Login
    Contents x
    Mobile Application Shielding for Android Version 7.3.1 (April 2025)
    • 03 Apr 2025
    • 7 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Mobile Application Shielding for Android Version 7.3.1 (April 2025)

    • Updated on 03 Apr 2025
    • 7 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    Introduction

    Welcome to Mobile Application Shielding for Android 7.3.1!

    The OneSpan Customer Portal only accepts connections via TLS 1.2 or later. Earlier versions are no longer supported because all versions of the TLS protocol prior to 1.2 have been deprecated.

    This is a release of Mobile Application Shielding, which contains enhancements and other product updates. For more information about new features and fixed defects, refer to the respective chapters in this document. For information about configuring and using Mobile Application Shielding, see the Mobile Application Shielding Integration Guide.

    To maintain protection against the latest mobile threats, ensure to update Mobile Application Shielding to the latest version!

    Supported platform versions

    • App Shielding version 7.3.1 was successfully tested with Android 15.

    • Android 5.0 (API level 21) – Android 15 (API level 35).

    • Shielding Tool:

      • Windows 10: 64-bit Java 17

      • Mac OSX (10.9+)

      • Ubuntu Linux 20.04 LTS or 22.04 LTS

    Android platform updates

    The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.

    If you want your protected app to run on Android 15, you must upgrade to App Shielding 6.6.0 or later.

    Beginning with Android 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes. For more information, refer to the Android Developer documentation.

    As of March 1, 2025, App Shielding for Android version 5.7.1.98641 and earlier are no longer supported. For more information, refer to the OneSpan Mobile Portal or the OneSpan Customer Portal.

    Deprecations

    Platform minimum supported versions

    Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).

    Android Native Development Kit (NDK)

    Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).

    App Shielding switches to NDK r26 after its release as LTS version.

    Deprecated API: ShieldSDK-secure-edit-text

    The ShieldSDK-secure-edit-text API has been marked as deprecated. It is no longer maintained and is considered obsolete. It will be removed in an upcoming release.

    New features and other updates

    Performance improvements

    This version of App Shielding improves the startup and runtime performance of a protected application with the following measures:

    • Reduced number of concurrently running threads.

    • Optimized algorithms.

    • Lowered thread priority for background threads on low end devices.

    Consolidate Check rooting deep scan configuration options

    The behavior of the Check rooting deep scan configuration option has now been consolidated. If Check rooting deep scan is enabled in the configuration, App Shielding starts scanning the device file system for suspicious files. A file is suspicious if it has a suid or sgid attribute set or if it looks like an su binary.

    Previously, the scanning for suid or sgid attributes was started even if the check was disabled, and a configured ExtendedObserver might have received a callback about suid or sgid files, but not about su binaries. Now, the scanning is only started if Check rooting deep scan is enabled. For more information, see Rooting.

    Least Recently Used Cache for pull bindings

    To improve runtime performance, App Shielding now provides an optional Least Recently Used (LRU) cache for pull bindings. To enable an LRU pull binding cache with a maximum cache size of 3% of all pull bindings, add the following to your rules.cfg file:

    ~~~
cfg
bindingCache { max-size 3% }
~~~

    For more information, see Least Recently Used Cache.

    Separate overlay blocking and tapjacking protection

    App Shielding version 7.0.0 introduced a new feature, Tapjacking Protection, which can be enabled with the Check tapjacking and Block tapjacking options. Tapjacking protection originally consisted of two distinct types of protection:

    • Block any input to the application when a non-system overlay is detected on the screen (i.e., block tapjacking attempts).

    • Block and remove non-system overlays when the protected application is running (on Android 12 and later).

    Because these are two distinct types of protection, the second type, blocking non-system overlays, has been moved to its own App Shielding configuration option called Block non-system overlays. For more information, see Tapjacking.

    If you were using the Check tapjacking and Block tapjacking configuration options in App Shielding 7.0.x, and you want to keep the same functionality, you must explicitly enable the new Block non-system overlays option.

    Unlocked bootloader detection

    The device's bootloader is responsible for loading the operating system. App Shielding can now detect if this bootloader has been "unlocked", which allows the device to then be flashed and rooted. An unlocked bootloader also suggests that the device might be running a custom and/or malicious OS.

    Even though an unlocked bootloader on its own is not a security threat, it is often a first step to other potential attacks. Unlocked bootloader detection is enabled with the checkBootloaderStatus configuration option. You can also use exitOnBootloaderStatus to exit the app when an unlocked bootloader is detected, and exitOnBootloaderStatusURL to exit the app and open a browser with the configured URL to explain the problem to the user. For more information, see Unlocked bootloader detection and Exit URL Launching on Android.

    This feature also adds a new ExtendedObserver callback with a BOOTLOADER_STATUS callback type and BootloaderStatusData class. Use the class's isBootloaderUnlocked() method to check the status of the bootloader. For more information, see Callbacks on Android.

    On some older devices and non-GMS (Google Mobile Services) devices, it might not be possible to accurately determine the bootloader status. In these cases, App Shielding assumes the bootloader is locked to limit false positives.

    This option might have a negative effect on launch performance.

    Disable rooting checks in release mode

    You can now disable rooting checks also in the App Shielding release mode. If you disable the Check rooting configuration option, App Shielding does not run its rooting checks. Previously, the Check rooting option could only be disabled in debug mode.

    By default, the Check rooting configuration option is still enabled.

    Emulated input threshold increased

    The range of the recommended threshold for emulated input has been increased and lies now between 30 and 35 with a default value of 31.

    Fixes and other changes

    SHD-00002135: App terminated unexpectedly on Huawei devices

    Description: An issue in the guard process caused the application to terminate unexpectedly on Huawei devices.

    Status: This issue has been fixed.

    Empty value in getUntrustedScreenreaderSignature() method

    Description: The value of the getUntrustedScreenreaderSignature() method of the ScreenreaderData class was empty when the ExtendedObserver callback was used.

    Status: This issue has been fixed.

    Known limitations

    The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.

    Bypassing App Shielding protection in Cordova-based applications

    Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:

    1. It is not longer protected with App Shielding.

    2. It is signed with a different developer certificate.

    Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.

    OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.

    NFC payment failure in shielded apps with Thales Gemalto SDK

    Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.

    Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within theThales Gemalto SDK.

    It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!

    Magisk and root hider tools on new Android versions

    Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.

    On Android 8+, App Shielding may not able to reliably detect a rooted device with Magisk Hide depending on the version of these tools.

    Android App Bundles

    The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, our interactive help assistant