Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
See the most frequent issues occurring during integration.
The most frequent issues occurring during integration:
For more general issues or questions, visit FAQ page. You can also check out the Issues section of our GitHub repository, where you can report issues and view existing reports.
Description of the freeRASP API
TalsecConfigSpecifies configuration for your app. See the table below for a detailed description of the attributes.
expectedPackageName
String
Package name of the app.
"com.talsec.freerasp.demoapp"
expectedSigningCertificateHashBase64
Array<String>
arrayOf( "mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=")
watcherMail
String?
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
"john@example.com"
supportedAlternativeStores
Array<String>
arrayOf( "com.sec.android.app.samsungapps")
isProd
Boolean?
Defaults to true when undefined. If you want to use the Dev version to make the development process viable, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!. To simplify switching between debug and release version of freeRASP based on the build type, you can use BuildConfig.BUILD_TYPE.contains("Release", true) as a value for isProd.
true
public class ThreatListenerpublic ThreatListener(@NonNull ThreatDetected threatsCallback, @Nullable DeviceState deviceStateCallback)
Listener for the threats detected by freeRASP
public void registerListener(Context context)
Registers your reactions to detected threats with freeRASP.
public void unregisterListener(Context context)
Unregisters the reactions to detected threats.
public static void start(Context context, TalsecConfig config)
The method used to start freeRASP's functionality.
public static void blockScreenCapture(Activity activity, boolean enable)
The method used to Block / Unblock screen Capture.
public static void isScreenCaptureBlocked()
The method used to Know the state of screen capture blocking whether blocked or not.
public interface ThreatDetectedvoid onRootDetected()
void onDebuggerDetected()
void onEmulatorDetected()
void onTamperDetected()
void onUntrustedInstallationSourceDetected()
void onHookDetected()
void onDeviceBindingDetected()
void onObfuscationIssuesDetected()
void onScreenshotDetected()
void onScreenRecordingDetected()
public interface DeviceStatevoid onUnlockedDeviceDetected()
void onHardwareBackedKeystoreNotAvailableDetected()
void onDeveloperModeDetected()
void onADBEnabledDetected()
void onSystemVPNDetected()
The general flow of the integration can be decomposed into the following steps:
Conforming to the prerequisites, e.g. setting up Android minSdkVersion.
Adding the dependency.
Setting up the configuration for the application, e.g. package name or whether it is production or not (see #dev-vs-release-version).
Handling the detected threats (callbacks).
Starting the SDK.
Enabling the source code obfuscation.
Become familiar with Security Report, User Data Policies and License.
Looking at , to provide an additional layer of protection by detecting malware or suspicious applications.
Looking at Features and Pricing plans if you are interested in more advanced solutions to protect your application and business.
The Dev version is used to not complicate the development process of the application, e.g. if you would implement killing of the application on the debugger callback. It disables some detections which won't be triggered during the development process:
Emulator/Simulator
Debugging
Tampering/Repackaging
Unofficial store/source
Obfuscation issues
Developer mode
ADB Enabled
Make sure that you use the Release version for the production.
Choose the relevant section based on your app development platform:
Let's learn the basics about freeRASP protection.
freeRASP is a lightweight and easy-to-integrate mobile security library designed to protect apps from potential threats during the application's runtime. It contains multiple security checks, each aimed to cover possible attack vectors to ensure a high level of application security.
freeRASP provides protection against potentially dangerous behaviour, including the following:
Using rooted or jailbroken devices (e.g., su, Magisk, unc0ver, check1rain, Dopamine).
Reverse engineering attempts.
Running hooking frameworks (e.g., Frida, Xposed or Shadow).
Tampering or repackaging the application.
Installing the app through untrusted methods/unofficial stores.
Running the app in various emulators.
Detecting Screenshot and Screen Recording attempts.
You can read more about the concept of RASP (Runtime application self-protection) here.
Reactions to various attacks and detected security threats via an API (callback mechanism).
Simple integration.
VPN and Developer Mode (Android) detection.
ADB, Developer Mode, USB debugging detections.
No significant effect on the app performance.
Weekly security report via email indicating the security status of devices and app integrity.
Fulfills OWASP MASVS-RESILIENCE requirements.
Limits of Fair Usage Policy (limited to 100k app downloads).
Data collection from your app to Talsec DB.
Security protections:
basic protection against root/jailbreak (including Magisk, Dopamine),
basic runtime reverse engineering controls,
basic runtime integrity controls.
No overlay and accessibility services misuse protection.
Learn more about the limitations of freeRASP here.
freeRASP is currently supported for:
Example:
freeRASP requires a minimum SDK level of 23. To update the minimum SDK level of the application, follow these steps:
From the root of your project (or module level), go to the build.gradle.
Update minSdkVersion to at least 23 (Android 6.0) or higher.
Set Talsec's Artifact Registry in your project's settings.gradle (or build.gradle). You should comment out the relevant section in settings.gradle, if you want to use build.gradle, as settings.gradle is preferred:
Make sure that Talsec's maven dependency is at the last position.
Set dependencies in your :app module's build.gradle:
Create an arbitrary subclass of Application(), override its onCreate()method and implement ThreatListener.ThreatDetected interface. You can, of course, use your Application subclass if you already have one in your project. If you encounter issues importing ThreatListener.ThreatDetected, please use 'Sync Project with Gradle Files' to resolve them.“
Add a new subclass to AndroidManifest.xml, inside <application> tag:
Implement methods of ThreatListener.ThreatDetected interface:
Optionally, you can use a device state listener to get additional information about the device state, like passcode lock and HW-backed Keystore state:
Optionally, you can integrate the screen capture methods to detect threats like screenshots - onScreenshotDetected() or screen recording - onScreenRecordingDetected(). If you do not implement the steps below, these detections will not work, in that case, you can just leave the implementations empty.
To use onScreenshotDetected() you have to be on Android 14+ (API 34+). Also, the application needs the following permission:
To use onScreenRecordingDetected() you have to be on Android 15+ (API 35+). Also, the application needs the following permission:
Modify initialization of ThreatListener:
You can make sure that the obfuscation is enabled by checking the value of minifyEnabled property in your module's build.gradle file.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Certificate hashes of your app. You must get your expected signing certificate hashes in Base64 form. You can go through to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
Package names of the alternative stores on which you are publishing the application. The Google Play Store and Huawei AppGallery, are included internally. (You can assign just emptyArray()). For more information, visit the wiki page.
Sends callbacks to your app when a threat is detected. Read more about the meaning of the callbacks in the .
Provides device state listener to get additional information about device state. Read more about the meaning of the device state listeners in the .
To ensure freeRASP functions correctly, you need to provide the necessary configuration. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided .
Set up the Configuration for your app with your values, which are explained in more detail in .
You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the to learn more details about the performed checks and their importance for app security.
For the onMalwareDetected(p0: MutableList<SuspiciousAppInfo>?) callback, make sure you visit , a powerful feature designed to scan for malicious or suspicious apps.
To utilize active protection, you can use Talsec.blockScreenCapture(activity, true). To receive whether the screen capture is blocked, you can use the Talsec.isScreenCaptureBlocked(). For more details about all these screen capture methods, see . Integration of all these methods should be performed at the Application level to best address the Android lifecycle:
Read more about why this is important in the.
Visit the repository to learn more about this feature! For the integration, refer to the for the Android platform.
See the most frequent issues occurring during integration.
Currently, there are no commonly present issues solely for the Native iOS development platform. For more general issues or questions, visit FAQ page. You can also check out the Issues section of our GitHub repository, where you can report issues and view existing reports.
From GitHub, Copy Talsec folder into your Application folder.
Drag & drop the Talsec folder to your .xcworkspace.
Add TalsecRuntime framework to Target > Build Phases > Link Binary With Libraries.
In the General > Frameworks, Libraries, and Embedded Content choose Embed & Sign.
Note: In case you are using Carthage, the zipped version of the framework is included in the GitHub Releases.
To ensure freeRASP functions correctly, you need to provide the necessary configuration. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided on the API page.
In the AppDelegate import TalsecRuntime and add the following code (e.g., in the didFinishLaunchingWithOptions method.:
It does not have to be AppDelegate, it can be anywhere. However, the recommended approach is to start the SDK as soon as possible.
You can handle the detected events using handlers. For example, you can log the event, show a window to the user or kill the application. See the Threat detection to learn more details about the performed checks and their importance for app security.
Anywhere in your project (e.g. in AppDelegate), add the following code as an extension:
Use the code above for handling these types of events:
Invoke the following method right after setting up the TalsecConfig in previous steps.
For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.
Description of the freeRASP API
TalsecConfigSpecifies configuration for your app. See the table below for detailed description of the attributes.
appBundleIds
[String]
List of Bundle IDs for the app
["com.talsec.freerasp.demoapp"]
appTeamId
String
Apple Team ID for the signing of the app
"M8AK35..."
watcherMail
String?
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
"john@example.com"
isProd
Bool?
