Login
    Contents x
    Version 6.6.0 (July 2024)
    • 28 Oct 2024
    • 4 Minutes to read
    • Dark
      Light
    Contents

    Version 6.6.0 (July 2024)

    • Updated on 28 Oct 2024
    • 4 Minutes to read
    • Dark
      Light
    Article summary

    Supported platform versions

    • App Shielding version 6.6.0 was successfully tested with Android 15.

    • Android 5.0 (API level 21) – Android 15.

    • Shielding Tool:

      • Windows 10: 64-bit Java 17

      • Mac OSX (10.9+)

      • Ubuntu Linux 20.04 LTS or 22.04 LTS

    • The App Shielding Gradle plugin version 2.0 and later is supported.

      The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.

      The plugin and documentation can be downloaded from:

    Android platform updates

    The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.

    As of March 1, 2024, App Shielding for Android version 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.

    Deprecations

    Platform minimum supported versions

    Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).

    Android Native Development Kit (NDK)

    Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).

    App Shielding switches to NDK r26 after its release as LTS version.

    New features and other updates

    Support for Android 15 (and 16KB page sizes)

    App Shielding now supports Android 15. If you want your protected app to run on Android 15, you must upgrade to this version of App Shielding. Beginning with version 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes.

    For more details, see https://developer.android.com/guide/practices/page-sizes.

    Security improvements

    Improved detection for Frida, FjordPhantom, and native code hooking has been implemented in App Shielding.

    Improved repackaging detection

    Improved repackaging detection has been implemented in App Shielding. (SHAND-4182).

    Improved emulated input detection

    Emulated input detection was improved to avoid false positives. For more information, see the entry for Check Emulated Input in the Configuration Options section of the Mobile Application Shielding Integration Guide. (SHAND-4298, SHAND-4256)

    Improved emulator detection

    Detection for the Redfinger Cloud Emulator has been implemented. (SHAND-4301)

    Fixes and other changes

    SHAND-4233: Forward Intent Data with ShieldSDK-activity-guard on Android 11 and newer

    Description: When an application was compiled with the ShieldSDK-activity-guard package, and the application was launched with an Intent that contained additional Intent Data, the Intent Data might not have been forwarded to the application.

    Status: This issue has now been fixed for Android 11 and later, though it might still cause issues on Android 10 and earlier.

    Known limitations

    The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.

    Bypassing App Shielding protection in Cordova-based applications

    Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:

    1. It is not longer protected with App Shielding.

    2. It is signed with a different developer certificate.

    Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.

    OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.

    NFC payment failure in shielded apps with Thales Gemalto SDK

    Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.

    Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within theThales Gemalto SDK.

    It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!

    Magisk and root hider tools on new Android versions

    Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.

    On Android 8+, App Shielding may not able to reliably detect a rooted device with Magisk Hide depending on the version of these tools.

    Android App Bundles

    The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.

    SecureEditText in-app keyboard

    The SecureEditText in-app keyboard has focus problems on dialog windows on tablet devices.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, our interactive help assistant