Version 7.0.2 (December 2024)

The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.

If you want your protected app to run on Android 15, you must upgrade to App Shielding 6.6.0 or later.

Beginning with Android 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes. For more information, refer to the Android Developer documentation.

To distribute an app in the People's Republic of China, the app must comply with China's Personal Information Protection Law (PIPL). The PIPL has implications for all parties handling personal information of natural persons within the borders of China.

Among a range of consequences, for banks, this means implementing a one-time consent for each customer prior to using their banking app. For App Shielding, this means that some of the security checks must be postponed until after the consent activity has been shown and accepted. OneSpan has created a dedicated PIPL feature in App Shielding to postpone its related method calls used in certain security checks. Some of the checks could be partially postponed, while others must be fully postponed. For both cases, the actual security impact can be neglected as long as the correct precautions are implemented, as described in the Integrate App Shielding for App Distribution in China.

Description: When protecting applications that utilize a significant amount of compiled Kotlin code, the Shielding Tool could encounter memory exhaustion.

Status: This issue has been addressed for several of these scenarios.

Resolved a race condition in the libshield activity lifecycle listener 's that could potentially cause an unexpected termination.

Description: On some Android 5.x devices, App Shielding exited with an invalid option error. This was because App Shielding passed a flag to a libc function that was unknown to the old Linux Kernel of that Android version.

Status: This issue has been fixed.

The ShieldSDK-secure-edit-text API that was removed in the previous version has been added again.

Fixed an issue where App Shielding terminated unexpectedly when being woken spuriously.

Description: Fixed an issue when the Shielding Tool needed to parse a specific byte code instruction that may be in an app that was compiled for an SDK version 26 or later. The Shielding Tool previously exited with an error like the following:

ERROR: Error: java.lang.RuntimeException: Unable to parse line 40 from classes.dex/com.example.Test:

 invoke-custom {p0}, call_site_0("run", ...)@...Ljava/lang/invoke/CallSite;

...

Caused by: java.lang.IllegalArgumentException: Unknown primitive value type ()V

Status: This issue has been fixed.

Description: A NullPointerException related to AccessibilityNodeInfo occurred on some Android versions while App Shielding blocked an untrusted screen reader.

Status: This issue has been fixed.

Description: Some devices are rather slow on enabling accessibility services, for example Talkback. If a trusted screen reader is enabled while a protected application is running and enabling that screen reader takes a long time, App Shielding failed to see the enabled trusted screen reader and thus did not unblock the application for screen reader access.

Status: This issue has been fixed.

Description: Fixed a leaking Intent Receiver. The error may have been observed in an adb log message like:

...  1234  1234 E ActivityThread: Activity com.example.MyActivity has leaked IntentReceiver ab.C@12345678 that was originally registered here. Are you missing a call to unregisterReceiver()?

Status: This issue has been fixed.

Description: On several Huawei devices, an unexpected termination due to stack overflow was observed when executing onTransact while running a shielded application.

Status: This issue has been fixed.

Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:

1. It is not longer protected with App Shielding.

2. It is signed with a different developer certificate.

Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.

OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.