Defaults to true when undefined. If you want to use the Dev version to make the development process easier, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!
true
public class Talsecpublic static func start(config: TalsecRuntime.TalsecConfig)
The method used to start freeRASP's audit.
public protocol SecurityThreatHandlerfunc threatDetected(_ securityThreat: TalsecRuntime.SecurityThreat)
Notifier about detected threats.
public enum SecurityThreat : String, Codable, CaseIterable, Equatablesignature
jailbreak
debugger
runtimeManipulation
passcode
simulator
missingSecureEnclave
systemVPN
deviceChange
deviceID
unofficialStore
screenshot
screenRecording
Description of the freeRASP API
TalsecConfigSpecifies configuration for your app. See the table below for detailed description of the attributes.
AndroidConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
IOSConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
Future<void> start(TalsecConfig config)Starts freeRASP with configuration provided in config.
void attachListener(ThreatCallback callback)Attaches instance of ThreatCallback to freeRASP. If ThreatCallback is already attached, current one will be detached and replaced with callback. When threat is detected, respective callback of ThreatCallback is invoked.
ThreatCallbackThis page provides you with all the necessary information about for . Please read it carefully. If you have a question, don't hesitate to .
In this section, you will implement the imported freeRASP Action.
On your app's initial page, navigate to the UI Builder.
On the right panel, click on Actions.
In the Action Flow Editor box, click Open.
In the newly opened window, click on On Page Load at the top.
Click Add Action (or + and then Add Action, if you already have an Action).
On the right panel, search for the runRASP Custom Action.
Select the runRASP Action.
In the Set Function Arguments section, you will find the configuration-related arguments and several "onX" arguments. More about reactions in the .
The freeRASP Action requires several arguments to be filled to function. Some data are related to specific platforms.
If you are developing the application exclusively for one platform, you can omit the configuration part related to the other platform. If you don't want to provide configuration to an unrelated platform, provide an empty string:
Click the orange variable icon next to the Value label
Scroll down to Constants
Click Constant to expand the dropdown menu
Select Empty String
watcherMail is an email address designated for receiving security reports. Ensure that the email address follows the strict name@domain.com format.
packageName is a unique identifier for your Android application.
You can find the packageName value for your application in FlutterFlow settings:
Navigate to Settings and Integrations.
Locate and select App Details.
In the textbox labelled Package Name, you will find the package name associated with your application.
signingCertHash is a hash of the certificate of the key which was used to sign the application. The value of the hash must be encoded in Base64 form.
supportedStore is a third-party app store to which your application is uploaded. By including this store, freeRASP considers it as trusted source.
To add a store, add the package name of the store to the supportedStore list.
Google Play store and Huawei AppGallery are supported out of the box. You don't need to add them.
bundleId is a unique identifier for your iOS application.
teamId is a unique identifier assigned to a development team enrolled in the Apple Developer Program.
You can find your teamId on the Apple Developer portal:
Log in using the account that is used to sign and release your app.
Scroll down to the Membership details section.
Look for the line labelled "Team ID" - the value of your team will be displayed there.
To implement callback:
Open Action Flow Editor with runRASP action.
Open one of the dropdown menus labelled "onX" on the right panel (X for a given type of reaction, for example, onAppIntegrity)
In the Action Flow Editor box, click on Open.
Implement your reaction.
freeRASP for Flutter allows you to define multiple values for:
Signing certificate hash
Supported app store
Bundle ID
Currently, freeRASP supports only Android and iOS. When running the application in the FlutterFlow web client, freeRASP will not be initialized.
The minimum required Android SDK level for freeRASP is 23. FlutterFlow applications have a minimum SDK level of 21 by default.
This creates some restrictions:
Deploying the application from the FlutterFlow web client is not possible.
Downloading the APK from the FlutterFlow web client is not supported.
To overcome these limitations, we recommend following these steps:
Download the code.
Manually raise the SDK level in the build.gradle file to 23.
Deploy the application using Google Play Console.
Raising SDK version
From the root of your project, go to android > app > build.gradle
In defaultConfig update minSdkVersion to at least 23 (Android 6.0) or higher
Example:
The freeRASP has the following prerequisites that must be met before starting.
freeRASP requires a minimum SDK level of 23. Some versions of Flutter projects, by default, support even lower levels of minimum SDK. This creates an inconsistency we must solve by updating the minimum SDK level of the application:
From the root of your project, go to android > app > build.gradle.
In defaultConfig, update minSdkVersion property to at least 23 (Android 6.0) or higher.
Xcode 15 is required to be able to build the application
Run the following command inside the project directory to add the freeRASP dependency:
In the entry point to your app, import freeRASP and add the following code:
It is necessary that Flutter Bindings are initialized. This can be satisfied by calling WidgetsFlutterBinding.ensureInitialized(), as shown in the code snippet above.
freeRASP reacts to threats using ThreatCallback. Internally, each threat has its own callback (of VoidCallback type), which is called when a threat is detected.
Start freeRASP to detect threats just by adding this line below the created config and the callback handler:
In order to provide as much protection as possible, freeRASP enhances security measures by implementing ProGuard consumer rules, which obfuscate specific sections of the SDK. However, these rules are applied to your Android app code as well due to inheritance.
In certain cases, you may prefer to exclude this rule.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Provides all types of threats detected by freeRASP. Read more about the meaning of the threats in the .
A class which represents a set of callbacks that are used to notify the application when certain security threat is detected. Read more about the meaning of the callbacks in the .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
Do NOT use solutions such as to provide the value of the package name! The package name has to be hardcoded.
More about signing hash and how to obtain it in .
More about bundle ID and how to obtain one: .
Go to the website: .
The freeRASP Action offers multiple callbacks for handling threats. A callback is an that gets triggered when a threat is detected.
Visit to learn more details about the performed checks and their importance for app security.
Due to FlutterFlow's limitations, the current implementation of freeRASP for FlutterFlow only allows you to specify a single value for each of these attributes. If want to provide more values, you can download the code and adjust those parameters manually (see )
To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Detailed descriptions of the configuration options are provided.
For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
freeRASP executes periodical checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the in the wiki to learn more details about the performed checks and their importance for app security.
For the version you’re integrating, you can find the specific dSYMs for debugging in .
To remove the rule, you need to find freerasp in your cache folder. More about where to find the cache folder . Then navigate to the freerasp-X.Y.Z/android/build.gradle file and delete the line:
Read more about why obfuscation is important in the.
Visit the repository to learn more about this feature! For the integration, refer to the for the Flutter platform.
For more general issues or questions, visit page. You can also check out the , where you can report issues and view existing reports.
Solution: The simulator does not support the release build of Flutter - more about it . Use a real device in order to build the app in release mode.
Solution: Technical limitation of Flutter - more about it . Use command flutter run to launch the app (i.e. run the app from scratch).
For more general issues or questions, visit page. You can also check out the , where you can report issues and view existing reports.
androidConfig
AndroidConfig?
Configuration for Android apps
any AndroidConfig instance
iosConfig
IOSConfig?
Configuration for iOS apps
any IOSConfig instance
watcherMail
String
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
'john@example.com'
isProd
bool?
Defaults to true when undefined. If you want to use the Dev version to make the development process easier, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!. To simplify switching between debug and release version of freeRASP based on the build type, you can use BuildConfig.BUILD_TYPE.contains("Release", true) as a value for isProd.
true
packageName
String
Package name of the app.
'com.talsec.freerasp.demoapp'
signingCertHashes
List<String>
Certificate hashes of your app.
['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=']
supportedStores
List<String>
Package names of the alternative stores. If you publish on the Google Play Store and Huawei AppGallery, as these are already included internally. (You can assign just emptyArray()). For more information, visit the Detecting Unofficial Installation wiki page.
[ 'com.sec.android.app.samsungapps']
bundleIds
List<String>
List of Bundle IDs for the app
['com.talsec.freerasp.demoapp']
teamId
String
Apple Team ID used in the app
'M8AK35...'
onPrivilegedAccess
VoidCallback?
onDebug
VoidCallback?
onSimulator
VoidCallback?
onAppIntegrity
VoidCallback?
onUnofficialStore
VoidCallback?
onHooks
VoidCallback?
onDeviceBinding
VoidCallback?
onDeviceID
VoidCallback?
onPasscode
VoidCallback?
onSecureHardwareNotAvailable
VoidCallback?
onObfuscationIssues
VoidCallback?
onDevMode
VoidCallback?
onADBEnabled
VoidCallback?
onSystemVPN
VoidCallback?
See the most frequent issues occurring during integration.
The most frequent issues occurring during integration:
For more general issues or questions, visit FAQ page. You can also check out the Issues section of our GitHub repository, where you can report issues and view existing reports.
freeRASP for React Native is a bare React Native plugin. When installing freeRASP into a project that uses Expo SDK, there may be extra configuration needed.
To integrate freeRASP into the Expo projects, follow the instructions for React Native. After that, continue on this page.
We provide a plugin config that sets up the dependencies of freeRASP without the need to eject the Expo project. It is recommended to use the plugin config. However, manual setup is also possible.
Add the plugin config to your app.json and specify the minSdkVersion (use at least 23). Additionally, if you are using Expo 50, increase the version of R8 above 8.2 with the R8Version property (to support sealed classes on Android).
