This page is intended to provide quick answers to common questions.
Is freeRASP right for your app?
freeRASP is our community-driven security solution, ideal for early-stage development and low-risk applications. While it provides a solid foundation for mobile app protection, it’s best suited for environments where regulatory compliance and advanced protections are not critical.
Please take into account that:
freeRASP includes experimental capabilities and contributes to our continuous research, product improvement, and data insights.
It offers effective baseline protection for low-risk environments.
For applications requiring enhanced protection, compliance assurance, or long-term support, RASP+ offers extended capabilities and SLA-backed support.
To learn more about acceptable use and limitations, please refer to our .
How to determine the correct value for the supportedStores parameter?
The name of a wanted supported alternative store is in the form of its package name. You need to find out the package name of the application, which installs your application. For example, these are some package names of known alternative stores:
com.xiaomi.mipicks
com.vivo.appstore
com.heytap.market
There are also some services, which use package installer for distribution of the application, e.g. the App Center uses com.google.android.packageinstaller or com.android.packageinstaller.
When you put a mail address into the watcherMail parameter in TalsecConfig. Talsec registers this mail address and sends regular (weekly) security reports describing the application's security state and the characteristics of the devices it runs on, e.g. how many devices are rooted or if your application has been tampered with. See theSecurity Reportchapter for more details.
What is the difference between the Dev and Release versions?
The Dev version is used to simplify the development process of the application, e.g. if you would implement killing of the application on the debugger callback. It disables some checks which won't be triggered during the development process:
Emulator
Debugging
Tampering
Unofficial store
Obfuscation Issues
Developer Mode
If you want to use the Dev version to disable checks, you need to set isProd parameter to false in TalsecConfig object instance. By default, the isProd parameter is set to true.
How do I test callbacks to verify their functionality?
The easiest way how to produce an incident (trigger local check and create a record in the security report) is to install a release build on an emulator (e.g., Android Emulator, that comes with Android Studio). Both the app and freeRASP must be in release mode. You can also use a rooted Android device/emulator, in which case you create an incident event in debug mode.
NB: Debugging detection is disabled in debug mode to prevent false positives.
Are there different types of checks performed by freeRASP?
Internally, there are two types of checks:
one-time checks,
periodic checks.
One-time checks are executed only once when the app is launched and wasn't running in the background.
Periodic checks are performed regularly, at defined intervals (e.g. every X seconds or minutes).
Can the order of threat detection be configured in freeRASP?
Currently, there is no way to set the order of threat detection for freeRASP. The checks are performed asynchronously on Android and synchronously on iOS. If a check fails, the corresponding callback is executed.
What steps should I take when I'm upgrading from a previous version (<5.0.0) of freeRASP on Flutter?
There are a few steps to take when you want to do this. You need to remove the old TalsecRuntime.xcframework and integration script from your project:
Go to your project's ios folder.
Open Runner.xcworkspace in Xcode.
On the top bar select Product -> Scheme -> Edit Scheme....
On the left side select Build -> Pre-actions.
Find the integration script and click the trash icon on the right side to remove it.
Open the .flutter-plugins (in the root folder of the app), and get the address where the freeRASP is installed.
Go to the given folder, and remove the freerasp folder file.
Delete .symlinks folder from project.
Run pub get.
Run pod install to test it.
What happens if I use the free version of freeRASP and my application is downloaded more than 100k times?
The Fair Usage Policy applies if a customer’s app using freeRASP exceeds 100k downloads. This means that we count the total number of downloads (multiple downloads or updates from a single device are considered as one download).
we may use the app name in our PR communications
app security consolidated report can be stopped
This list of limitations is subject to change, and we plan to introduce additional requirements to be fulfilled over 100k downloads (like mentioning "Protected by freeRASP"). If these requirements are not fulfilled, the license for usage can be formally revoked.
How does integrating freeRASP affect the size of the APK?
In our experience, integrating freeRASP typically results in a more modest increase of around 10 MB in the APK size, as seen in the example app in the freeRASP project.
Does it cause performance issues if I put callbacks in multiple classes?
Putting callbacks into multiple classes shouldn't cause any performance issues, but while the general idea of dissolving checks all over the codebase is valid, you won't get many advantages, as an attacker can still circumvent duplicate sections.
Why the callbacks are not received immediately when coming from background?
Due to inevitable performance impact, freeRASP cannot perform security scans all the time, which means it can take some time to detect specific threats.
On the other hand, freeRASP performs specific checks like adbEnabled periodically. This periodicity interval is randomized, but no longer than four minutes and as of now it is not configurable. This approach helps keep your app responsive while still ensuring threat detection, though with a slight delay.
The only moment you are guaranteed all the detection will be triggered is just after the app launch. If, for example, ADB gets enabled after the app has started, you’ll need to wait for the next scan cycle to complete. Once that happens, the check will run again, and the callback will be triggered.
With Talsec, we offer additional solutions to help overcome this limitation:
If 100k downloads are exceeded, it means that you are violating the . Currently, we are not enforcing strong limitations. Only:
Generally, we recommend upgrading to a subscription over the 100k App downloads.
RASP+
RASP+ allows you to customize the detection interval in your own SDK build to better match your requirements. We’re also working on a dynamic interval management feature, which will give you even more control over how frequently each check runs. Additionally, RASP+ includes built-in threat responses, so you won’t have to wait for callbacks to react to detections.
For more details on the differences between freeRASP and RASP+, check out our GitBook:
AppiCrypt
AppiCrypt secures communication between your app and backend. It includes the results of the Talsec security audit, which you can verify server-side. This way, you can confirm that the device sending the request has passed the security checks before proceeding with further communication. Learn more about AppiCrypt here: .
Thank you for reading the freeRASP FAQ. If you didn't find the answer to your question, please do not hesitate to on the respective repository (preferably) or email support@talsec.atlassian.net.
