Introduction
Welcome to Mobile Application Shielding for Android 8.0.1!
This is a release of Mobile Application Shielding, which contains enhancements and other product updates. It also contains a compatibility release (App Shielding for Android 8.0.1-SDKcompat) to support compatibility with third party SDKs (e.g., payment SDKS).
Except for the compatibility feature, there are no differences between App Shielding for Android 8.0.1-SDKcompat and App Shielding for Android 8.0.1. Thus, no separate set of documents has been provided for the compat release.
For more information about new features and fixed defects, refer to the respective chapters in this article. For information about configuring and using Mobile Application Shielding, see the Mobile Application Shielding Integration Guide. For more information about the compatibility release, see Mobile Application Shielding Compatibility release.
Supported platform versions
App Shielding version 8.0.1 was successfully tested with Android 16.
Android 5.0 (API level 21) – Android 16 (API level 36).
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.9+)
Ubuntu Linux 22.04 LTS or 24.04 LTS
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 16.
If you want your protected app to run on Android 15 or later, you must upgrade to App Shielding 6.6.0 or later.
Beginning with Android 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes. For more information, refer to the Android Developer documentation.
As of March 1, 2025, App Shielding for Android version 5.7.1.98641 and earlier are no longer supported. For more information, refer to the OneSpan Mobile Portal.
Deprecations
x86 platforms no longer supported
As of this version, App Shielding no longer supports x86 platforms.
Removal of deprecated API: ShieldSDK-secure-edit-text
The deprecated ShieldSDK-secure-edit-text API has been removed.
OneSpan Customer Portal decommissioned
The OneSpan Customer Portal has been officially decommissioned and replaced with the OneSpan Mobile Portal. For more information about how to use the OneSpan Mobile Portal, see the OneSpan Mobile Portal User Guide.
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
Memory Scan Detector
With the new Memory Scan detector, App Shielding checks for unauthorized memory access or scanning activity. If a malicious memory scan is detected, the application is terminated. Memory Scan is enabled by default and can be disabled with the new Check Memory Scan configuration option.
Fixes and other changes
Deadlock resolved
Description: When an ExtendedObserver instance was removed while handleCallback was active, a deadlock occurred.
Status: The provided example code no longer causes a deadlock:
```kotlin
package com.example
import no.promon.shield.callbacks.CallbackData
import no.promon.shield.callbacks.CallbackManager
import no.promon.shield.callbacks.ExtendedObserver
class ExampleObserver() : ExtendedObserver {
override fun handleCallback(data: CallbackData?) {
[...]
CallbackManager.removeObserver(this)
}
}
```RASP-4973: Error after downloading big file
Description: After successfully shielding a large application, App Shielding displayed a NoSuchKey error when the user tried to download the shielded application.
Status: This issue has been fixed. During the shielding process, App Shielding displays the log file with the shielding progress, and once shielding has completed, the user can download the app.
SHAND-4591: Improved rooting detection
The rooting detection has been improved when the shielded app has the QUERY_ALL_PACKAGES permission set for root hider tools.
SHAND-5028: Screenshots blocking issue
Description: Screenshots were incorrectly blocked even after an updatable configuration disabled the Block screenshots configuration option.
Status: This issue has been fixed.
SHAND-5061 and SHAND-5103: Stability and compatibility fixes
This version of App Shielding also resolves several stability issues and improves overall compatibility:
improved performance consistency by adjusting the internal toolchain
resolved rare unexpected termination that occurred in a race condition when activities where switched rapidly
addressed rare unexpected termination caused by memory access
SHAND-5086: APatch rooting detection
Initial detection has been added for APatch rooting when a module is enabled.
SHAND-5092: Smali Library update
The internal app parsing tool was replaced with the official Google version, adding support for Dex version 40.
SHAND-5108: Native Library Declaration update
Description: If the Shielding Tool was used to remove unsupported native libraries from a feature module in an app-bundle, bundletool build-apks (or bundletool validate) failed to handle the input app bundle.
Status: This issue has been fixed.
SHAND-5123: False positives for rooting and unlocked bootloader detection
Description: An aggressive bootlader state heuristic triggered false positives for rooting and unlocked bootloader detection.
Status: This issue has been fixed.
SHAND-5141: False rooting positives on GrapheneOS
Description: On GrapheneOS, a self-signed boot state triggered false rooting positives.
Status: This issue has been fixed.
SHAND-5143: Unblocking trusted screen reader issue
Description: An issue occurred with unblocking a trusted screen reader (e.g. TalkBack) when blockUntrustedScreenreaders was set, and the screen reader was enabled while the protected app was running.
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Methods to block screenshots also block screen mirroring tools
Description:The methods used to block screenshots also block some screen mirroring tools. However, the scrcpy tool is only blocked on Android 12 and later. On Android 15, this option also blocks partial screen sharing.
Bypassing App Shielding protection in Cordova-based applications
Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:
It is not longer protected with App Shielding.
It is signed with a different developer certificate.
Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.
OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.
NFC payment failure in shielded apps with Thales Gemalto SDK
Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.
Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within theThales Gemalto SDK.
It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not able to reliably detect a rooted device with Magisk Hide depending on the version of these tools.