Increase minSdkVersion
This can be done in two ways:
update the minSdkVersion property directly in android/build.gradle, or
use expo-build-properties plugin, which updates the property in the prebuild phase. Read more in the Expo docs.
Add maven dependency
open android/build.gradle (if you don't see the android folder, run npx expo prebuild -p android in terminal to create it)
add the following dependency under allprojects > repositories:
if not already configured, add also:
The freeRASP has the following prerequisites that must be met before starting.
The Android implementation uses Kotlin serialization plugin; following line has to be added to the plugins block in platforms/android/build.gradle:
freeRASP requires minSdkVersion level of >=23, targetSdkVersion level of >=31 and Kotlin support. Add the following lines to the config.xml file in your project root directory.
Then run the following command to apply the preferences:
freeRASP plugin uses Swift. Install the following plugin to support Swift in your project.
Install the plugin using Cordova CLI
To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided on the API page.
For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through this manual to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
In the the entry point to your app, import freeRASP and add the code below.
freeRASP executes periodical checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the Threat detection in the wiki to learn more details about the performed checks and their importance for app security.
Threat reactions can be specified inside a JavaScript object, which is then passed into the initialization function:
freeRASP can be started after the Cordova initialization is completed, for example, inside the onDeviceReady function in the index.js.
For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.
The easiest way to obfuscate your app is via code minification, a technique that reduces the size of the compiled code by removing unnecessary characters, whitespace, and renaming variables and functions to shorter names. It can be configured for Android devices in android/app/build.gradle like so:
Additionally, create or extend proguard-rules.pro in android/app folder and exclude Cordova’s specific classes that rely on package names from being obfuscated:
Please note that some other modules in your app may rely on reflection, therefore it may be necessary to add corresponding keep rules into proguard-rules.pro file.
If there is a problem with the obfuscation, freeRASP will notify you about it via obfuscationIssues callback.
Read more about why this is important in the wiki.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Visit the freeMalwareDetection repository to learn more about this feature! For the integration, refer to the integration guide for the Cordova platform.
Description of the freeRASP API
TalsecConfigSpecifies configuration for your app. See the table below for detailed description of the attributes.
androidConfig
AndroidConfig?
Configuration for Android apps
any AndroidConfig instance
iosConfig
IOSConfig?
Configuration for iOS apps
any IOSConfig instance
watcherMail
string
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
'john@example.com'
isProd
boolean?
Defaults to true when undefined. If you want to use the Dev version to make the development process easier, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!. To simplify switching between debug and release version of freeRASP based on the build type, you can use BuildConfig.BUILD_TYPE.contains("Release", true) as a value for isProd.
true
AndroidConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
packageName
string
Package name of the app.
'com.talsec.freerasp.demoapp'
certificateHashes
string[]
Certificate hashes of your app.
['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=']
supportedAlternativeStores
string[]
[ 'com.sec.android.app.samsungapps']
IOSConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
appBundleId
string
Apple Bundle ID for the app
'com.talsec.freerasp.demoapp'
appTeamId
string
Apple Team ID used in the app
'M8AK35...'
NativeEventEmitterActionsSpecifies a set of callbacks that are used to notify the application when certain security threat is detected.
privilegedAccess
() => any
debug
() => any
simulator
() => any
appIntegrity
() => any
unofficialStore
() => any
hooks
() => any
deviceBinding
() => any
deviceID
() => any
passcode
() => any
secureHardwareNotAvailable
() => any
obfuscationIssues
() => any
devMode
() => any
adbEnabled
() => any
systemVPN
() => any
const start = async (config: FreeraspConfig, eventListenerConfig: NativeEventEmitterActions): Promise<void>Method is used to start freeRASP's audit and set up listeners for threats.
The freeRASP has the following prerequisites that must be met before starting.
freeRASP requires a minimum SDK level of 23. React Native projects, by default, support even lower levels of minimum SDK. This creates an inconsistency we must solve by updating the minimum SDK level of the application:
From the root of your project, go to android > build.gradle.
In buildscript, update minSdkVersion to at least 23 (Android 6.0) or higher.
freeRASP React Native plugin uses Pods. Navigate to the ios folder and run:
Install the plugin using your preferred package manager
Navigate to the ios folder and run:
To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided on the API page.
In the the entry point to your app, import freeRASP and add the code below.
For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through this manual to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
FreeRASP provides a React Custom Hook that handles all required logic as registration of freeRASP, mounting and unmounting of listeners for you.
freeRASP executes periodical checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the Threat detection in the wiki to learn more details about the performed checks and their importance for app security.
Threat reactions should be specified inside a JavaScript object.
Start freeRASP to detect threats by calling the useFreeRasp hook, below the created config and the callback handler:
Please note that useFreeRasp Hook should be called outside useEffect.
When freeRASP initializes correctly, you should see freeRASP initialized message in the logs. Otherwise, you'll see a warning with a description of what went wrong.
You can override this default behaviour by extending the actions object with started key (to change action after successful initialization), and initializationError key (to set up action after unsuccessful initialization)
For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.
Import methods from the freeRASP plugin:
Override componentDidMount() method in the entry point to your app set listeners to threats and start freeRASP:
In this code snippet, actions is object with your reactions to threats and config is a freeRASP configuration object from previous parts of the readme.
Override componentWillUnmount() method where you clean up the listeners:
The easiest way to obfuscate your app is via code minification, a technique that reduces the size of the compiled code by removing unnecessary characters, whitespace, and renaming variables and functions to shorter names. It can be configured for Android devices in android/app/build.gradle like:
Please note that some other modules in your app may rely on reflection, therefore it may be necessary to add corresponding keep rules into proguard-rules.pro file.
If there is a problem with the obfuscation, freeRASP will notify you about it via obfuscationIssues callback.
Read more about why this is important in the wiki.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Visit the freeMalwareDetection repository to learn more about this feature! For the integration, refer to the integration guide for the React Native platform.
Description of the freeRASP API
TalsecConfigSpecifies configuration for your app. See the table below for detailed description of the attributes.
androidConfig
AndroidConfig?
Configuration for Android apps
any AndroidConfig instance
iosConfig
IOSConfig?
Configuration for iOS apps
any IOSConfig instance
watcherMail
string
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
'john@example.com'
isProd
boolean?
Defaults to true when undefined. If you want to use the Dev version to make the development process easier, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!. To simplify switching between debug and release version of freeRASP based on the build type, you can use BuildConfig.BUILD_TYPE.contains("Release", true) as a value for isProd.
true
AndroidConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
packageName
string
Package name of the app.
'com.talsec.freerasp.demoapp'
certificateHashes
string[]
Certificate hashes of your app.
['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=']
supportedAlternativeStores
string[]
[ 'com.sec.android.app.samsungapps']
IOSConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
appBundleId
string
Apple Bundle ID for the app
'com.talsec.freerasp.demoapp'
appTeamId
string
Apple Team ID used in the app
'M8AK35...'
NativeEventEmitterActionsSpecifies a set of callbacks that are used to notify the application when certain security threat is detected.
privilegedAccess
() => any
debug
() => any
simulator
() => any
appIntegrity
() => any
unofficialStore
() => any
hooks
() => any
deviceBinding
() => any
deviceID
() => any
passcode
() => any
secureHardwareNotAvailable
() => any
obfuscationIssues
() => any
devMode
() => any
adbEnabled
() => any
systemVPN
() => any
const useFreeRasp = (config: TalsecConfig, actions: NativeEventEmitterActions)React Custom Hook responsible for starting freeRASP and setting up listeners
const setThreatListeners = async (config: NativeEventEmitterActions): voidSets up listeners for detected threats
const talsecStart = async (options: TalsecConfig): Promise<string>Method is used to start freeRASP's audit. Returns 'freeRASP started'string when successful.
const removeThreatListeners = (): voidUnregisters threat listeners. Should be called only when the app is being terminated.
The freeRASP has the following prerequisites that must be met before starting.
freeRASP for Android requires a minSdkVersion level of >=23 and a targetSdkVersion level of >=33. Some Capacitor projects, by default, support even lower levels of minimum and target SDKs. This creates an inconsistency we must solve by updating the SDK levels of the application:
From the root of your project, go to android > variables.gradle (or equivalent).
In ext, update minSdkVersion to at least 23 (Android 6.0) and compileSdkVersion to at least 33 (Android 13) or higher.
Install the plugin using your preferred package manager
Synchronize the project files across native platforms
To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided on the API page.
For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through this manual to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
In the the entry point to your app, import freeRASP and add the code below.
freeRASP executes periodical checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the Threat detection in the wiki to learn more details about the performed checks and their importance for app security.
Threat reactions can be specified inside a JavaScript object, which is then passed into the initialization function:
Pass the configuration and reactions you set up in previous steps into startFreeRASP function.
Based on your framework, we recommend:
In React: Wrap this function in useEffect with an empty dependency array
In Vue: Call the method inside the mounted property
In Angular: Call the method inside the ngOnInit method
For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.
