Home Articles Community Products Premium Products GitHub Talsec Website

Malware Detection Configuration

PreviousRequirements NextDetection Handling

Last updated 4 months ago

Malware Detection Configuration

Malware detection is an integral part of the freeRASP SDK and is configured using the same TalsecConfig object. Malware configuration in TalsecConfig allows you to customize the behavior of the malware detection feature.

To enable malware detection, extend the configuration used during the initial integration of the SDK:

// Android uses Builder pattern for configuration

TalsecConfig config = new TalsecConfig.Builder(context.getPackageName(), new String[] {CERTIFICATE_HASH})
        .blacklistedPackageNames(new String[]{"com.example.app"})
        .blacklistedHashes(new String[]{"exampleHash"})
        .suspiciousPermissions(new String[][]{{"android.permission.READ_CONTACTS"}, {"android.permission.SEND_SMS"}})
        .whitelistedInstallationSources(new String[]{"com.android.vending"})
        .build();

// Flutter uses nested malware configuration object (malwareConfig)

final config = TalsecConfig(
  androidConfig: AndroidConfig(
    /* other config parameters */
    // Malware Detection configuration object
    malwareConfig: MalwareConfig(
      blacklistedPackageNames: ['com.example.app'],
      blacklistedHashes: ['exampleHash'],
      suspiciousPermissions: [
        ['android.permission.CAMERA'],
        ['android.permission.READ_SMS', 'android.permission.READ_CONTACTS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    ),
  ),
  iosConfig: IOSConfig(/* other config parameters */),
  watcherMail: 'your_mail@example.com',
  isProd: true,
);

// React Native uses nested malware configuration object (malwareConfig)  

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

// Cordova uses nested malware configuration object (malwareConfig)  

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

// Capacitor uses nested malware configuration object (malwareConfig)   

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

It includes the following fields:

A list of package names , any app with a package name in this list will trigger a detection.
A list of APK hashes, which will trigger a detection. These hashes typically represent known malicious app versions.
A list of permissions that, if granted to another app, trigger a detection. You can specify single permissions or groups of permissions that, if requested together, are flagged as suspicious.
A list of trusted sources from which apps can be installed.

PreviousRequirements NextDetection Handling

Last updated 4 months ago

To enable malware detection, extend the configuration used during the initial integration of the SDK:

// Android uses Builder pattern for configuration

TalsecConfig config = new TalsecConfig.Builder(context.getPackageName(), new String[] {CERTIFICATE_HASH})
        .blacklistedPackageNames(new String[]{"com.example.app"})
        .blacklistedHashes(new String[]{"exampleHash"})
        .suspiciousPermissions(new String[][]{{"android.permission.READ_CONTACTS"}, {"android.permission.SEND_SMS"}})
        .whitelistedInstallationSources(new String[]{"com.android.vending"})
        .build();

// Flutter uses nested malware configuration object (malwareConfig)

final config = TalsecConfig(
  androidConfig: AndroidConfig(
    /* other config parameters */
    // Malware Detection configuration object
    malwareConfig: MalwareConfig(
      blacklistedPackageNames: ['com.example.app'],
      blacklistedHashes: ['exampleHash'],
      suspiciousPermissions: [
        ['android.permission.CAMERA'],
        ['android.permission.READ_SMS', 'android.permission.READ_CONTACTS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    ),
  ),
  iosConfig: IOSConfig(/* other config parameters */),
  watcherMail: 'your_mail@example.com',
  isProd: true,
);

// React Native uses nested malware configuration object (malwareConfig)  

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

// Cordova uses nested malware configuration object (malwareConfig)  

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

// Capacitor uses nested malware configuration object (malwareConfig)   

const config = {
  androidConfig: {
    ...
    malwareConfig: {
      blacklistedHashes: ['exampleHash'],
      blacklistedPackageNames: ['com.example.app'],
      suspiciousPermissions: [
        ['android.permission.BLUETOOTH', 'android.permission.INTERNET'],
        ['android.permission.BATTERY_STATS'],
      ],
      whitelistedInstallationSources: ['com.android.vending'],
    },
  }
}

It includes the following fields:

A list of package names , any app with a package name in this list will trigger a detection.
A list of APK hashes, which will trigger a detection. These hashes typically represent known malicious app versions.
A list of permissions that, if granted to another app, trigger a detection. You can specify single permissions or groups of permissions that, if requested together, are flagged as suspicious.
A list of trusted sources from which apps can be installed.