- 28 Oct 2024
- 4 Minutes to read
- DarkLight
Version 7.0.1 (September 2024)
- Updated on 28 Oct 2024
- 4 Minutes to read
- DarkLight
Introduction
Welcome to Mobile Application Shielding 7.0.1!
The OneSpan Customer Portal only accepts connections via TLS 1.2 or later. Earlier versions are no longer supported because all versions of the TLS protocol prior to 1.2 have been deprecated.
This is a release of Mobile Application Shielding with issue fixes. For information about configuring and using Mobile Application Shielding, see Mobile Application Shielding Integration Guide.
On the OneSpan Customer Portal, the last 12 versions of Mobile Application Shielding are available for download. To maintain protection against the latest mobile threats, ensure to update Mobile Application Shielding to the latest version!
Supported platform versions
iOS 12.0 – iOS/iPadOS 18
With the end of support for iOS 9.0, support for 32-bit architectures also ended.
Shielding Tool:
Windows 10: 64-bit Java 17
Mac OSX (10.15+)
The Shielding Tool requires a macOS system to sign applications.
Ubuntu Linux 20.04 LTS or 22.04
Xcode 14.2 and later. We recommend using the latest Xcode version.
iOS platform updates
App Shielding version 7.0.1 is compatible with iOS/iPadOS 18.
As of March 1, 2024, App Shielding for iOS version 4.3.8.69424 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/ or the OneSpan Mobile Portal.
Platform minimum supported version
The minimum supported version is iOS 12. App Shielding no longer supports iOS 11.
Xcode
As of Xcode 14, Apple has deprecated bitcode.
As of App Shielding version 6.0.0, the Shielding Tool no longer supports bitcode-based code obfuscation!
Deprecated configuration options
A new way to protect against screenshots, screen recording, and screen mirroring has been implemented with the options Block external screens and Block screenshots. These options replace the old methods of screen protection. Accordingly, the the following options have been removed:
Exit on user screenshot
Exit on user screenshot URL
Prevent system screenshot
Prevent system schreenshot only in background
Prevent system screenshot bg color
Prevent system screenshot image path
Prevent system screenshot blur strength
Exit on screen recording
Exit on screen recording URL
Deprecated API
As of App Shielding version 6.5.0, the ShieldCallback API has been deprecated and will be removed in a future version. This API has been replaced with the new PRMShieldEventManager and PRMShieldEventDelegate protocols that have been integrated into the ShieldSDK callback APIs.
Removal of deprecated configuration option
The runtimeLibraryInjectionPreventionMode configuration option, deprecated as of App Shielding version 6.0.0 has been removed in this version of App Shielding.
New features and other updates
Support for iOS / iPadOS 18 and Xcode 16
App Shielding now supports iOS/iPadOS 18 and Xcode 16.
New options to protect against screenshots
Implemented a new way to protect against screenshots, screen recording, and screen mirroring. To enable this feature, enable the following configuration options:
Block screenshots
Block external screens
By default, Block external screens is enabled, and Block screenshots is disabled. These options replace the old methods of screen protection which have been removed. For more information, see Deprecations.
The Shielding Tool will throw an error and abort the shielding process if an obsolete option is used.
Fixes and other changes
App terminates unexpectedly on iOS 18
Description: App Shielding 6.6.1 works on iOS 18 with a limitation: if your application is built with Xcode 16 and shielded with App Shielding 6.6.1 or earlier, the application terminates unexpectedly on devices running on iOS 18.
Status: This issue has been fixed. To implement this fix, upgrade to App Shielding 7.0.1, or build your application with Xcode 15.x.
SHIOS-2439: Removed Runtime library injection prevention mode
The deprecated configuration option Runtime library injection prevention mode has now been removed.
SHIOS-3051: Reinstated Exit on debugger URL option
The configuration option Exit on debugger URL has been reinstated and is thus no longer deprecated.
RASP-4321 (Support case INC0013895): Updated iOS sample
The samples included in the App Shielding package for the iOS implementation have been updated to include the revised method for the screenrecording callback. This is the case for both Objective-C and Swift.
Updated method: screenRecordingStatus
The screenRecordingStatusChanged method has been deprecated and removed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Bypassing App Shielding protection in Cordova-based applications
Description: Because of the nature of pure Javascript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all Javascript files from a shielded application and build a new Cordova-based application with the extracted Javascript files. That new application will behave identical to the original one but has two major differences:
It is not longer protected with App Shielding.
It is signed with a different developer certificate.
Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It cannot be avoided that a new application like this is built that looks and behaves similar to the original application.
OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.
Xcode marks ShieldSDK.xcframework package as not signed/verified
Xcode marks the ShieldSDK.xcframework package as not signed or verified and might move it to quarantine mode. If Xcode displays a message like ShieldSDK.xcframework cannot be opened..., follow these steps to resolve it:
Select Cancel.
Open the macOS System Settings.
Navigate to Privacy & Security.
Scroll down to the security warning and select Allow Anyway.
This will be fixed as soon as possible.
External screen block
Blocking external screens (e.g. AirPlay) is currently not working for apps that use UISceneDelegate in iOS 13 and later.