The easiest way to obfuscate your app is via code minification, a technique that reduces the size of the compiled code by removing unnecessary characters, whitespace, and renaming variables and functions to shorter names. It can be configured for Android devices in android/app/build.gradle like so:
Please note that some other modules in your app may rely on reflection, therefore it may be necessary to add corresponding keep rules into proguard-rules.pro file.
If there is a problem with the obfuscation, freeRASP will notify you about it via obfuscationIssues callback.
Read more about why this is important in the wiki.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Visit the freeMalwareDetection repository to learn more about this feature! For the integration, refer to the integration guide for the Capacitor platform.
See the most frequent issues occurring during integration.
Currently, there are no commonly present issues solely for the Capacitor development platform. For more general issues or questions, visit page. You can also check out the , where you can report issues and view existing reports.
Information about collected data
freeRASP collects anonymized security diagnostics data from apps. These data contain:
Application state and security.
Device state and security.
Anonymous app instance ID and device ID.
This information allows Talsec to provide a , improve the freeRASP product and even the , or prepare mobile security reports and articles.
Data collection can be disabled or configured to a custom customer-owned logging service in
All the data collected by the freeRASP is technical diagnostics information and anonymous, but depending on the regulations applied, it could be considered sensitive and/or personal data.
Talsec recommends adding the statement below to the dedicated privacy policy page of your app. You can also use the text below while filling in the or publishing.
Google Play requires all app publishers to declare how they collect and handle user data for the apps they publish on Google Play. They should inform users properly of the data collected by the apps and how the data is shared and processed. Google will reject the apps which do not comply with the policy.
More about Google Play's Data safety .
The checks for the Google Play and details about data are specified above in .
Apple requires that all app developers disclose their data collection and handling practices for apps published on the App Store. Developers must clearly inform users about the data their apps collect, as well as how this data is shared and processed. Apps that do not adhere to Apple's data privacy guidelines will be rejected.
To comply with the policy, in the App Privacy section, it is important to check the following:
Identifiers -> Device ID -> App Functionality
Talsec Security SDK can not link the device identifier to the user
Diagnostics -> Performance Data -> App Functionality, Other Purposes, No for linking to the user
Diagnostics -> Other diagnostics data -> App Functionality, Other Purposes, No for linking to the user
Other data -> App Functionality, No for linking to the user
Security diagnostics data (such as jailbreak)
Google Play’s User Data policy indicates that a prominent disclosure should be presented to the users in case of an app collecting personal or sensitive data.
Although freeRASP collects diagnostical data (anonymous and not user-related), you (as the app publisher) should consider adding a disclosure screen, describing why the security diagnostic data is needed, what data, and how the data is used.
Weekly security status check of your application
The Security Report is a weekly summary describing the application's security state and characteristics of the devices it runs on in a practical and easy-to-understand way.
The report provides a quick overview about
Security incidents and their dynamics
App Integrity
Reverse engineering attempts
It also contains information about devices such as
OS version
Ratio of devices with lock screens
Ratio of devices with biometrics
Each visualization also comes with a concise explanation. To receive Security Reports, you need to fill out the watcherMail correctly. There can be only one mail value set up.
If you want to learn about the differences between freeRASP and BusinessRASP+, you’re in the right place. On this page, we’ll explore the key features and benefits of each option, compare their functionalities, and highlight how the BusinessRASP+ subscription can offer enhanced capabilities and support compared to the freeRASP plan. By the end, you’ll have a clear understanding of which solution best meets your needs and how to make the most of it.
freeRASP is a freemium product, which means there are Fair Usage Policy conditions (over 100k downloads) for using it. This means that we count the total number of downloads, where multiple downloads or updates from a single device are considered as one download. For using freeRASP, please refer to the .
and are premium products with a subscription model (which includes SW licenses, SLA, maintenance updates, and more) for SDKs. It is not SaaS, which means we don't introduce any dependency on third-party web services for your mobile solution.
Talsec doesn't collect any customer data within RASP+, while freeRASP SDK sends the diagnostical information to Talsec servers to provide clients with regular security reports and improve the product. You should consider adding Talsec to the list of Data Processors in case of freeRASP usage.
Here are the top 10 benefits of choosing a Talsec RASP+ Business subscription, which includes an SDK license, SLA, and additional services, compared to the freeRASP option.
Description of the freeRASP API
FreeraspConfigSpecifies configuration for your app. See the table below for detailed description of the attributes.
AndroidConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
IOSConfigSpecifies configuration for instances of the app running on Android devices. See the table below for detailed description of the attributes.
NativeEventEmitterActionsSpecifies a set of callbacks that are used to notify the application when certain security threat is detected.
const startFreeRASP = async (config: FreeraspConfig, reactions: NativeEventEmitterActions): Promise<bool>Method is used to start freeRASP's audit and set up listeners for threats. Returns true when successful.
const removeThreatListeners = (): voidUnregisters threat listeners. Should be called only when the app is being terminated.
Talsec offers enhanced features and benefits with our BusinessRASP+ plans, building on top of our freeRASP offering. Here’s what you can expect:
No limitations of freeRASP's : Have an unrestricted number of app downloads* (beyond the 100k cap of freeRASP).
No Data Collection to Talsec Database: Your app's data are sent to your data collection services. You can even disable data collection.
FinTech Grade Security: Experience advanced security features and service level agreements (SLAs) tailored for the financial technology sector.
Bypass Protection: Business RASP+ offers enhanced security with app-specific SDK customization, while freeRASP uses a universal binary that is more susceptible to bypass.
Enhanced API Protection: Safeguard your APIs and benefit from risk scoring with our proprietary technology, .
For further details, please refer to the .
One of the most valued commercial features is - App Integrity Cryptogram.
It allows easy-to-implement API protection and App Integrity verification on the backend to prevent API abuse:
Bruteforce attacks
Botnets
API abuse by App impersonation
Session-hijacking
DDoS
It is a unified solution that works across all mobile platforms without dependency on external web services (i.e., without extra latency, an additional point of failure, and maintenance costs).
Learn more about commercial features at .
You can try freeRASP and then upgrade easily to an enterprise service.
freeRASP is freemium software, i.e. there is a Fair Usage Policy (FUP) that imposes some limitations on free usage. See the FUP section in the table below
*The Fair Usage Policy refers to the total number of downloads, where multiple downloads or updates from a single device are counted as one download.
Stay up-to-date with the latest features, improvements and bug fixes for freeRASP. Here you'll find detailed information about each update we've rolled out, organized by platform. Whether you're using the Android, iOS, Flutter, React Native, Capacitor, or Cordova version, all platforms are supported.
Explore the tabs below to see what's new and how the experience has been improved for you. If you're looking for specific changes or features, each update is documented for your convenience.
❗️Added onScreenshotDetected() - detection of screenshots, refer to the .
❗️Added onScreenRecordingDetected() - detection of screen recording, refer to the .
Improvement
Added blockScreenCapture(Activity activity, boolean enable) for FLAG_SECURE control, an active protection against screen capturing.
isScreenCaptureBlocked() - to receive whether the screen capture is blocked
Rate limiting for both screenshot and screenRecording incidents
Improved root detection capabilities
Bug Fix
Updated proguard rules to fix warnings from okhttp dependency.
Added request integrity information to data collection headers.
Enhanced and accelerated the data collection logic.
BREAKING CHANGE: Added onADBEnabledDetected detection feature, which allows you to detect USB debugging option enabled in the developer settings on the device. App needs to implement this new callback.
Refactored Magisk checks in the root detection
Internal refactoring of Malware detection feature
Bug Fix
Resolved IllegalArgumentException caused by unregistering not registered receiver in TalsecMonitoringReceiver
Reported crashes caused by the UnsupportedOperationException were resolved.
False positives in Hook detection (runtimeManipulation).
Added onMalwareDetected to ThreatListener.ThreatDetected interface, this is a breaking change and the onMalwareDetected has to be implemented by the integrating application.
Important Information
Further details for this feature will be provided shortly with the new repositories.
For now, do not react to the callback, you can implement it simply by just using println().
Added the auditing of the internal execution for the future check optimization and overall security improvements.
Changed the way TalsecConfig is created, we introduced a Builder pattern to make the process more streamlined and readable.
Refactored fetching the list of installed applications for root and hook detection.
Fixed native crashes (SEGFAULT errors) in ifpip method.
Two new threat callbacks, onDeveloperModeDetected and onSystemVPNDetected, have been added for detecting Developer mode and System VPN.
Updated GMS dependency to a newer version for improved performance and compatibility.
Updated CA bundle to enhance security for secure connections.
Resolved a problem with displaying the Arabic alphabet in logs caused by the device’s default system locale.
Updated freeRASP SDK artifact hosting ensuring better stability and availability.
Shortened duration of threat evaluation.
Improved appIntegrity check and its logging.
Updated CURL to 8.5.0 and OpenSSL to 1.1.1w.
Fixed a native crash bug during one of the native root checks (detected after NDK upgrade).
Increased the compileSdk and targetSdk in the demo application.
Updated dependencies in the demo application.
