Version 5.7.0 (July 2023)
  • 28 Oct 2024

Supported platform versions

  • App Shielding version 5.7.0 was successfully tested with Android 13.

  • Android 4.4 (API level 19) – Android 13 (API level 33).

  • Shielding Tool:

    • Windows 10: 64-bit Java 11 or 17

    • Mac OSX (10.9+)

    • Ubuntu Linux 20.04 LTS or 22.04 LTS

  • ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.

Deprecations

Google has announced that the next Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).

App Shielding will switch to NDK r26 after its release as an LTS version, which is expected for Q3 2023.

Android platform updates

The Android minimum supported version is 4.4 (API level 19).

This version of App Shielding supports Android 14 beta 3.

As of July 1, 2022, App Shielding for Android versions 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.

New features and other updates

Option to check for an untrusted installer

A new option is available to check for an untrusted installer. It lets you configure the mode for the untrusted installer check.

This depends on the settings of Query All Packages Permission and checkUntrustedInstaller.

Option to exclude an activity from the screenshot block

An option has been added to exclude an activity from the screenshot block. This can be used for apps that want their users to take a screenshot of a specific activity to verify payments, receipts, etc.

If App Shielding is configured with blockScreenshots to block screenshots from being taken of the app, that is, in config.xml:

---
<?xml version="1.0" encoding="UTF-8"?>
<shield>  
  <config>    
    <blockScreenshots v="true" />
...
  </config>
</shield>
---

Then the Shielding Tool rule allowScreenshotsForActivity can be used to exclude an activity class from this block. That is, adding this rule in rules.cfg:

---
allowScreenshotsForActivity com.example.DontBlockScreenshotsFromMyActivity;
---

tells App Shielding to allow screenshots if the specified activity is visible, even if blockScreenshots is enabled. The argument for allowScreenshotsForActivity is the class name of an activity.

New rooting check

The new check scans for root hider applications and is designed to detect rooting packages that have been hidden by advanced tools such as Magisk Manager. It is executed as part of the rooting check.

LSPosed hooking framework detection

App Shielding now detects if the LSPosed hooking framework is installed on a device and targets a shielded app.

Detection of VMOS emulators

VMOS is an Android application that can create emulators on an Android device. VMOS makes it possible to create highly configurable emulator images. Some of these images may be rooted, and some may have Xposed installed. VMOS emulator detection is part of the checkEmulator/exitOnEmulator App Shielding configuration options (config.xml):

---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
  <config>
    <checkEmulator v="true" />
    <exitOnEmulator v="true" />
...
  </config>
</shield>
---

checkEmulator and exitOnEmulator are enforced for the release profile.

There may be VMOS images that libshield does not yet detect as emulators. Rooted VMOS images may be detected as rooted, so it may be useful to enable checkRooting (which is enforced for the release profile) and exitOnRooting:

---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
  <config>
    <checkEmulator v="true" />
    <exitOnEmulator v="true" />
    <checkRooting v="true" />
    <exitOnRooting v="true" />
...
  </config>
</shield>
---

Amazon App Store Support

Amazon App Store modifies your application's files. For all applications, Amazon App Store injects some code and files into the application. This modification triggers the default repackaging checks of App Shielding.

Now the Shielding Tool provides a collection of Shielding Tool rules to skip the integrity check of the files that are known to be modified by Amazon App Store. To use these rules, add the following include statement to your Shielding Tool rules:

------------
include "builtin:amazon-app-store-support.cfg";
------------

These rules should only be used if you intend to publish your application through the Amazon App Store.

For more information, refer to the Mobile Application Shielding Integration Guide.
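A review check for the screenshot, emulator/rooting and Amazon App Store settings described above. This is an added example, not OneSpan code: the sample files are constructed, the `amazon_build` parameter and the finding texts are hypothetical, and the rules.cfg parsing assumes only the two statement forms shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real project).
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<shield>
  <config>
    <blockScreenshots v="true" />
    <checkEmulator v="true" />
    <exitOnEmulator v="true" />
    <checkRooting v="true" />
  </config>
</shield>
"""
RULES_CFG = """
allowScreenshotsForActivity com.example.ReceiptActivity;
include "builtin:amazon-app-store-support.cfg";
"""

def enabled(config, name):
    """True only if <name v="true" /> is present under <config>."""
    el = config.find(name)
    return el is not None and el.get("v") == "true"

def lint(config_xml, rules_cfg, amazon_build=False):
    """Return review findings for a config.xml / rules.cfg pair."""
    config = ET.fromstring(config_xml.encode("utf-8")).find("config")
    findings = []
    # Every exempted activity is a screen that can be captured despite the block.
    exempt = re.findall(r"^\s*allowScreenshotsForActivity\s+([\w.$]+)\s*;",
                        rules_cfg, re.M)
    if exempt and not enabled(config, "blockScreenshots"):
        findings.append("blockScreenshots is not enabled: "
                        "allowScreenshotsForActivity rules exclude nothing")
    for activity in exempt:
        findings.append(f"screenshots allowed for {activity}: "
                        "confirm it shows no sensitive data")
    # A check without its exit action detects the condition but keeps running.
    for check, action in (("checkEmulator", "exitOnEmulator"),
                          ("checkRooting", "exitOnRooting")):
        if enabled(config, check) and not enabled(config, action):
            findings.append(f"{check} is enabled without {action}")
    # The Amazon rule set skips integrity checks; it belongs only in Amazon builds.
    amazon = re.search(r'^\s*include\s+"builtin:amazon-app-store-support\.cfg"\s*;',
                       rules_cfg, re.M)
    if amazon and not amazon_build:
        findings.append("Amazon App Store integrity exclusions in a non-Amazon build")
    return findings
```
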

Fixes and other changes

SHAND-3351: Support Android 14, beta 1—3

Description: Previous versions of App Shielding terminated unexpectedly when launching a shielded app on Android 14 beta because App Shielding uses some public APIs that were deprecated in Android 13 and caused an unexpected termination in Android 14. Java class was not available from the first classes.dex file.

Status: This issue has been fixed.

SHAND-3502, SHAND-3546: Fix mapping.txt for Crashlytics and writing mapping.txt

Description: Crashlytics needs a mapping.txt that contains entries for both obfuscated and non-obfuscated classes and members. Previously, the Shielding Tool wrote only the classes and members that were obfuscated. Now, the Shielding Tool writes the names that were not obfuscated as well as the classes and members that were obfuscated. An issue introduced with this change caused an obfuscated class to appear twice in the generated mapping.txt file: once with the original name mapping to the obfuscated name and once with the obfuscated name mapping to itself:

---
com.example.MyClass -> a.b:
...
a.b -> a.b:
...
---

Status: This issue has been fixed. Only the mapping of the original name to the obfuscated name is written.
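To check whether a mapping.txt generated before the fix contains the duplicate entry described above, the following added example (not part of the Shielding Tool) scans the class lines. The sample mapping is constructed, and the indented member-line layout is assumed to follow the usual ProGuard-style format.

```python
import re

# Constructed sample: a.b appears as the target of MyClass and as "a.b -> a.b:".
MAPPING = """\
com.example.MyClass -> a.b:
    int counter -> a
a.b -> a.b:
    int a -> a
com.example.Kept -> com.example.Kept:
    void run() -> run
"""

# Class lines start in column 0 and end with a colon; member lines are indented.
CLASS_LINE = re.compile(r"^(\S+) -> (\S+):\s*$")

def self_mapped_duplicates(mapping_text):
    """Return obfuscated class names that are the target of an original name
    and also appear as a redundant 'x -> x:' entry."""
    targets = {}  # obfuscated name -> set of names mapped to it
    for line in mapping_text.splitlines():
        m = CLASS_LINE.match(line)
        if m:
            targets.setdefault(m.group(2), set()).add(m.group(1))
    # A class that was not obfuscated legitimately maps to itself; only flag
    # a self-mapping when some other original name maps to the same target.
    return sorted(obf for obf, origs in targets.items()
                  if obf in origs and len(origs) > 1)
```
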

SHAND-3509: Fix the UNTRUSTED_SOURCE_APP callback data type

Description: If checkUntrustedInstaller is enabled in the App Shielding configuration, <checkUntrustedInstaller v="true" />, and App Shielding detected an app that was installed from an untrusted source, then the ExtendedObserver received a callback of type UntrustedSourceAppData. The signer name of the installer of the untrusted source application was reported incorrectly, that is, the string returned by UntrustedSourceAppData.getUntrustedSourceAppInstallerSignerName(index). That return value was the signer name of the untrusted source application itself.

Status: This issue has been fixed. The other data (signature, package name, etc.) are reported correctly.

SHAND-3514: Improve adb status detection

Description: If App Shielding is configured with <checkAdbStatus v="true" />, then previous versions of App Shielding reported adb as inactive if the developer options were disabled with the following adb command, even though adb was still active.

~~~
$ adb shell settings put global development_settings_enabled 0
~~~

Status: This issue has been fixed.

SHAND-3527: Support the new Android 12—14 garbage collector

Description: Android 14 will be the first version that gets a new garbage collector (GC) implementation. That GC caused an ANR with App Shielding 5.6.0 and older. That GC will be rolled out by Google to Android 13 and Android 12 some time in August.

Any application that wants to support Android 12 and Android 13 needs to upgrade to this version of App Shielding (5.7.0). Applications that want to support Android 14 (and older) need to upgrade to this version of App Shielding (5.7.0). Otherwise, the application will not work after the new GC is enabled.

Affected devices are those with Linux kernel 5.10 or above. To test the new GC you can use a recent AOSP on a Pixel 6 or later and run the following adb commands:

~~~
$ adb shell device_config set_sync_disabled_for_tests persistent
$ adb shell device_config put runtime_native_boot enable_uffd_gc true
$ adb reboot
~~~

To confirm whether you have switched to the new GC, use the following command. There should be some log messages.

~~~
$ adb logcat | grep "concurrent mark compact"
~~~

SHC-297: Update org.apache.commons.text to version 1.10.0 in the Shielding Tool

Description: The vulnerability CVE-2022-42889 is contained in org.apache.commons.text in versions 1.5 to 1.9.

The version has now been updated, though the Shielding Tool never used any of the vulnerable code.

Known limitations

The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.

Android App Bundles

The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.

Detection of root hiding tool on new Android versions

Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.

