Mobile Application Shielding for Android Version 7.4.0 (May 2025)
- 22 May 2025
- 6 Minutes to read
- Print
- DarkLight
- PDF
Mobile Application Shielding for Android Version 7.4.0 (May 2025)
- Updated on 22 May 2025
- 6 Minutes to read
- Print
- DarkLight
- PDF
Article summary
The Mobile Application Shielding for Android version 7.4.0 introduces enhancements and updates, supporting Android versions from 5.0 to 15. Users are encouraged to upgrade to maintain protection against mobile threats. The Shielding Tool is compatible with Windows 10, Mac OSX, and Ubuntu Linux. Notably, the minimum supported Android version has shifted to 5.0, and deprecated features include the ShieldSDK secure edit text API and certain configuration options. Improvements include better compatibility checks and enhanced detection of emulated input and unlocked bootloaders. However, limitations persist, such as issues with blocking screenshots and potential vulnerabilities in Cordova-based applications. NFC payment failures with the Thales Gemalto SDK are noted, requiring allowlisting for compatibility. Additionally, root hider tools like Magisk may complicate detection of rooted devices on newer Android versions. Overall, the update aims to enhance security while addressing existing challenges.
Did you find this summary helpful?
Thank you for your feedback
Introduction
Welcome to Mobile Application Shielding for Android 7.4.0!
This is a release of Mobile Application Shielding, which contains enhancements and other product updates. For more information about new features and fixed defects, refer to the respective chapters in this document. For information about configuring and using Mobile Application Shielding, see the Mobile Application Shielding Integration Guide.
To maintain protection against the latest mobile threats, ensure to update Mobile Application Shielding to the latest version!
Supported platform versions
App Shielding version 7.4.0 was successfully tested with Android 15.
Android 5.0 (API level 21) – Android 15 (API level 35).
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.9+)
Ubuntu Linux 20.04 LTS or 22.04 LTS
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.
If you want your protected app to run on Android 15, you must upgrade to App Shielding 6.6.0 or later.
Beginning with Android 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes. For more information, refer to the Android Developer documentation.
As of March 1, 2025, App Shielding for Android version 5.7.1.98641 and earlier are no longer supported. For more information, refer to the OneSpan Mobile Portal.
Deprecations
OneSpan Customer Portal decommissioned
As announced over the previous months, with the launch of our new OneSpan Mobile Portal, we have now decommissioned our previous portal, the OneSpan Customer Portal. Our new OneSpan Mobile Portal offers enhanced features, stronger security, and a more intuitive user interface, designed to provide you with a superior experience. For more information about the OneSpan Mobile Portal, see How to use the OneSpan Mobile Portal.
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
Deprecated API: ShieldSDK-secure-edit-text
The ShieldSDK-secure-edit-text API has been marked as deprecated. It is no longer maintained and is considered obsolete. It will be removed in an upcoming release.
Deprecated configuration option removed: Allow work profile and device vendor virtual spaces
The Allow work profile and device vendor virtual spaces configuration option is now deprecated and has been removed. It has been replaced with the Check Private Space option.
For more information, see Configuration of App Shielding for Android apps.
Fixes and other changes
SHAND-4497: Improved compatibility check between the Shielding Tool and Shield SDK versions
Previously, the Shielding Tool checked that an application compiled with any Shield SDK modules had the same version number between the module(s) and the Shielding Tool. If it detected a different Shield SDK version, the Shielding Tool printed an error message like the following example and exited:
```
ERROR: Shield SDK module common detected with version 7.0.4, but expected version 7.4.0
ERROR: Cannot shield the application:
ERROR: Shield SDK version mismatch! The application needs to be compiled with the
Shield SDK that is delivered with the Shielding Tool. Either recompile your application with
Shield SDK version 7.4.0 or use Shielding Tool version 7.0.4.
```
Now, the Shielding Tool accepts older Shield SDK modules if they are binary compatible with the Shielding Tool version. That is, for patch level updates, the application does not need to be recompiled with new Shield SDK modules.
SHAND-4922: Improved emulated input detection
Detection of emulated input has been improved for several Honor devices.
SHAND-4931: Unlocked bootloader detection
The improved unlocked bootloader detection now supports Android 16 and detects an unlocked bootloader on several OnePlus devices. An unlocked bootloader allows the device to be flashed and rooted. It also suggests that the device might be running a custom and/or malicious operating system. Even though an unlocked bootloader on its own is not a security threat, it is often a first step to other potential attacks. Unlocked bootloader detection is enabled with the Check bootloader status configuration option. You can also use Exit on bootloader status to exit the app when an unlocked bootloader is detected.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Methods to block screenshots also block screen mirroring tools
Description:The methods used to block screenshots also block some screen mirroring tools. However, the scrcpy tool is only blocked on Android 12 and later. On Android 15, this option also blocks partial screen sharing.
Bypassing App Shielding protection in Cordova-based applications
Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:
It is not longer protected with App Shielding.
It is signed with a different developer certificate.
Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.
OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.
NFC payment failure in shielded apps with Thales Gemalto SDK
Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.
Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within theThales Gemalto SDK.
It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not able to reliably detect a rooted device with Magisk Hide depending on the version of these tools.
Was this article helpful?