Updated SDK code signing; it will now be signed with:
Team ID: PBDDS45LQS
Team Name: Lynx SFT s.r.o.
Renewed the signing certificate.
Added request integrity information to data collection.
Significantly improved the response time from data collection service.
Added new threat callback systemVPN for System VPN detection.
Passcode check is now performed periodically.
Updated the CA bundle to enhance security for secure connections.
Resolved a problem with displaying the Arabic alphabet in logs caused by the device’s default system locale.
Added Privacy Manifest.
Added codesigning for the SDK, it is signed by:
Team ID: ASQC376HCN,
Team Name: AHEAD iTec, s.r.o..
Updated CURL to 8.5.0 and OpenSSL to 1.1.1w.
Improved obfuscation of Swift and C strings.
App icons for detected malware are not fetched automatically anymore, which reduces computation required to retrieve malware data. From now on, app icons have to be retrieved using the getAppIcon method
[Android] Malware data is now parsed on background thread to improve responsiveness.
[Android] onADBEnabled callback, allowing you to detect USB debugging option enabled in the developer settings on the device.
[Android] Malware detection as a new callback for enhanced app security.
[Android] Internal refactoring of Malware detection feature.
[Android] Refactoring Magisk checks in the root detection.
Maintenance
[iOS] Updated SDK code signing; it will now be signed with:
Team ID: PBDDS45LQS
Team Name: Lynx SFT s.r.o.
[Android] Resolved IllegalArgumentException caused by unregistering not registered receiver in TalsecMonitoringReceiver
[iOS] Renewed the signing certificate.
[Android] Reported crashes caused by the UnsupportedOperationException were resolved.
[Android] False positives for hook detection.
[Android] Added the auditing of the internal execution for the future check optimization and overall security improvements.
[Android] TalsecConfig creation was migrated to a Builder pattern.
[Android] Refactored fetching the list of installed applications for root and hook detection.
[iOS] Enhanced and accelerated the data collection logic.
[Android] Native crashes (SEGFAULT) in ifpip method.
Added new threat Threat.systemVPN for VPN detection.
Added new callback onSystemVPN in ThreatCallback for handling Threat.systemVPN threat.
[Android] Added a new threat detection feature, Threat.devMode, to identify Developer mode.
[Android] Added a new callback onDevMode in ThreatCallback for handling Threat.devMode threat.
Increased minimal Dart SDK version to 2.18.0 and minimal Flutter version to 3.3.0
Updated the CA bundle to enhance security for secure connections.
[Android] Increased the version of the GMS dependency
[iOS] Passcode check is now performed periodically.
Resolved a problem in logging caused by the device’s default system locale
[Android] New Talsec SDK artifact hosting - better stability and availibility.
[iOS] Added Privacy Manifest.
[iOS] Added codesigning for the SDK, it is signed by:
Team ID: ASQC376HCN,
Team Name: AHEAD iTec, s.r.o..
Updated CURL to 8.5.0 and OpenSSL to 1.1.1w.
[Android] Improved appIntegrity check and its logging.
[iOS] Improved obfuscation of Swift and C strings.
[Android] Fixed a native crash bug during one of the native root checks (detected after NDK upgrade).
Improved reaction obfuscation.
[iOS] Improved obfuscation of the iOS SDK.
[iOS] Raised supported Xcode version to 14.3.1 .
[Android] Fixed ProviderException.
Fixed typo in namespace which caused incompatibility with AGP 8.0 .
App icons for detected malware are not fetched automatically anymore, which reduces computation required to retrieve malware data. From now on, app icons have to be retrieved using the getAppIcon method.
Parsing of malware data is now async.
[Android] Malware data is now parsed on background thread to improve responsiveness.
[Android] adbEnabled callback, allowing you to detect USB debugging option enabled in the developer settings on the device.
Added configuration fields for malware detection.
[Android] Malware detection as a new callback for enhanced app security.
[Android] Refactoring Magisk checks in the root detection.
Maintenance
[iOS] Updated SDK code signing; it will now be signed with:
Team ID: PBDDS45LQS
Team Name: Lynx SFT s.r.o.
[iOS] Renewed the signing certificate.
[Android] Reported crashes caused by the UnsupportedOperationException were resolved.
[Android] False positives for hook detection.
[Android] Added the auditing of the internal execution for the future check optimization and overall security improvements.
Improved error messages when validation of the freeRASP configuration fails.
[Android] Changed the way TalsecConfig is created, we introduced a Builder pattern to make the process more streamlined and readable.
[Android] Refactored fetching the list of installed applications for root and hook detection.
Fixed incorrect path to types in package.json.
[Android] Fixed native crashes (SEGFAULT errors) in ifpip method.
Updated proguard rules to resolve build issues in RN 0.75.x.
Added a new threat systemVPN for VPN detection.
[Android] Added a new threat devMode for Developer mode detection.
Updated the CA bundle to enhance security for secure connections.
[Android] Updated the GMS dependency to a newer version for improved performance and compatibility.
[iOS] Enhanced and accelerated the data collection logic.
[iOS] Passcode check is now performed periodically.
Resolved a problem with displaying the Arabic alphabet in logs caused by the device’s default system locale.
[Android] Fixed proguard warning in specific versions of RN.
Updated expo config plugin to fix release build issue in RN 0.73.
[Android] Updated freeRASP SDK artifact hosting ensuring better stability and availibility.
[Android] Fixed compatibility issues with RN < 0.63.
Added support for apps built with Expo SDK.
[iOS] Added Privacy Manifest.
[iOS] Added codesigning for the SDK, it is signed by:
Team ID: ASQC376HCN,
Team Name: AHEAD iTec, s.r.o..
Updated CURL to 8.5.0 and OpenSSL to 1.1.1w.
[Android] Shortened duration of threat evaluation.
[Android] Improved appIntegrity check and its logging.
[iOS] Improved obfuscation of Swift and C strings.
[Android] Fixed a native crash bug during one of the native root checks (detected after NDK upgrade).
App icons for detected malware are not fetched automatically anymore, which reduces computation required to retrieve malware data. From now on, app icons have to be retrieved using the getAppIcon method.
Parsing of malware data is now async.
[Android] Malware data is now parsed on background thread to improve responsiveness.
[Android] adbEnabled callback, allowing you to detect USB debugging option enabled in the developer settings on the device.
Added configuration fields for malware detection.
[Android] Malware detection as a new callback for enhanced app security.
[Android] Refactoring Magisk checks in the root detection.
Maintenance
BREAKING CHANGE: New dependency is required to run freeRASP; add following plugin to android/build.gradle:
[iOS] Updated SDK code signing; it will now be signed with:
Team ID: PBDDS45LQS
Team Name: Lynx SFT s.r.o.
[Android] Resolved IllegalArgumentException caused by unregistering not registered receiver in TalsecMonitoringReceiver
[iOS] Renewed the signing certificate.
[Android] Reported crashes caused by the UnsupportedOperationException were resolved.
[Android] False positives for hook detection.
[Android] Added the auditing of the internal execution for the future check optimization and overall security improvements.
Improved error messages when validation of the freeRASP configuration fails.
[Android] Changed the way TalsecConfig is created, we introduced a Builder pattern to make the process more streamlined and readable.
[Android] Refactored fetching the list of installed applications for root and hook detection.
[iOS] Enhanced and accelerated the data collection logic.
[Android] Fixed native crashes (SEGFAULT errors) in ifpip method.
Added a new threat systemVPN for VPN detection.
[Android] Added a new threat devMode for Developer mode detection.
Updated the CA bundle to enhance security for secure connections.
[Android] Updated the GMS dependency to a newer version for improved performance and compatibility.
[iOS] Passcode check is now performed periodically.
Resolved a problem with displaying the Arabic alphabet in logs caused by the device’s default system locale.
[Android] Removed the talsec namespace that caused change of namespaces for whole app.
[iOS] Fixed issue causing app crash with lower versions of cordova-ios plugin.
[Android] Updated freeRASP SDK artifact hosting ensuring better stability and availibility.
App icons for detected malware are not fetched automatically anymore, which reduces computation required to retrieve malware data. From now on, app icons have to be retrieved using the getAppIcon method.
Parsing of malware data is now async.
[Android] Malware data is now parsed on background thread to improve responsiveness.
[Android] adbEnabled callback, allowing you to detect USB debugging option enabled in the developer settings on the device.
Added configuration fields for malware detection.
[Android] Malware detection as a new callback for enhanced app security.
[Android] Refactoring Magisk checks in the root detection.
Maintenance
[iOS] Updated SDK code signing; it will now be signed with:
Team ID: PBDDS45LQS
Team Name: Lynx SFT s.r.o.
Bug Fix
[iOS] Renewed the signing certificate.
[Android] Reported crashes caused by the UnsupportedOperationException were resolved.
[Android] False positives for hook detection.
[Android] Added the auditing of the internal execution for the future check optimization and overall security improvements.
Improved error messages when validation of the freeRASP configuration fails.
[Android] Changed the way TalsecConfig is created, we introduced a Builder pattern to make the process more streamlined and readable.
