If you want to learn about the differences between freeRASP and BusinessRASP+, you’re in the right place. On this page, we’ll explore the key features and benefits of each option, compare their functionalities, and highlight how the BusinessRASP+ subscription can offer enhanced capabilities and support compared to the freeRASP plan. By the end, you’ll have a clear understanding of which solution best meets your needs and how to make the most of it.
What are the advantages of the commercial Talsec SDK subscription plans compared to freeRASP?
freeRASP is a freemium product, which means Fair Usage Policy conditions (over 100K downloads) apply to its use. To use it, please refer to the Integration Manual.
BusinessRASP+ and AppiCrypt are premium products with a subscription model (which includes SW licenses, SLA, maintenance updates, and more) for SDKs. It is not SaaS, which means we don't introduce any dependency on third-party web services for your mobile solution.
Talsec doesn't collect any customer data within RASP+, while the freeRASP SDK sends diagnostic information to Talsec servers to provide clients with regular security reports and to improve the product. If you use freeRASP, you should consider adding Talsec to your list of Data Processors.
Top 10 Advantages of Talsec RASP+ Business Subscription Over freeRASP
Here are the top 10 benefits of choosing a Talsec RASP+ Business subscription, which includes an SDK license, SLA, and additional services, compared to the freeRASP option.
Bypass Protection
The RASP+ binary SDK is built individually with bindings to app-specific data (such as signing certificate hash, package name, team ID, etc.), making it unique to each application. In contrast, the freeRASP SDK is a generic binary used by all users, which can be more easily recognized by attackers.
As a result, an app protected by freeRASP is less likely to pass a professional penetration test, as an experienced pentester would be able to bypass it more easily.
Device data collection by Talsec
Premium customers benefit from full control over telemetry and logging endpoints, i.e., customers can use in-house or managed services like Elastic Cloud to collect mobile threat logs and set up monitoring events for severe threats.
freeRASP SDK sends data to a Talsec-managed cloud DB (AWS in the USA) for product improvements, anomaly detection, freeRASP client reporting, and aggregated data analytics.
Better Resilience of API Callbacks
The RASP+ binary SDK is built individually with bindings to app-specific data (such as signing certificate hash, package name, team ID, etc.), making it unique to each application. In contrast, the freeRASP SDK is a generic binary used by all users, which can be more easily recognized by attackers. As a result, an app protected by freeRASP is less likely to pass a professional penetration test, as an experienced pentester could bypass it more easily.
AppiCrypt
AppiCrypt is our innovation: an extremely powerful RASP hardening from the back end that implements the zero-trust concept for the world of apps (app/device integrity control at the API gateway level). It is somewhat similar to JWT verification for user authentication, but AppiCrypt verifies that the request was generated by a legitimate, non-compromised app.
For more information, click here. The detailed whitepaper is available here.
Additional controls
In BusinessRASP+, there are additional controls compared to freeRASP, including:
UI Overlay attack protection.
Accessibility service misuse protection.
Google Play Services or Huawei Services control.
Strings obfuscation and encryption, aka vaulting within RASP SDK (good for hiding API keys, endpoints, URLs).
VPN detection/prevention.
Dynamic TLS pinning
BusinessRASP+ includes Dynamic TLS Pinning SDK, which helps avoid the need to republish the app in case of certificate expiration or root certificate updates.
Self-care tools
Self-Care Tools for Remote SDK Configuration enable users to handle SDK configuration and management on their own, remotely. This functionality allows for seamless adjustments and updates, giving users greater control over their SDK settings.
New upcoming features
Stay tuned for the addition of new features, such as Remote Screen Control, Screen-cast detection, and Screen Mirroring detection.
In the mid-term plan, we will be introducing several new features to further enhance security:
App Enrollment for Mutual TLS SDK.
Voluntary Data Encryption/Decryption: Protect locally stored user data and app assets, such as ML models, with optional encryption and decryption.
Simple Application Layer E2E Encryption: Implement end-to-end encryption at the application layer to protect against Man-in-the-Middle (MiTM) attacks and unauthorized access by malicious administrators. This feature combats traffic data sniffing on the server side, especially behind a TLS API gateway or in server logs.
Advanced E2E Encryption and App Enrollment SDK + Google AppCheck: Strengthen your app's security with advanced end-to-end encryption, enhanced app enrollment SDK, and Google AppCheck, which binds secrets to the client app instance.
Automated App pentesting
Typically, our subscription package includes a free, one-time automated app scan or pentest. This service is useful for generic validation of OWASP compliance and for preparing your app for external pentesting.
Service Level Agreement
With the BusinessRASP+ subscription, you receive an SLA that covers support and maintenance updates.
For any questions, please refer to our discussion or schedule a call with us by choosing a time slot on Calendly.