes.
The SAROM API can be used before shielding the application with the Shielding Tool. In this case, the SAROM API returns the value for a requested key without decrypting the value. This can be used to integrate the SAROM SDK and test it without fully shielding the app.
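A release-pipeline check for the behaviour described above, as an added example (not OneSpan code): it derives SAROM keys from a sarom folder as the page describes (relative path as key, file content as value) and scans a built package, which for APK and IPA files is a ZIP archive, for verbatim copies of those values. The folder location, file names, values and package contents are constructed placeholders.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def sarom_entries(sarom_dir):
    """Map each SAROM key (path relative to the sarom folder) to its value (file bytes)."""
    root = Path(sarom_dir)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_plaintext_leaks(package, entries, min_len=8):
    """Return (sarom_key, archive_member) pairs where a value appears verbatim in the package."""
    leaks = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompressed member content
            for key, value in entries.items():
                # Very short values are skipped: they match by chance too often.
                if len(value) >= min_len and value in data:
                    leaks.append((key, info.filename))
    return leaks


def _zip(members):
    """Build an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def demo():
    """Constructed sample: a sarom folder and two fake packages (not real app builds)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "sarom")  # real folder location is platform specific
        (root / "certs").mkdir(parents=True)
        (root / "certs" / "backend.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n")
        (root / "api_key.txt").write_bytes(b"constructed-api-key-0001")
        entries = sarom_entries(root)
    before = _zip({"placeholder/sarom/api_key.txt": entries["api_key.txt"], "app/code.bin": b"code"})
    after = _zip({"placeholder/blob.bin": bytes(range(64, 128)), "app/code.bin": b"code"})
    return sorted(entries), find_plaintext_leaks(before, entries), find_plaintext_leaks(after, entries)
```

An empty result only shows that no verbatim copy of a value remains in the archive; it does not validate the encryption itself.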