[Android] Refactored fetching the list of installed applications for root and hook detection.
[iOS] Enhanced and accelerated the data collection logic.
[Android] Fixed native crashes (SEGFAULT errors) in ifpip method.
Added a new threat systemVPN for VPN detection.
[Android] Added a new threat devMode for Developer mode detection.
Updated the CA bundle to enhance security for secure connections.
[Android] Updated the GMS dependency to a newer version for improved performance and compatibility.
[iOS] Passcode check is now performed periodically.
Resolved a problem with displaying the Arabic alphabet in logs caused by the device’s default system locale.
[Android] Updated freeRASP SDK artifact hosting ensuring better stability and availibility.
[iOS] Added Privacy Manifest.
[iOS] Added codesigning for the SDK, it is signed by:
Team ID: ASQC376HCN,
Team Name: AHEAD iTec, s.r.o..
Updated CURL to 8.5.0 and OpenSSL to 1.1.1w.
[Android] Shortened duration of threat evaluation.
[Android] Improved appIntegrity check and its logging.
[iOS] Improved obfuscation of Swift and C strings.
[Android] Fixed a native crash bug during one of the native root checks (detected after NDK upgrade).
[Android] Fixed bug that prevented firing callbacks in specific situations.
Package names of the alternative stores. If you publish on the Google Play Store and Huawei AppGallery, as these are already included internally. (You can assign just emptyArray()). For more information, visit the wiki page.
Package names of the alternative stores. If you publish on the Google Play Store and Huawei AppGallery, as these are already included internally. (You can assign just emptyArray()). For more information, visit the wiki page.
More about Apple App privacy .
It is an anonymous device identifier for the App vendor as per:
More about Google's best practices for prominent disclosure and consent .
Haven't received your security report? You may have surpassed our limit.
For more information, click . The detailed whitepaper is available .
: Strings obfuscation and encryption, aka vaulting within RASP SDK (good for hiding API keys, endpoints, URLs).
Business subscription includes SDK, which helps avoid the need to republish the app in case of certificate expiration or root certificate updates.
For any questions, please refer to our or schedule a call with us by choosing a time slot on .
For additional comparison details and information on planned features, please see the .
Reported ANR issues present on some devices were resolved ().
Reported crashes caused by ConcurrentModificationException and NullPointerException were resolved ().
Updated CURL to 8.8.0 and OpenSSL to 3.0.14 ().
Fixed collision for command line tools (like ping) invoked without absolute path ().
Fixed issue with ProviderException ().
Curious about more in-depth changes for Android? Head over to our for the complete history of updates!
Added jailbreak detection.
jailbreak detection.
Updated OpenSSL to version 3.0.14 and CURL to version 8.8.0. ()
Fixed memory leak ().
Curious about more in-depth changes for iOS? Head over to our for the complete history of updates!
[iOS] Enhanced security with Detection to identify compromised devices.
[Android] Reported ANR issues present on some devices were resolved ().
[Android] Reported crashes caused by ConcurrentModificationException and NullPointerException were resolved ().
[iOS] jailbreak detection.
Migration to .
Updated CURL to 8.8.0 and OpenSSL to 3.0.14 ().
[Android] Fixed collision for command line tools (like ping) invoked without absolute path ().
[Android] Fixed issue with disappearing threats when the app is quickly put into the background and then back to the foreground (resolves ).
Curious about more in-depth changes for Flutter? Head over to our for the complete history of updates!
[iOS] Enhanced security with Detection to identify compromised devices.
[Android] Reported ANR issues present on some devices were resolved ().
[Android] Reported crashes caused by ConcurrentModificationException and NullPointerException were resolved ().
[iOS] jailbreak detection.
Updated CURL to 8.8.0 and OpenSSL to 3.0.14 ().
[Android] Fixed collision for command line tools (like ping) invoked without absolute path ().
[iOS] Fixed memory leak ().
Curious about more in-depth changes for React Native? Head over to our for the complete history of updates!
[iOS] Enhanced security with Detection to identify compromised devices.
[Android] Reported ANR issues present on some devices were resolved ().
[Android] Reported crashes caused by ConcurrentModificationException and NullPointerException were resolved ().
[iOS] jailbreak detection.
Updated CURL to 8.8.0 and OpenSSL to 3.0.14 ().
[Android] Fixed collision for command line tools (like ping) invoked without absolute path ().
Fixed BAD_ACCESS error occurring in specific versions of cordova-ios plugin ().
Curious about more in-depth changes for Cordova? Head over to our for the complete history of updates!
[iOS] Enhanced security with Detection to identify compromised devices.
Resolved compatibilty issues with JDK 21
[Android] Reported ANR issues present on some devices were resolved ().
[Android] Reported crashes caused by ConcurrentModificationException and NullPointerException were resolved ().
[iOS] jailbreak detection.
Updated CURL to 8.8.0 and OpenSSL to 3.0.14 ().
[Android] Fixed collision for command line tools (like ping) invoked without absolute path ().
[iOS] Fixed memory leak ()
[iOS] Fixed bug that caused app being killed in specific situations ().
Curious about more in-depth changes for Capacitor? Head over to our for the complete history of updates!
androidConfig
AndroidConfig?
Configuration for Android apps
any AndroidConfig instance
iosConfig
IOSConfig?
Configuration for iOS apps
any IOSConfig instance
watcherMail
string
The value is automatically used as the target address for your security reports. Mail has a strict form 'name@domain.com'.
'john@example.com'
isProd
boolean?
Defaults to true when undefined. If you want to use the Dev version to make the development process easier, set the parameter to false. Make sure that you have the Release version in the production (i.e. isProd set to true)!. To simplify switching between debug and release version of freeRASP based on the build type, you can use BuildConfig.BUILD_TYPE.contains("Release", true) as a value for isProd.
true
packageName
string
Package name of the app.
'com.talsec.freerasp.demoapp'
certificateHashes
string[]
Certificate hashes of your app.
['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=']
supportedAlternativeStores
string[]
Package names of the alternative stores. If you publish on the Google Play Store and Huawei AppGallery, as these are already included internally. (You can assign just emptyArray()). For more information, visit the Detecting Unofficial Installation wiki page.
[ 'com.sec.android.app.samsungapps']
appBundleId
string
Apple Bundle ID for the app
'com.talsec.freerasp.demoapp'
appTeamId
string
Apple Team ID used in the app
'M8AK35...'
privilegedAccess
() => any
debug
() => any
simulator
() => any
appIntegrity
() => any
unofficialStore
() => any
hooks
() => any
deviceBinding
() => any
deviceID
() => any
passcode
() => any
secureHardwareNotAvailable
() => any
obfuscationIssues
() => any
devMode
() => any
adbEnabled
() => any
systemVPN
() => any
This project is provided as freemium software, i.e. there is a fair usage policy that imposes some limitations on the free usage. The SDK software consists of open-source and binary parts, which is the property of Talsec. The open-source part is licensed under the MIT License - see the LICENSE file on GitHub for details.
Welcome to the freeRASP wiki page!
This page provides additional information about the product. The main goal is to present clear and easily accessible content that will help you better understand freeRASP. We hope you find it helpful and informative.
How to Get the Signing Certificate Hash.
Details on Callback Delay, Telemetry Impact, and Threat Scanning.
Information about Threat detection.
Overview of Code Obfuscation.
We encourage you to explore the different sections of this wiki to gain a more comprehensive understanding of the freeRASP product and its features. If you have any questions or need further assistance, please feel free to reach out to our support team at support@talsec.atlassian.net.
freeRASP performs several security checks to detect potential threats during runtime, each targeting specific attack vectors. Developers and business owners can determine the appropriate response to these incidents, whether by terminating the application, alerting the user, logging the incident details, or choosing to ignore it.
For a detailed explanation of each security check and guidance on selecting an appropriate response, please refer to the individual threat descriptions in the subsections. Remember, the ideal response will depend on your application's specific security needs and use cases.
Before installation or updating on a device, Android requires that all APKs be digitally signed with a certificate. The signing certificate hash is a unique identifier of the certificate used to sign the application, serving to verify the application's origin.
Developers can sign the application using one of the following methods:
Manual App Signing.
Play App Signing.
In manual app signing, the developer owns a keystore used to sign the application. You can use tools like keytool or apksigner to retrieve certificate details, including the SHA-256 digest.
Using keytool:
Using apksigner:
With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your applications. You can find the SHA-256 fingerprint of the certificate in the Google Play Console:
Go to View App.
Navigate to Setup > App Signing.
Under App Signing Key Certificate, locate the SHA-256 fingerprint.
An example SHA-256 fingerprint looks like this:
To convert hex string to Base64 form, use an online like Base64 Encode. After conversion, you'll receive a string like this:
The resulting string is used in the Talsec configuration as a signing certificate hash.
Check the integration section for instructions on providing the signing hash for Talsec configuration.
We would like to reflect on a few performance and telemetry-related topics that emerge occasionally.
Common Questions:
Why does it take too long to finish all the checks?
How to know when all checks are finished?
When are telemetry data transmitted?
