Version 5.0.5 (June 2023)

The Android minimum supported version is 4.4 (API level 19).

We have changed the naming schema of the bound package contained within a .zip file. The file name prefix has changed from “wrapped” to “shielded”.

• Old naming schema:

  • wrapped-original package file name.original package file extension

• New naming schema:

  • shielded-original package file name.original package file extension

You can now customize the settings for obfuscation by defining rules in the Rules.cfg file. With this, you determine how App Shielding will modify the Android application, especially in the context of shielding and obfuscation.

This feature is only available if Default Obfuscate is disabled.

For examples and more information, refer to the sections on how to configure rules in the Shielding Tool and app obfuscation in theMobile Application Shielding Integration Guide.

Also, the toggle switch for the Default Obfuscate option in the OneSpan Customer Portal has been moved to the left column of the Settings section next to the Rules.cfg option. This serves to facilitate entering keywords for defining obfuscation rules.

You can now prevent emulated from being injected into the screen.

Non-physical inputs (motion events) are known as emulated input. Emulated input might originate from the Android Debug Bridge (ADB), autoclick applications, screen-mirroring applications, screen reader applications, etc.

When enabled, App Shielding performs a security check to determine if the input is emulated or physical, and blocks input originating from all sources except physical input. The type of input can be touch and/or swipe events.

You can also define an emulated input threshold. App Shielding assigns a score value for each input to determine if the input might be emulated. Input scores above this threshold will be considered as emulated inputs.

When you enable Block emulated input, the portal  displays the Emulated input threshold field where you can enter a number. The recommended value for this threshold is between 25 and 30. By default, this value is set to 30.

The following dependencies must be enabled to use the Block emulated input feature: Check rooting, Check trusted screenreaders, Check adb status.

For more information, refer to the sections with security features on Android on block emulated input and on configuration options for Android in the Mobile Application Shielding Integration Guide.

Description: The Shielding Tool can now load the application signer certificate from the apk if the app is signed with APK Signature Scheme 2 or 3 and no longer has the v1 Scheme Signature. The v1 Scheme Signature is no longer added for a default Android Studio project with minSdkVersion > 24. The APK signature is used in the App Shielding repackaging check when the application is configured with applicationSignerCertificateauto (this is the default) or original.

Example:

---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
  <config>
    <applicationSignerCertificate v="auto" />
    <applicationSignerCertificate v="original" />
    ...
  </config>
</shield>
---

For more information, refer to https://source.android.com/docs/security/features/apksigning.

Description: App Shielding sometimes terminated unexpectedly on Android 4.4 because an internal App Shielding Java class was not available from the first classes.dex file.

Status: This issue has been fixed. This fix is only recommended if your application supports Android 4.4.

Description: Some applications are optimized by R8 in Application.attachBaseContext() which causes a shielded application to terminate unexpectedly upon starting the application. This unexpected termination happens only on Android versions 7 and earlier.

Status: This issue has been fixed. Now the Shielding Tool can handle R8-optimized Application.attachBaseContext() correctly.

The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.