The most frequent issues occurring during integration:
For more general issues or questions, visit the FAQ page. You can also check out the Issues section of our GitHub repository, where you can report issues and view existing reports.
freeRASP has the following prerequisites that must be met before starting.
freeRASP requires a minimum SDK level of 23. React Native projects, by default, support even lower levels of minimum SDK. This creates an inconsistency we must solve by updating the minimum SDK level of the application:
From the root of your project, go to `android > build.gradle`.
In `buildscript`, update `minSdkVersion` to at least 23 (Android 6.0) or higher.
freeRASP React Native plugin uses Pods. Navigate to the `ios` folder and run:
Install the plugin using your preferred package manager
Navigate to the `ios` folder and run:
To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Use the following template to configure the plugin. Detailed descriptions of the configuration options are provided on the API page.
In the entry point to your app, import freeRASP and add the code below.
For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through this manual to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.
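The following added example (not code from the freeRASP project) converts a colon-separated hex SHA-256 fingerprint, the form certificate tools usually print, into Base64 and checks a config object before it is handed to the plugin. It assumes each `certificateHashes` entry is the Base64 encoding of a 32-byte SHA-256 digest; `fingerprintToBase64`, `isValidCertificateHash` and `validateConfig` are hypothetical helper names.

```javascript
// Added example, not freeRASP code. Assumption: each certificateHashes entry is
// the Base64 encoding of a 32-byte SHA-256 digest of the signing certificate.

// Convert a hex fingerprint such as "AB:CD:..." into Base64.
function fingerprintToBase64(hexFingerprint) {
  const hex = hexFingerprint.replace(/[:\s]/g, '');
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('expected 32 bytes of hex (SHA-256 fingerprint)');
  }
  return Buffer.from(hex, 'hex').toString('base64');
}

// True only for canonical Base64 that decodes to exactly 32 bytes.
// A hex fingerprint pasted by mistake fails this check.
function isValidCertificateHash(value) {
  if (typeof value !== 'string') return false;
  const bytes = Buffer.from(value, 'base64');
  return bytes.length === 32 && bytes.toString('base64') === value;
}

// Collect problems in a TalsecConfig-shaped object before it reaches the plugin.
function validateConfig(config) {
  const problems = [];
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(config.watcherMail || '')) {
    problems.push('watcherMail must look like name@domain.com');
  }
  const android = config.androidConfig;
  if (android) {
    if (!android.packageName) problems.push('androidConfig.packageName is empty');
    const hashes = android.certificateHashes || [];
    if (hashes.length === 0) problems.push('androidConfig.certificateHashes is empty');
    hashes.forEach((hash, i) => {
      if (!isValidCertificateHash(hash)) {
        problems.push(`androidConfig.certificateHashes[${i}] is not a Base64 SHA-256 hash`);
      }
    });
  }
  return problems;
}

// Constructed sample built from the sample values in the API tables.
const sampleConfig = {
  androidConfig: {
    packageName: 'com.talsec.freerasp.demoapp',
    certificateHashes: ['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k='],
  },
  watcherMail: 'john@example.com',
  isProd: true,
};
console.log(validateConfig(sampleConfig)); // []
```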
freeRASP provides a React Custom Hook that handles all the required logic for you, such as registering freeRASP and mounting and unmounting listeners.
freeRASP executes periodic checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See Threat detection in the wiki to learn more details about the performed checks and their importance for app security.
Threat reactions should be specified inside a JavaScript object.
Start freeRASP to detect threats by calling the `useFreeRasp` hook below the created config and the callback handler:
Please note that the `useFreeRasp` hook should be called outside `useEffect`.
When freeRASP initializes correctly, you should see a `freeRASP initialized` message in the logs. Otherwise, you'll see a warning with a description of what went wrong.
You can override this default behaviour by extending the actions object with a `started` key (to change the action after successful initialization) and an `initializationError` key (to set up an action after unsuccessful initialization).
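One way to make sure every threat callback has a reaction, shown as an added example that is not part of the freeRASP plugin. The key names come from the callback list in the API description and from the `started` / `initializationError` keys above; `buildActions` and its `fallback` parameter are hypothetical.

```javascript
// Added example, not freeRASP code. Key names are taken from the callback list
// and the started / initializationError keys described on this page.
const THREAT_KEYS = [
  'privilegedAccess', 'debug', 'simulator', 'appIntegrity', 'unofficialStore',
  'hooks', 'deviceBinding', 'deviceID', 'passcode', 'secureHardwareNotAvailable',
  'obfuscationIssues', 'devMode', 'adbEnabled', 'systemVPN',
];
const LIFECYCLE_KEYS = ['started', 'initializationError'];

// Build an actions object in which every threat has a reaction.
// `handlers` holds the app's specific reactions; `fallback(threat)` (hypothetical)
// runs for every threat without one. A misspelled key throws instead of
// silently leaving that threat unhandled.
function buildActions(handlers, fallback) {
  const known = new Set([...THREAT_KEYS, ...LIFECYCLE_KEYS]);
  const unknown = Object.keys(handlers).filter((key) => !known.has(key));
  if (unknown.length > 0) {
    throw new Error(`unknown action keys: ${unknown.join(', ')}`);
  }
  const actions = {};
  for (const key of THREAT_KEYS) {
    actions[key] = handlers[key] || (() => fallback(key));
  }
  for (const key of LIFECYCLE_KEYS) {
    if (handlers[key]) actions[key] = handlers[key]; // otherwise keep the default logging
  }
  return actions;
}

// Constructed demo: record reactions in an array instead of touching the UI.
const seen = [];
const actions = buildActions(
  {
    privilegedAccess: () => seen.push('block:privilegedAccess'),
    hooks: () => seen.push('block:hooks'),
    started: () => seen.push('started'),
  },
  (threat) => seen.push(`log:${threat}`),
);
actions.hooks();
actions.systemVPN();
console.log(seen); // [ 'block:hooks', 'log:systemVPN' ]
```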
For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.
Import methods from the freeRASP plugin:
Override the `constructor()` method in the entry point to your app, set listeners for threats, and start freeRASP:
In this code snippet, `actions` is an object with your reactions to threats and `config` is a freeRASP configuration object from previous parts of the readme.
Override the `componentWillUnmount()` method, where you clean up the listeners:
The easiest way to obfuscate your app is via code minification, a technique that reduces the size of the compiled code by removing unnecessary characters and whitespace and by renaming variables and functions to shorter names. It can be configured for Android devices in `android/app/build.gradle` like:
Please note that some other modules in your app may rely on reflection; therefore, it may be necessary to add corresponding keep rules to the `proguard-rules.pro` file.
If there is a problem with the obfuscation, freeRASP will notify you about it via the `obfuscationIssues` callback.
Read more about why this is important in the wiki.
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.
It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.
Visit the freeMalwareDetection repository to learn more about this feature! For the integration, refer to the integration guide for the React Native platform.
freeRASP for React Native is a bare React Native plugin. When installing freeRASP into a project that uses Expo SDK, there may be extra configuration needed.
To integrate freeRASP into Expo projects, follow the instructions for React Native. After that, continue on this page.
We provide a plugin config that sets up the dependencies of freeRASP without the need to eject the Expo project. It is recommended to use the plugin config. However, manual setup is also possible.
Add the plugin config to your `app.json` and specify the `minSdkVersion` (use at least 23). Additionally, if you are using Expo 50, increase the version of R8 above 8.2 with the `R8Version` property (to support sealed classes on Android).
Increase `minSdkVersion`
This can be done in two ways:
update the `minSdkVersion` property directly in `android/build.gradle`, or
use the `expo-build-properties` plugin, which updates the property in the prebuild phase. Read more in the Expo docs.
Add maven dependency
open `android/build.gradle` (if you don't see the android folder, run `npx expo prebuild -p android` in terminal to create it)
add the following dependency under `allprojects > repositories`:
if not already configured, add also:
Description of the freeRASP API
TalsecConfig
Specifies configuration for your app. See the table below for a detailed description of the attributes.

field | type | description | sample value |
---|---|---|---|
androidConfig | AndroidConfig? | Configuration for Android apps | any AndroidConfig instance |
iosConfig | IOSConfig? | Configuration for iOS apps | any IOSConfig instance |
watcherMail | string | The value is automatically used as the target address for your security reports. Mail has a strict form `'name@domain.com'`. | `'john@example.com'` |
isProd | boolean? | Defaults to `true` when undefined. If you want to use the Dev version to make the development process easier, set the parameter to `false`. Make sure that you use the Release version in production (i.e. `isProd` set to `true`)! To simplify switching between debug and release version of freeRASP based on the build type, you can use `BuildConfig.BUILD_TYPE.contains("Release", true)` as a value for `isProd`. | `true` |

AndroidConfig
Specifies configuration for instances of the app running on Android devices. See the table below for a detailed description of the attributes.

field | type | description | sample value |
---|---|---|---|
packageName | string | Package name of the app. | `'com.talsec.freerasp.demoapp'` |
certificateHashes | string[] | Certificate hashes of your app. | `['mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k=']` |
supportedAlternativeStores | string[] | Package names of the alternative stores. If you publish on the Google Play Store and Huawei AppGallery, you do not need to list them, as these are already included internally (you can assign just `emptyArray()`). For more information, visit the Detecting Unofficial Installation wiki page. | `['com.sec.android.app.samsungapps']` |

IOSConfig
Specifies configuration for instances of the app running on iOS devices. See the table below for a detailed description of the attributes.

field | type | description | sample value |
---|---|---|---|
appBundleId | string | Apple Bundle ID for the app | `'com.talsec.freerasp.demoapp'` |
appTeamId | string | Apple Team ID used in the app | `'M8AK35...'` |

NativeEventEmitterActions
Specifies a set of callbacks that are used to notify the application when a certain security threat is detected.

threat | type | Android | iOS |
---|---|---|---|
privilegedAccess | `() => any` | | |
debug | `() => any` | | |
simulator | `() => any` | | |
appIntegrity | `() => any` | | |
unofficialStore | `() => any` | | |
hooks | `() => any` | | |
deviceBinding | `() => any` | | |
deviceID | `() => any` | | |
passcode | `() => any` | | |
secureHardwareNotAvailable | `() => any` | | |
obfuscationIssues | `() => any` | | |
devMode | `() => any` | | |
adbEnabled | `() => any` | | |
systemVPN | `() => any` | | |

`const useFreeRasp = (config: TalsecConfig, actions: NativeEventEmitterActions)`
React Custom Hook responsible for starting freeRASP and setting up listeners.
`const setThreatListeners = async (config: NativeEventEmitterActions): void`
Sets up listeners for detected threats.
`const talsecStart = async (options: TalsecConfig): Promise<string>`
Starts freeRASP's audit. Returns the `'freeRASP started'` string when successful.
`const removeThreatListeners = (): void`
Unregisters threat listeners. Should be called only when the app is being terminated.