Enhancing Capacitor App Security with freeRASP: Your Shield Against Threats 🛡️
Last updated 5 months ago

In an increasingly interconnected world, the need for robust application security has never been more critical. Capacitor, with its remarkable ability to build cross-platform apps using web technologies, empowers developers to create stunning applications with ease. However, as the capabilities of our apps grow, so does the importance of safeguarding them against a myriad of potential threats.

With a native runtime such as Capacitor, it is fairly easy to turn any web app into a native app for both Android and iOS. You can quickly use the native APIs and access common device functionality, which is awesome, but at the same time it adds another level of complexity: when you access native APIs, you are exposing yourself to native security issues as well. And trust me, you don’t want to underestimate these challenges.

As a practical example, consider one of the most common security concerns: reverse engineering. Mobile apps are typically distributed in formats like APK (for Android), AAB (Android App Bundles), or IPA (for iOS). These distribution files contain bundled JavaScript code essential for the application’s functionality.

Successful attacks like these may lead to loss of revenue, exposure of sensitive data, damage to the brand and reputation or leaked intellectual property. And that’s where we want to help you.

What is freeRASP?

Talsec freeRASP is a freemium mobile security SDK designed to make app protection straightforward and accessible. It offers robust protection against a range of threats and is supported on both Android and iOS platforms. freeRASP also provides customized modules for a number of multi-platform tools, now including Capacitor.

From a developer’s perspective, freeRASP acts as an additional protective layer, simplifying the handling of certain attack vectors. This allows you to focus on other critical aspects of your app while safeguarding your users. freeRASP can detect and inform you about various attack scenarios, including reverse engineering, repackaging, cloning attempts, and much more.

Join us as we explore how freeRASP integrates with Capacitor, helping you defend your apps against attacks and vulnerabilities, and ultimately, ensuring your users’ safety. Say hello to enhanced security and peace of mind for your Capacitor apps — let’s dive in.

Why Do You Need RASP?

Mobile app security is a complex challenge that goes beyond traditional security measures like encryption and certificate pinning. Attackers constantly seek vulnerabilities in your app that may not be immediately obvious. A single security breach can have severe consequences for your reputation and user trust.

The need for Runtime Application Self-Protection (RASP) solutions has grown significantly with the rise of mobile technologies. While there are several security libraries available, freeRASP stands out by offering comprehensive protection across various attack vectors.

Based on our experience, a selection of the most common attacks includes:

  • App repackaging and cloning

  • Re-publishing of tampered apps

  • Running the app in a compromised OS environment (rooted/jailbroken OS, runtime hooking of the app, emulators)

freeRASP is designed to detect and mitigate these types of attacks, providing an extra layer of defense against evolving threats.

Integrating freeRASP with Capacitor

Step 1: Install the Plugin

To get started, install the capacitor-freerasp plugin:

$ npm install capacitor-freerasp
$ npx cap sync

Step 2: Set Up Dependencies

For Android, ensure that your project’s minimum SDK level is set to 23. Update your variables.gradle file accordingly:

ext {
    minSdkVersion 23
    compileSdkVersion 33
    // ...
}

Step 3: Setup Configuration and Callbacks

Import freeRASP in your app’s entry point file:

import { startFreeRASP } from 'capacitor-freerasp';

Configure freeRASP by providing the necessary settings. You’ll need to specify configuration for both Android and iOS, as well as common configuration options. Here’s a sample configuration:

const config = {
  androidConfig: {
    packageName: 'com.yourapp.package',
    certificateHashes: ['yourSigningCertificateHashBase64'],
    supportedAlternativeStores: ['storeOne', 'storeTwo'],
  },
  iosConfig: {
    appBundleId: 'com.yourapp.bundle',
    appTeamId: 'yourTeamID',
  },
  watcherMail: 'yourEmailAddress@example.com',
  isProd: true,
};
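The callbacks that Step 3 refers to are what turn a detection into a response. The block below is an added example, not code from the article or from the capacitor-freerasp plugin: it builds the `actions` object that `startFreeRASP(config, actions)` expects, under the assumption that its keys are the plugin's threat names (taken from the plugin README at the time of writing; verify them against the current documentation) and that each value is a zero-argument callback. The kill/warn/log levels and the rule that nothing is killed in non-production builds are this example's own policy.

```javascript
// Added example, not the article's or the plugin's own code.
// Assumption: startFreeRASP(config, actions) takes an object keyed by threat
// name whose values are zero-argument callbacks; the names below follow the
// capacitor-freerasp README at the time of writing, so verify them against
// the current documentation before shipping.

// Response level per detection (this example's own policy):
// 'kill' ends the session, 'warn' reports and continues, 'log' only records.
const THREAT_POLICY = {
  appIntegrity: 'kill',        // repackaged / re-signed build
  hooks: 'kill',               // runtime instrumentation frameworks
  privilegedAccess: 'warn',    // rooted or jailbroken device
  debug: 'warn',               // debugger attached
  simulator: 'warn',           // emulator or simulator
  unofficialStore: 'warn',     // installed from an unlisted store
  deviceBinding: 'warn',       // app data moved to another device
  secureHardwareNotAvailable: 'log',
};

// Builds the actions object. In non-production builds (isProd false) a 'kill'
// is downgraded to 'warn' so developers can still test on rooted phones and
// emulators; every detection is reported either way.
function buildThreatActions(policy, { isProd, report, terminate }) {
  const actions = {};
  for (const [threat, level] of Object.entries(policy)) {
    actions[threat] = () => {
      const effective = level === 'kill' && !isProd ? 'warn' : level;
      const event = { threat, level: effective, at: new Date().toISOString() };
      report(event);                       // audit trail first, then react
      if (effective === 'kill') terminate(threat);
      return event;
    };
  }
  return actions;
}

// Wiring in the app entry point (commented out so this runs without the
// plugin; App.exitApp() comes from @capacitor/app and works on Android only):
// import { startFreeRASP } from 'capacitor-freerasp';
// import { App } from '@capacitor/app';
// const actions = buildThreatActions(THREAT_POLICY, {
//   isProd: config.isProd,
//   report: (e) => console.warn('[freeRASP]', JSON.stringify(e)),
//   terminate: () => App.exitApp(),
// });
// await startFreeRASP(config, actions);
```

Keep the `report` callback cheap and non-throwing: it runs inside the detection path, and a failure there would silence the very event you want recorded.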

Additional Note About Obfuscation

To enhance security, consider obfuscating your app’s code. Obfuscation makes it harder for attackers to reverse engineer your app and disrupt freeRASP’s operations. You can enable code minification and obfuscation for Android in your build.gradle file:

android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

Security Report

This weekly summary gives you insight into your app’s security state, including detected threats and device characteristics. By keeping an eye on these reports, you can address security issues proactively before they become severe and make your app even safer for users. If you are curious what such a report looks like, take a look at the screenshot below 👇.

Commercial Versions (RASP+ and More)

While freeRASP offers a robust free version, Talsec also provides commercial versions like RASP+ with advanced features and support. These versions offer additional protection, including API protection, App Integrity Cryptogram (AppiCrypt®), security hardening, and more.

RASP+ allows easy-to-implement API protection and App Integrity verification on the backend to prevent API abuse from:

  • Bruteforce attacks

  • Botnets

  • API abuse by App impersonation

  • Session hijacking

  • DDoS

It is a unified solution that works across all mobile platforms without dependency on external web services (i.e., without extra latency, an additional point of failure, and maintenance costs).

Finally, stay protected before it’s too late 😎

If you read through the whole article, thank you. Maybe now it’s time to check out freeRASP. It’s free, so there’s nothing to lose and who knows, maybe it will save you from a couple of sleepless nights.

We’d be happy to read your thoughts in the comments below 👇 or in one of our GitHub repos 📄.

Written by Tomas Psota, developer @ Talsec

Despite attempts to obfuscate the code through minification and adhering to industry standards like OWASP MASVS (Mobile Application Security Verification Standard), a person with the necessary knowledge can still extract your code with relative ease. There are even utilities like JSTool that can effectively reverse the minification and reveal the original code, potentially exposing sensitive keys and API calls. Afterwards, it’s all in the hands of the attacker.

Now, let’s dive into the process of integrating freeRASP with the Capacitor platform. You can always find the up-to-date integration manual, along with a detailed description of the configuration, in our GitHub Integration Guide.

Learn more about commercial features at talsec.app.