Incidents that are triggered during the development (integration & testing) won't happen to a majority of users in the production.
Callbacks can be invoked slower if the freeRASP backend endpoint is overloaded. Data collection takes precedence. However, do not worry; the application will function as intended, and only callbacks might be a little delayed.
freeRASP works smoothly in production, but it may be tricky to understand all the freeRASP concepts during development. During the integration and testing of the freeRASP, you may have observed that it took longer than expected to get results for all threats (callbacks). You want to get results quickly, respond to threats effectively, and ensure there is no noticeable jankiness in the UI interactions.
freeRASP has to do a lot of work once started. The cold boot is a really intensive moment when all detections must be performed, telemetry data transmitted, and callbacks to your app must be delivered (in this order).
Talsec team efforts and community contributions allow freeRASP to improve the performance and security trade-offs continually by tuning the asynchronous processes, network activity, and internal business logic. Like that time when the internal detector ordering was reworked to significantly speed evaluation based on this reported issue and the telemetry insights about the speed of detectors 👌.
Remember the phrase "It is darkest before the dawn"? The integration and testing of freeRASP are inherently accompanied by unintentional threat callbacks invoked by incorrect provisioning of the app's signature (appIntegrity callback), using a simulator for development, an unofficial store (because you haven't published it yet), and others. We've all been there.
It may also seem disconcerting to see that it takes too long until the last expected threat callback invokes. Yet, keep in mind that in production, these incidents won't happen for the genuine unaltered apps run in normal conditions. The performance impact will be negligible. On the contrary, the comfort of a potential attacker and performance degradation in adverse conditions is acceptable.
If you're getting the appIntegrity incident in the production app, send us your packageName/bundleId and watcherMail at support@talsec.atlassian.net, and we will look into it.
freeRASP collects security diagnostics data (read more in User Data Policies) in accordance with the Fair Usage Policy. Every detected threat is immediately synchronously logged to a common freeRASP backend. Latencies inflicted by the overload of the endpoint are unfortunate, but we continuously improve and scale as much as possible.
The application can be analysed or modified even though its source code has not been changed, applying a technique known as hooking. This technique can be used to intercept system or application calls and then modify them. An attacker can exploit this by inserting new (often malicious) code or by altering existing one to obtain personal client data. The most well-known hooking frameworks are Frida, Xposed, or Cydia Substrate.
Below are code snippets demonstrating hook detection across various platforms:
Recommended action: Notify users that their device or app is insecure and log the event on your BE. In some cases, it is recommended to even kill the application.
Rooting/jailbreaking is a technique of acquiring privileged control over the operating system of an Android/iOS device. While most users root their devices to overcome the limitations put on the devices by the manufacturers, it also enables those with malicious intent to abuse privileged access and steal sensitive information. Many different attack vectors require privileged access to be performed. Tools such as Magisk, Shad0w or Dopamine can hide privileged access and are often used by attackers.
freeRASP uses various checks to detect whether the device is rooted or jailbroken. It detects not only rooted/jailbroken devices but also looks for the presence of their hiders (e.g., Magisk, Shad0w, Dopamine).
From our data, around 0.5% - 1% of devices have traces of rooting and jailbreaking. Keep that in mind when choosing the appropriate reaction type.
Below are code snippets demonstrating root and jailbreak detection across various platforms:
Recommended action: Notify users that their device is insecure and log the event on your BE. Some of the applications (mostly banking) are often even killed upon the detection of this threat.
Every application can be easily modified and then resigned by an attacker. This process is known as application repackaging. There may be many reasons for application repackaging, whether it's adding new code, removing app protections, or bypassing app licensing. A modified/tampered application is often distributed using third-party stores or other side channels.
Talsec uses various checks to detect whether the application was tampered (e.g., changed package name, signing hash).
Make sure that you have integrated Talsec correctly (e.g., signing certificate hash). Otherwise, this check might be triggered very often.
Below are code snippets demonstrating app tampering detection across various platforms:
Recommended action: Kill the application.
While most developers use debuggers to trace the flow of their program during its execution same tool can be attached to an application in an attempt to reverse engineer, check memory values, and steal confidential information. This method looks for specific flags to determine whether the debugger is active and offers the option to disable it.
Below are code snippets demonstrating debugger detection across various platforms:
Recommended action: Kill the application.
The Secure Enclave and the Android Keystore system make it very difficult to decrypt sensitive data without physical access to the device. In that order, these keys need to be stored securely. freeRASP checks if the keys reside inside secure hardware.
Below are code snippets demonstrating missing hardware detection across various platforms:
Recommended action: Ignore the callback or log the event to your BE.
Runtime App Self Protection (RASP, app shielding)
Advanced root/jailbreak protections (including Magisk)
basic
advanced
Runtime reverse engineering controls
Debugger
Emulator / Simulator
Hooking and reversing frameworks (e.g. Frida, Magisk, XPosed, Cydia Substrate and more)
basic
advanced
Runtime integrity controls
Tampering protection
Repackaging / Cloning protection
Device binding protection
Unofficial store detection
basic
advanced
Device OS security status check
HW security module control
Screen lock control
Google Play Services enabled/disabled
Last security patch update
System VPN control
Developer mode control
ADB enabled detection
yes
yes
Screen Capture
Screen capture protection
Screenshot detection
Screen recording cetection
yes
yes
UI protection
Overlay protection
Accessibility services misuse protection
no
yes
Penetration Test Ready
can be bypassed by professional
designed to sustain pentesting
Security hardening suite
End-to-end encryption
Strings protection (e.g. API keys)
Dynamic TLS certificate pinning
no
yes
API protection by mobile client integrity check, online risk scoring, online fraud prevention, client App integrity check. The cryptographic proof of app & device integrity.
no
yes
Security events data collection, Auditing and Monitoring tools
Threat events data collection from SDK
yes (collected to Talsec's DB)
yes (collected to Customer's DB)
AppSec regular email reporting service
yes (up to 100k devices)
yes
Access to Data portal for Logging, data analytics and auditing
no
yes
Support and Maintenance
SLA
not committed
yes
Maintenance updates
not committed
yes
Fair Usage Policy - up to 100k Downloads*
Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section on the web).
over 100k devices
no
Threat signals data collection to Talsec database for processing and product improvement
yes
no
Place "Protected by freeRASP" logo in the App Screen(s)
over 100k devices
no
Users can share a copy of the application on unofficial stores or various pirate forums. While some users download these copies to avoid paying for the product, they can include unknown and possibly dangerous modifications. Verifying an official installation consequently protects both the users and the owner. This reaction is also triggered, if you install the application through alternative ways like unofficial store or Xcode build.
Below are code snippets demonstrating detection of unofficial installation across various platforms:
Recommended action: Notify users that the application is installed from an unofficial store. In some cases, it is recommended to even kill the application.
If you want to define which applications can install the application, insert its package name in the supportedAlternativeStores (or supportedStores on Flutter) parameter. If you publish on Google Play, Huawei AppGallery, App Store (iOS), and TestFlight (iOS), you don't need to assign anything, as they are already supported out of the box.
The application can also be installed by "cloning" apps, which users employ to transfer apps between devices. The following list comprises popular examples of such apps. By default, freeRASP categorizes them as installations from an unofficial store .
Finally, it's very common application gets installed through browser, file manager, cloud storage or various messaging apps. By default, freeRASP categorizes them as installations from unofficial store.
Device binding is attaching an application instance to a particular mobile device. This method detects a transfer of an application instance to another device. A new install of the application (e.g. in case of buying a new device and transfer the apps) is not detected.
The deviceID detects, whether the has been changed. It is triggered after reinstallation of the application if there are no other applications from the same vendor installed. The value can also change when installing test builds using Xcode or when installing an app on a device using ad-hoc distribution.
Below are code snippets demonstrating device binding detection across various platforms:
Recommended action: Log the event on your BE and react to it if you need to have an instance attached to a particular mobile device (e.g., activation scenarios); otherwise you can ignore it.
- App Integrity Cryptogram
App Store (iOS)
Included by default, no action needed
TestFlight (iOS)
Included by default, no action needed
Google Play
Included by default, no action needed
Huawei AppGallery
Included by default, no action needed
Firebase App Distribution
dev.firebase.appdistribution
Samsung Galaxy Store
com.sec.android.app.samsungapps
Common on Samsung devices
Vivo App Store
com.vivo.appstore
Common on Vivo devices
HeyTap
com.heytap.market
Common on Realme and Oppo devices
Oppo App Market
com.oppo.market
Common on Oppo devices
GetApps
com.xiaomi.mipicks
Common on Xiaomi, Redmi and POCO devices
Mi Mover (Xiaomi)
com.miui.huanji
Phone Clone (Huawei)
com.hicloud.android.clone
Samsung Smart Switch
com.sec.android.easyMover
Samsung Cloud for Wear OS
com.samsung.android.scloud
OPPO Clone Phone
com.coloros.backuprestore
EasyShare (Vivo)
com.vivo.easyshare
Clone Phone (OnePlus)
com.oneplus.backuprestore
SHAREit (Lenovo)
com.lenovo.anyshare.gps
SHAREit Lite
shareit.lite
ShareMe (Xiaomi)
com.xiaomi.midrop
MIUI Backup (Xiaomi)
com.miui.backup
Phone Clone (Honor)
com.hihonor.android.clone
Running an application inside an emulator/simulator allows an attacker to hook or trace program execution. For applications running inside an emulator, it is easy to inspect the system's state, reset it to a saved image, or monitor how the app operates. Keep in mind that not every emulator/simulator usage means an ongoing potential threat for the application.
