Login
    Contents x
    Integrate App Shielding for App Distribution in China
    • 29 Nov 2024
    • 3 Minutes to read
    • Dark
      Light
    • PDF
    Contents

    Integrate App Shielding for App Distribution in China

    • Updated on 29 Nov 2024
    • 3 Minutes to read
    • Dark
      Light
    • PDF
    Article summary

    To distribute an app in China, compliance with the Personal Information Protection Law is required. The law, effective from November 1, 2021, impacts handling personal data within China. Banks need one-time consent from customers before using banking apps. App Shielding must postpone certain security checks until after consent is given. Partially postponed checks like rooting and hooking frameworks have minimal security impact. Fully postponed checks include untrusted keyboard, screen mirroring, and more. An activity for user consent is necessary for security checks. Integration for PIPL compliance involves adding specific dependencies and annotations. It is crucial to inform users about restricted Android APIs.

    To distribute an app in the People's Republic of China, the app must comply with China's Personal Information Protection Law (PIPL).

    Context

    On November 1st, 2021, the Chinese PIPL regulations law took effect, which had implications for all parties handling personal information of natural persons within the borders of China.

    Among a range of consequences, for banks, this means implementing a one-time consent for each customer prior to using their banking app. For App Shielding, this means that some of the security checks must be postponed until after the consent activity has been shown and accepted.

    Because of this, OneSpan has created a dedicated PIPL feature in App Shielding to postpone its related method calls used in some security checks. Some of the checks could be partially postponed, while others must be fully postponed. For both cases, the actual security impact can be neglected as long as the correct precautions are implemented, as described below.

    Partially postponed checks

    Rooting

    Certain rooting checks contain the querying of the applications on the device. This part of the rooting check is a very small part of the entire rooting check and is considered of less importance. Consequently, the security effect of this delayed check is minimal.

    Hooking Frameworks

    Hooking framework checks in App Shielding also contain the querying of the applications on the device. This part of checking for hooking frameworks is also a very small part of the entire hooking framework checking and is considered to have little impact. Because of that, the security effect of this check is not crucial.

    For the partially postponed security checks, the postponed sections are quite small, and there is no security risk. However, it is strongly recommended not to launch any important classes during this Consent Activity phase containing any sensitive information.

    Fully postponed checks

    Untrusted Keyboard, Screen mirroring, Untrusted Screen reader, ADB Status, Developer Options

    These checks are fully postponed as App Shielding requires the device settings information regarding default input method, accessibility services, screen mirroring, ADB and developer options. It appears from the report that PIPL regulations block the methods regarding ‘Settings’.

    It is highly recommended to refrain from having any application information or user input in the Consent Activity because the checks are not performed in this phase. Untrusted Keyboards, Screen readers (Accessibility Services), Screen mirroring, and ADB will not be detected or blocked when the user is on the Consent Activity Screen. An attacker can possibly run any attack vector from the listed security checks, such as a screen reader, and possibly read the data or user input. This means there is no security risk if no sensitive information is shown or obtained during this first activity.

    Untrusted Installer, Virtual space app

    These checks are fully postponed as App Shielding requires the settings information for the installed applications as the main part of these checks. These checks will not be performed completely during the Consent Activity. These checks do not directly introduce direct security risk.

    Add compatibility for App  Shielding

    For the regulations, an activity is needed where the user consents to calls made in your app for security purposes. Therefore, an activity where these mentioned security checks do not run must be added. After the user consents to these calls, you do not have to ask for consent for the second launch. From that activity, you can launch the regular launcher activity, and App Shielding will perform the remaining security checks for which the user has given their consent.

    To integrate PIPL compliance

    1. For the client SDK setup, add the following to the dependencies section:

      //build.gradle
dependencies {
  …
  implementation files("shield_pipl_android.aar")
}      

    2. For the integration of the client SDK, add the annotation @ConstentActivity to the activity to automatically register to comply with PIPL requirements.

      The Consent activity should come before the main activity.

      //ConsentActivity.java
@no.promon.shield.pipl.ConsentActivity
public class ConsentActivity extends
AppCompatActivity {

  @Override
  protected void onCreate(Bundle
savedInstanceState) {
    super.onCreate(savedInstanceState);
    EdgeToEdge.enable(this);
setContentView(R.layout.activity_consent);  

      You need to inform the user in that activity that the application uses Android APIs that are restricted by the PIPL.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, our interactive help assistant