🦉 FAQ

This page is intended to provide quick answers to common questions.

How to determine the correct value for the supportedStores parameter?

Each supported alternative store is identified by its package name, so you need to find the package name of the application that installs your application. For example, these are the package names of some known alternative stores:

  • com.xiaomi.mipicks

  • com.vivo.appstore

  • com.heytap.market

Some services also distribute applications through the package installer, e.g. the App Center uses com.google.android.packageinstaller or com.android.packageinstaller.

See Detecting unofficial installation for more information.
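One way to find that package name, shown here as an added example rather than code from the freeRASP project: on a device that received your app from the store in question, `adb shell pm list packages -i` prints the installer recorded for each package. The app package names and the sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive a supportedStores entry from `pm list packages -i` output.

# Constructed sample of `adb shell pm list packages -i` output (not from a real device).
SAMPLE_PM_OUTPUT='package:com.example.notes  installer=com.android.vending
package:com.example.shop  installer=com.xiaomi.mipicks
package:com.example.shop.beta  installer=com.android.packageinstaller
package:com.example.sideloaded  installer=null'

# installer_of PKG: read `pm list packages -i` lines on stdin and print the
# installer recorded for exactly PKG (prints nothing if PKG is not listed).
# Matching is exact, so com.example.shop does not pick up com.example.shop.beta.
installer_of() {
    awk -v pkg="$1" '
        {
            sub(/\r$/, "")                 # adb output may carry CR line endings
            name = $1; sub(/^package:/, "", name)
            if (name != pkg) next
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { sub(/^installer=/, "", $i); print $i; exit }
        }'
}

# store_entry PKG: print the value to list in supportedStores, or fail when the
# app has no installer of record (e.g. it was installed with `adb install`).
store_entry() {
    inst=$(installer_of "$1")
    case "$inst" in
        ""|null) echo "no installer recorded for $1" >&2; return 1 ;;
        *) printf '%s\n' "$inst" ;;
    esac
}

# On a real device:
#   adb shell pm list packages -i | store_entry com.example.shop
```

A result of `null` means the build was sideloaded, so install it from the target store before reading the value.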

How does the watcherMail parameter work?

When you put a mail address into the watcherMail parameter in TalsecConfig, Talsec registers this mail address and sends regular (weekly) security reports describing the application's security state and the characteristics of the devices it runs on, e.g. how many devices are rooted or whether your application has been tampered with. See the Security Report chapter for more details.

What is the difference between the Dev and Release versions?

The Dev version is used to simplify the development process of the application, e.g. if you implement killing the application in the debugger callback. It disables the following checks, so they won't be triggered during the development process:

  • Emulator

  • Debugging

  • Tampering

  • Unofficial store

  • Obfuscation Issues

  • Developer Mode

If you want to use the Dev version to disable checks, you need to set the isProd parameter to false in the TalsecConfig object instance. By default, the isProd parameter is set to true.

How do I test callbacks to verify their functionality?

The easiest way to produce an incident (trigger a local check and create a record in the security report) is to install a release build on an emulator (e.g. the Android Emulator that comes with Android Studio). Both the app and freeRASP must be in release mode. You can also use a rooted Android device/emulator, in which case you can create an incident event in debug mode.

NB: Debugging detection is disabled in debug mode to prevent false positives.

Are there different types of checks performed by freeRASP?

Internally, there are two types of checks:

  • one-time checks,

  • periodic checks.

One-time checks are executed only once, when the app is launched and wasn't already running in the background.

Periodic checks are performed regularly, at defined intervals (e.g. every X seconds or minutes).

Can the order of threat detection be configured in freeRASP?

Currently, there is no way to set the order of threat detection for freeRASP. The checks are performed asynchronously on Android and synchronously on iOS. If a check fails, the corresponding callback is executed.

What steps should I take when I'm upgrading from a previous version (<5.0.0) of freeRASP on Flutter?

There are a few steps to take when you want to do this. You need to remove the old TalsecRuntime.xcframework and integration script from your project:

  • Go to your project's ios folder.

  • Open Runner.xcworkspace in Xcode.

  • On the top bar select Product -> Scheme -> Edit Scheme....

  • On the left side select Build -> Pre-actions.

  • Find the integration script and click the trash icon on the right side to remove it.

  • Open the .flutter-plugins file (in the root folder of the app) and get the path where freeRASP is installed.

  • Go to the given folder, and remove the freerasp folder file.

  • Delete the .symlinks folder from the project.

  • Run pub get.

  • Run pod install to test it.

What happens if I use the free version of freeRASP and my application is downloaded more than 100k times?

The Fair Usage Policy applies if a customer’s app using freeRASP exceeds 100k downloads. This means that we count the total number of downloads (multiple downloads or updates from a single device are considered as one download).

If 100k downloads are exceeded, it means that you are violating the Fair Usage Policy. Currently, we are not enforcing strong limitations. Only:

  • we may use the app name in our PR communications

  • the consolidated app security report can be stopped

This list of limitations is subject to change, and we plan to introduce additional requirements to be fulfilled over 100k downloads (like mentioning "Protected by freeRASP"). If these requirements are not fulfilled, the license for usage can be formally revoked.

Generally, we recommend upgrading to a Business RASP+ subscription once the app exceeds 100k downloads.

How does integrating freeRASP affect the size of the APK?

In our experience, integrating freeRASP typically results in a modest increase of around 10 MB in the APK size, as seen in the example app in the freeRASP project.

Does it cause performance issues if I put callbacks in multiple classes?

Putting callbacks into multiple classes shouldn't cause any performance issues. While the general idea of spreading checks across the codebase is valid, you won't gain much, as an attacker can still circumvent the duplicated sections.

Thank you for reading the freeRASP FAQ. If you didn't find the answer to your question, please do not hesitate to create a GitHub issue on the respective repository (preferably) or email support@talsec.atlassian.net.
