# freeRASP for Kotlin Multiplaform Guide

Today, freeRASP is getting a new family member: a Kotlin Multiplatform (KMP) variant that lets you add runtime app protection to your shared Kotlin code and ship secure apps to both Android and iOS from a single codebase. Teams using KMP can now reuse the same security logic alongside business logic, without duplicating integrations or maintaining separate SDK wiring per platform.​

{% hint style="success" %}
**TL;DR:** Edit 6 project files plus add 2 framework folders; jump to full integration guide now: 

<a href="https://docs.talsec.app/freerasp/integration/kotlin-multiplatform" class="button secondary" data-icon="hand-back-point-right">Go to full KMP  guide</a>
{% endhint %}

### freeRASP for Kotlin Multiplatform

freeRASP itself is a lightweight mobile security library designed to detect common runtime threats such as rooting, jailbreaking, repackaging, reverse engineering, and emulator abuse. It connects to the Talsec Portal, providing real-time analytics and detailed security reports on detected risks. With the freeRASP for KMP variant, these protections are seamlessly integrated directly into the shared Kotlin module via a unified common API. This API intelligently abstracts over native Talsec components to execute platform-appropriate, low-level security checks.

The KMP variant is specifically designed for typical mobile KMP setups that target both Android and iOS. It utilizes the standard hierarchical source set structure (commonMain, androidMain, iosMain). This approach ensures that security logic is co-located efficiently with shared business logic while still allowing for necessary platform-specific configuration and customization when required.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FgNAx3wyivu6FJWPTLnde%2FKMP.png?alt=media&#x26;token=1489f4d7-70d1-4eed-a437-88fddd521562" alt=""><figcaption></figcaption></figure>

### Capabilities available in freeRASP for KMP

The KMP variant brings the same core detection categories that developers know from existing freeRASP integrations: ​

* Rooted or jailbroken devices, including popular tools such as Magisk and Dopamine
* Reverse engineering attempts and runtime hooking frameworks (for example, Frida or Xposed)
* Tampering or repackaging and installation from untrusted sources
* Emulators, app clones, multi‑instancing, screenshots, and screen recording attempts

You can react to these events through callbacks and monitor them later in the [Talsec Portal](http://my.talsec.app). The solution is designed to have minimal impact on app performance and to support [OWASP MASVS RESILIENCE](https://mas.owasp.org/MASVS/11-MASVS-RESILIENCE/#malware-and-testing-perspective) requirements out of the box.​

{% hint style="success" %}
Check out freeRASP homepage for more information: <https://docs.talsec.app/freerasp>
{% endhint %}

### Integration flow at a glance

```
[YourProjectName]/
├───build.gradle.kts                 
├───settings.gradle.kts              <-- Step 1: Add Dependency Repositories
├───gradle.properties            
├───gradle/
│   └───libs.versions.toml       
├───composeApp/      
│   ├───build.gradle.kts             <-- Step 1: Add Dependencies & Obfuscation
│   └───src/
│       ├───commonMain/          
│       │   └───kotlin/              <-- Step 3: Create SecurityManager.kt
│       ├───androidMain/         
│       │   ├───kotlin/
│       │   └───AndroidManifest.xml  <-- Step 2: Add Android Permissions
│       └───iosMain/             
│           └───kotlin/
└───iosApp/                  
    ├───iosApp.xcodeproj/            <-- Step 2: Link Frameworks in Xcode
    ├───iosApp/                  
    │   ├───ContentView.swift    
    │   └───iOSApp.swift         
    ├───TalsecBridge.xcframework/    <-- Step 2: Native iOS dependency
    └───TalsecRuntime.xcframework/   <-- Step 2: Native iOS dependency
```

1. **Add the freeRASP KMP dependency**
2. **Create configuration in shared code**
3. **Register callbacks for security events**

Implement callback handlers to react to detection events, for example by logging, displaying warnings, or triggering additional server‑side checks, using the common API exposed by the KMP library. Because callbacks live in shared code, behavior stays consistent across platforms.​

4. **Initialize freeRASP on startup**

From your platform‑specific entry points (for example, Android Application class and iOS App delegate or equivalent), call into shared code to initialize freeRASP with the configuration. This ensures the SDK starts early enough to observe the full app lifecycle.​

### Ideal use cases

The KMP variant fits several common scenarios especially well:​

* **Greenfield KMP apps** that want to ship secure Android and iOS builds **from day one**.
* Existing Android apps adopting a **shared KMP module** and planning to add an iOS client later
* Teams that already use freeRASP on one platform and want to consolidate security into shared Kotlin code

By keeping security logic close to shared domain logic, teams can better enforce consistent policies across platforms and simplify maintenance.​

### Roadmap and compatibility

freeRASP has a **long-standing track record** of protecting production apps on both Android and iOS, including through many OS, device, and ecosystem changes. The new Kotlin Multiplatform variant builds on this foundation, so teams can expect the same **stability and compatibility** when sharing security logic across platforms.​

The SDK evolves continuously to **keep pace with fresh reverse-engineering tactics**, **new jailbreak and root approaches**, and other **emerging attack techniques**, with updates captured in regular releases. The KMP library follows the same versioning and publishing conventions as the existing freeRASP SDKs, which keeps dependency management and CI/CD workflows predictable for engineering teams.​

For a concrete view of how the product evolves over time, including new detections, improvements, and fixes, you can review the full history in the freeRASP “**What’s New and Changelog**” page at <https://docs.talsec.app/freerasp/whats-new-and-changelog>.​

### Get started

To start using freeRASP for Kotlin Multiplatform today:

* **Follow the step‑by‑step integration** [**guide for KMP**](https://docs.talsec.app/freerasp/integration/kotlin-multiplatform)
* Explore the [Talsec Portal](http://my.talsec.app) to see how detected threats appear in dashboards, reports, and benchmarks
* Share feedback or issues via Github Issues

*Happy coding, Talsec Team* 💙

{% hint style="success" %}
Handle App Security with a Single Solution! Check Out Talsec's Premium Offer & Plan Comparison!<br>

#### Apps Security Threats Report 2025

<https://www.talsec.app/talsec-global-threat-report-2025>

#### Plans Comparison

<https://www.talsec.app/plans-comparison>

#### &#x20;Premium Products:

* [RASP+](https://app.gitbook.com/s/xFHPMAbn16uoDyOtoiaC/product/rasp) - An advanced security SDK that actively shields your app from reverse engineering, tampering, rooting/jailbreaking, and runtime attacks like hooking or debugging.
* [AppiCrypt](https://docs.talsec.app/premium-products/product/appicrypt) (Android & iOS) & [AppiCrypt for Web](https://app.gitbook.com/s/xFHPMAbn16uoDyOtoiaC/product/appicryptweb) - A backend defense system that verifies the integrity of the calling app and device to block bots, scripts, and unauthorized clients from accessing your API.
* [Malware Detection](https://docs.talsec.app/premium-products/product/malware-detection) - Scans the user's device for known malicious packages, suspicious "clones," and risky permissions to prevent fraud and data theft.
* [Dynamic TLS Pinning](https://docs.talsec.app/premium-products/product/app-hardening#about-dynamic-tls-pinning) - Prevents Man-in-the-Middle (MitM) attacks by validating server certificates that can be updated remotely without needing to publish a new app version.
* [Secret Vault](https://docs.talsec.app/premium-products/product/app-hardening#about-secret-vault) - A secure storage solution that encrypts and obfuscates sensitive data (like API keys or tokens) to prevent them from being extracted during reverse engineering.
  {% endhint %}