Below are code snippets demonstrating emulator detection across various platforms:
Recommended action: Notify users that their device is insecure and log the event on your BE. Some of the applications (mostly banking) are often even killed upon the detection of this threat.
Android developer mode allows deeper system access and debugging capabilities that can bypass app security measures. Developer mode can enable settings that facilitate the installation of uncertified applications and the execution of potentially harmful code, posing significant risks to data integrity and app functionality. FreeRASP detects whether the developer mode is enabled.
Below are code snippets demonstrating developer mode detection across various platforms:
Recommended action: Log the event on your BE
Screenshot detection is a critical security feature that identifies when a screenshot is captured on the device. Screenshots can expose sensitive app data, such as confidential information displayed on the screen, user credentials, or personal content, leading to potential privacy and security risks. By detecting when a screenshot is taken, apps can implement countermeasures like obscuring sensitive content, notifying users, or logging the event for further analysis.
Below are code snippets demonstrating Screenshot detection across various platforms (other platforms will soon come):
Screen recording detection is an advanced security feature that identifies when a device's screen is being recorded. Screen recordings can pose significant security threats by capturing confidential app data, including user interactions, sensitive information displayed on the screen, and proprietary app content. By detecting screen recording, apps can take proactive steps to protect data, such as masking sensitive information or alerting users.
Below are code snippets demonstrating Screen recording detection across various platforms (other platforms will soon come):
Recommended action: Log the event on your BE or hide the sensitive content.
Screen capture protection offers a method to block or unblock screen capture functionality dynamically within your application. This includes screenshots and screen recordings, helping protect sensitive information from unauthorized capture. You can block or unblock the screen capture by changing the flag between (true/false).
Below are code snippets demonstrating Screen capture protection across various platforms (other platforms will soon come):
Application of FLAG_SECURE or calling Talsec.blockScreenCapture(activity, true) disables the callbacks for detection of screenshot or screen recording.
To check whether screen capture is currently blocked in the application, you can call the following method. This allows developers to dynamically assess and adapt their app's behavior based on the screen capture state.
Code snippet for various platforms (other platforms will soon come):
For Android 11 (API 30) and lower, FLAG_SECURE is able to help around 70% of the devices reliably. This is because on certain devices, keyboard taps can be recorded.
Saving any sensitive data on a device without a lock / passcode makes them more prone to theft. With no user authentification device can be accessed and modified with minimal effort. freeRASP checks if the device is secured with any type of lock.
Below are code snippets demonstrating passcode detection across various platforms:
Recommended action: Log the event on your BE or react to it if you need users to have a screen lock set up, otherwise ignore it.
ADB (Android Debug Bridge) Enabled is a power-user feature activated through the "USB Installation" option in the Developer settings. This state can signal potential security risks, such as apps being installed via USB, the device being connected to a man-in-the-middle (MiTM) proxy, or the device running as an emulator. When ADB is enabled, it allows extensive access to the device, including pulling and pushing files, issuing shell commands, working with the activity manager (e.g., starting activities, broadcasting intents, modifying hidden Android settings, attaching a profiler to a process, or making an app debuggable), and managing packages. Additionally, it enables capturing screenshots, recording the screen, and other actions that can compromise app security and user privacy. FreeRASP detects whether the USB debugging is enabled.
Below are code snippets demonstrating ADB enabled detection across various platforms:
Recommended action: Log the event on your BE
Detecting a running VPN service on mobile devices is critical for security-sensitive applications, as it can indicate potential privacy and security risks. VPNs can obscure the user’s actual IP address and route data through servers potentially under external control, which might interfere with geographical restrictions and bypass network security settings intended to protect data integrity and confidentiality. Such anonymising features could be exploited to mask illicit activities, evade compliance controls, or access services from unauthorised regions. FreeRASP checks whether the system VPN is enabled.
Below are code snippets demonstrating system VPN detection across various platforms:
Recommended action: Log the event on your BE
This page is intended to provide quick answers to common questions.
Thank you for reading the freeRASP FAQ. If you didn't find the answer to your question, please do not hesitate to create a GitHub issue on the respective repository (preferably) or email support@talsec.atlassian.net.
The freeRASP contains public API so that the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to use publicly available information to interrupt freeRASP operations or modify your custom reaction implementation in threat callbacks. In order for freeRASP to be as effective as possible, it is highly recommended to apply obfuscation to the final package/application, making the public API more difficult to find and also partially randomized for each application so it cannot be automatically abused by generic hooking scripts.
The majority of Android projects support code shrinking and obfuscation without any additional need for setup. The owner of the project can define the set of rules that are usually automatically used when the application is built in the release mode. For detailed guidance, explore the official documentation through these links: first reference and second reference.
There are two possible values for this flag:
true
Indicates the Release version.
This is the default value when undefined.
false
Indicates the Dev version.
The Dev version of freeRASP is intended for usage during the development phase. It serves the purpose of segregating development and production data, as well as disabling certain checks that are not applicable during the development process. These checks include:
Emulator usage (onSimulator),
Debugging (onDebug),
Signing (onAppIntegrity),
Unofficial store (onUnofficialStore),
Obfuscation issues (onObfuscationIssues),
Developer mode (onDevMode),
ADB Enabled (onADBEnabled).
The freeRASP SDK contains public API, so the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to interrupt freeRASP SDK operations or modify the custom code in threat callbacks. All internal freeRASP classes are already obfuscated, so it is simple to distinguish freeRASP sources from the rest of the application code during the static analysis. In order for freeRASP to be as effective as possible, it is highly recommended to apply obfuscation to the final package/application, making the public API more difficult to find and also to make it partially randomized for each application so it cannot be automatically abused by generic hooking scripts.
Please follow the integration guide of your platform for more information about how to obfuscate the app.
Below are code snippets demonstrating missing obfuscation detection across various platforms:
Recommended action: Use this callback during the development process to ensure that the app is obfuscated.
Talsec is an academic-based and community-driven mobile security company. We deliver in-App Protection and a User Safety suite for Fintechs. We aim to bridge the gaps between the user's perception of app safety and the strong security requirements of the financial industry.
Talsec offers a wide range of security solutions, such as App and API protection SDK, monitoring services, and the User Safety suite. You can check out the offered products on our web.
Give us a : GitHub freeRASP
Read articles about security issues and their prevention: Medium
At Talsec, our commitment goes beyond just providing strong security solutions. We believe in continuously evolving our offerings by actively listening to community feedback and responding to the unique needs of developers. Our goal is not only to protect your applications but also to ensure that your insights and experiences shape our products.
We value your input because we understand that secure and effective development tooling is built through collaboration. Your voice, as a developer, is crucial to making our solutions more robust, dev-friendly, and aligned with real-world challenges.
We strive to deliver a flawless experience with our software. However, despite our best efforts, occasional bugs or issues may still arise. If you encounter any problems or notice anything that seems out of place, we encourage you to let us know.
If you have ideas that could enhance freeRASP or improve your developer experience, we want to hear from you. We value suggestions from the community, as they reflect real needs and practical experiences.
To share your idea, please open an enhancement issue on our GitHub repository. Your input helps us prioritize features and improvements that matter most to our users.
We recognize that some ideas are already on our radar and are actively under consideration. To keep track of proposed enhancements and their progress, we use GitHub Projects.
Before submitting a new idea, we recommend reviewing our GitHub Projects board. This will help you see if your suggestion is already being worked on or if similar ideas have been proposed.
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this .
.svg?alt=media&token=377030ba-8785-4169-85f7-c0233724cf84)
.svg?alt=media&token=d7c8c4c9-d0a9-4fad-8d39-cf7e4208a360)
.svg?alt=media&token=a92a054a-c1cb-4861-b19c-4bbac8e752f2)
.svg?alt=media&token=a01ecc00-51da-4eea-be79-00c054d50d97)
.svg?alt=media&token=990a2e9a-d9ca-4f49-ba75-ceeafd97bb60)
.svg?alt=media&token=3b653caa-88c7-403f-95e5-e3910bc1671e)
.svg?alt=media&token=f014fd8f-ffd9-4b76-b078-1a7d72034212)
.svg?alt=media&token=a27d78b3-81ad-4360-8df7-8412105a045e)
.svg?alt=media&token=b8992828-67a4-4501-a453-476e6f3a141f)
.svg?alt=media&token=296c4218-c9c3-4767-97dd-9f8c8a3bd00a)
.svg?alt=media&token=a3b2b8f9-fd66-4619-a49d-b8871aeb8b59)
.svg?alt=media&token=850d1d01-bb5b-4301-970d-8e53ff16f5a9)
