Release Notes Mobile Application Shielding for Android Version 8.2.1 (December 2025)

On the Configuration page of the OneSpan Mobile Portal, you can now enable the Advanced Configuration mode. This allows you to toggle advanced detectors for specific security evasion tools. When disabled, the system applies a default configuration that minimizes false positives while maintaining robust security. Enabling specific detectors may affect app performance or increase the likelihood of false positives.

The following detectors are available:

• APatch Root detector

  Enabled by default. Increases the likelihood of false positives on non-rooted devices.

• TrickyStore detector

  Disabled by default. Identifies certain versions of the TrickyStore bypass tool (version <1.4.0) that is used to circumvent security checks.

• Strict hardware-backed Keystore detector

  Disabled by default. Only effective on Google or OnePlus, and may cause issues on non-Google certified devices and/or older devices.

Only enable the Advanced Configuration mode when instructed by the OneSpan Support team, as improper use may affect app stability.

OneSpan Jigsaw version 1.27 adds the "sectionRules" option to the "stripping" configuration. This allows you to control which ELF section headers to remove. For example:

"stripping": {
                "enabled": true,
                "sectionHeaders": true,
                "sectionRules": [ "*", "!.note*" ]
                }

To implement this premium feature in your integration, you need a license for OneSpan Code Obfuscation. For information how to obtain this, please contact your sales representative. For more information about the feature, see the product documentation (valid license required to access the documents).

With the launch of the new Premium feature, OneSpan Code Obfuscation for Native and JavaScript, the existing standard obfuscation configuration option was renamed to Obfuscation for DEX Bytecode on the OneSpan Mobile Portal, with the following changes:

• “Obfuscation & Rules” was changed to Obfuscation for DEX Bytecode

• “Obfuscate with Default rules” with the "Enable" checkbox were changed to Rules with a Default radio button, and

• the "Rules.cfg" field was changed to a Custom radio button with the Custom rules configuration field to customize the obfuscation settings via rules

The functionality of this feature has not changed, only the option has been renamed to avoid confusion with the new obfuscation feature. If you upgrade to a newer App Shielding version, your previous obfuscation rules configuration will be applied.

Description: Conflicting security checks for the payment SDK compatibility layer were not being disabled.

Status: This issue has been fixed.

• Improved the validation of checksumming configurations to prevent conflicting configurations.

• Updated the section header table stripping for ELF binaries to not strip the Android Build ID. This improves compatibility with crash reporting tools like BugSnag.

• Fixed an unexpected termination that sometimes occurred on arm64 binaries.

Description: The payment SDK compatibility layer has been improved with better performance and wider support for other security solutions.

The compatibility layer was introduced in App Shielding for Android 7.x, allowing the debugger detection in some payment SDKs to work together with the native App Shielding debugger protection. This feature can be enabled on request.

Description: The reliability of native code hook detection has been improved.

Description: Rooting detection has been improved.

Description: Support for security evasion tools has been added.

This feature is experimental and requires coordination with OneSpan Support.

Description: A rooting callback was not triggered if the callback observer attached after the initial rooting check.

Status: This issue has been fixed.

Description: Sometimes, a screen mirroring false positive occurred on foldable devices, where a secondary inactive screen was incorrectly detected as mirroring the first screen.

Status: This issue has been fixed.

Description: A repackaging false positive occurred after the user was prompted to update the app through Google Play.

Status: This issue has been fixed.

Description: An unexpected termination occurred on certain devices when App Shielding attempted to install hooks.

Status: This issue has been fixed.

Description: An unexpected termination could occur when the binding cache freed pull bindings.

Status: This issue has been fixed.

Description: An unexpected runtime termination could occur if the Shielding Tool integrator protected an app that had an empty DEX file.

Status: This issue has been fixed.

Description: The methods used to block screenshots also block some screen mirroring tools. However, the scrcpy tool is only blocked on Android 12 and later. On Android 15, this option also blocks partial screen sharing.

Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:

1. It is no longer protected with App Shielding.

2. It is signed with a different developer certificate.

Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.

OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.

Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.

Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within theThales Gemalto SDK.

It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!

Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.

On Android 8+, App Shielding may not able to reliably detect a rooted device with Magisk Hide depending on the version of these tools.