Version 6.6.1 (August 2024)
Introduction
Welcome to Mobile Application Shielding 6.6.1!
The OneSpan Customer Portal only accepts connections via TLS 1.2 or later. Earlier versions are no longer supported because all versions of the TLS protocol prior to 1.2 have been deprecated.
This is a release of Mobile Application Shielding, which contains enhancements and other product updates. For more information about new features and fixed defects, refer to the respective chapters in this document.
On the OneSpan Customer Portal, the last 12 versions of Mobile Application Shielding are available for download. To maintain protection against the latest mobile threats, make sure to update Mobile Application Shielding to the latest version!
Supported platform versions
- App Shielding version 6.6.1 was successfully tested with Android 15.
- Android 5.0 (API level 21) – Android 15.
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.
The plugin and documentation can be downloaded from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
New features and other updates
New API: SecureEditText Field
App Shielding now offers a secure text input API to protect sensitive text input against key loggers. Whenever the user is asked to provide sensitive text input, App Shielding determines whether the keyboard is trusted.
For more information and details on how to integrate this new API, see SecureEditText Field API.
Fixes and other changes
False positive root detection
Description: App Shielding incorrectly detected a BlackBerry Motion device to be rooted, although in fact it was not rooted.
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Bypassing App Shielding protection in Cordova-based applications
Description: Because of the nature of pure JavaScript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all JavaScript files from a shielded application and build a new Cordova-based application with the extracted JavaScript files. That new application will behave identically to the original one but has two major differences:
- It is no longer protected with App Shielding.
- It is signed with a different developer certificate.
Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It is not possible to prevent someone from building a new application like this that looks and behaves similarly to the original application.
OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.
NFC payment failure in shielded apps with Thales Gemalto SDK
Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.
Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within the Thales Gemalto SDK.
It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
SecureEditText in-app keyboard
The SecureEditText in-app keyboard has focus problems on dialog windows on tablet devices.
Version 6.6.0 (July 2024)
Supported platform versions
- App Shielding version 6.6.0 was successfully tested with Android 15.
- Android 5.0 (API level 21) – Android 15.
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.
The plugin and documentation can be downloaded from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
New features and other updates
Support for Android 15 (and 16KB page sizes)
App Shielding now supports Android 15. If you want your protected app to run on Android 15, you must upgrade to this version of App Shielding. Beginning with version 15, Android supports devices that are configured to use a page size of 16 KB (i.e., 16 KB devices). App Shielding has been updated to work on these 16 KB devices. However, if your app uses any native libraries, you must ensure that these libraries are ready for 16 KB page sizes.
For more details, see https://developer.android.com/guide/practices/page-sizes.
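One way to check whether the native libraries packaged in an APK are ready for 16 KB page sizes, as an added example that is not part of App Shielding or the original release notes. It assumes readiness is judged by the ELF `PT_LOAD` segment alignment (a multiple of 16 KB) and that only the 64-bit ABI directories need checking; all function names and the sample APK are constructed for illustration.

```python
"""Added example: check native libraries in an APK for 16 KB page-size readiness."""
import io
import struct
import zipfile

PT_LOAD = 1
PAGE_16K = 16 * 1024
ABIS_64 = ("lib/arm64-v8a/", "lib/x86_64/")  # assumption: only 64-bit ABIs are checked


def load_alignments(elf: bytes) -> list:
    """Return p_align for every PT_LOAD program header of an ELF image."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little endian, 2 = big endian
    try:
        if is64:
            (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        else:
            (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        aligns = []
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            (p_type,) = struct.unpack_from(end + "I", elf, off)
            if p_type != PT_LOAD:
                continue
            # p_align is the last field of the program header in both ELF classes.
            fmt, pos = ("Q", 48) if is64 else ("I", 28)
            (p_align,) = struct.unpack_from(end + fmt, elf, off + pos)
            aligns.append(p_align)
    except struct.error as exc:
        raise ValueError("truncated ELF file") from exc
    return aligns


def is_16k_ready(aligns: list) -> bool:
    """True if there is at least one LOAD segment and all are aligned to 16 KB."""
    return bool(aligns) and all(a and a % PAGE_16K == 0 for a in aligns)


def scan_apk(apk) -> dict:
    """Map each 64-bit .so in the APK (path or file object) to its readiness."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith(ABIS_64) and name.endswith(".so"):
                report[name] = is_16k_ready(load_alignments(z.read(name)))
    return report


def sample_elf64(align: int) -> bytes:
    """Constructed input: ELF64 header followed by two PT_LOAD program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 183, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x1000, 0x1000, align)
    return ehdr + phdr + phdr


def sample_apk() -> bytes:
    """Constructed input: an APK-like zip with one ready and one 4 KB-aligned library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libready.so", sample_elf64(0x4000))
        z.writestr("lib/arm64-v8a/liblegacy.so", sample_elf64(0x1000))
        z.writestr("lib/armeabi-v7a/liblegacy.so", b"32-bit ABI, not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, ready in scan_apk(io.BytesIO(sample_apk())).items():
        print(f"{lib}: {'ready' if ready else 'NOT aligned to 16 KB'}")
```

Segment alignment is only one readiness condition; native code that hard-codes a 4 KB page size is not caught by this check.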
Security improvements
Improved detection for Frida, FjordPhantom, and native code hooking has been implemented in App Shielding.
Improved repackaging detection
Improved repackaging detection has been implemented in App Shielding (SHAND-4182).
Improved emulated input detection
Emulated input detection was improved to avoid false positives. For more information, see the entry for Check Emulated Input in the Configuration Options section of the Mobile Application Shielding Integration Guide. (SHAND-4298, SHAND-4256)
Improved emulator detection
Detection for the Redfinger Cloud Emulator has been implemented. (SHAND-4301)
Fixes and other changes
SHAND-4233: Forward Intent Data with ShieldSDK-activity-guard on Android 11 and newer
Description: When an application was compiled with the ShieldSDK-activity-guard package, and the application was launched with an Intent that contained additional Intent Data, the Intent Data might not have been forwarded to the application.
Status: This issue has now been fixed for Android 11 and later, though it might still cause issues on Android 10 and earlier.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Bypassing App Shielding protection in Cordova-based applications
Description: Because of the nature of pure JavaScript frameworks such as Cordova, the effectiveness of the push and pull bindings of App Shielding is affected. As a result, it might be possible to extract all JavaScript files from a shielded application and build a new Cordova-based application with the extracted JavaScript files. That new application will behave identically to the original one but has two major differences:
- It is no longer protected with App Shielding.
- It is signed with a different developer certificate.
Because this new application is signed with a different developer certificate, it is recognized by the stores or every device as a completely different and new application in comparison to the original shielded application. It is not possible to prevent someone from building a new application like this that looks and behaves similarly to the original application.
OneSpan risk assessment: Threat actors will need to make heavy use of targeted phishing attacks to convince users of the original application to install the rogue version. For attackers, however, it is much easier to use existing malware frameworks that mimic hundreds of login screens in one single piece of malware. In addition, the existence of any rogue versions of the application does not affect the security features of the original shielded application. Everyone who is using the genuine, shielded application is protected with all the features of App Shielding, including all security measures of the original application. Therefore, we consider this issue to be of low risk.
NFC payment failure in shielded apps with Thales Gemalto SDK
Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.
Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within the Thales Gemalto SDK.
It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
SecureEditText in-app keyboard
The SecureEditText in-app keyboard has focus problems on dialog windows on tablet devices.
Version 6.5.3 (June 2024)
Supported platform versions
- App Shielding version 6.5.3 was successfully tested with Android 14.
- Android 5.0 (API level 21) – Android 14 (API level 34).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.
The plugin and documentation can be downloaded from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 14.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
New features and other updates
OneSpan Mobile Portal
This section lists new features and updates that are available on the OneSpan Mobile Portal only.
New App Shielding runtime configuration: Exit on Emulator URL
If the configuration option exitOnEmulator is enabled, it is now possible to also set the exitOnEmulatorURL option. If a shielded app is launched on an Android emulator, App Shielding terminates the app and opens a browser with the configured URL to display a web page with an explanation. For additional information, see Exit URL Launching.
The exitOnEmulator option is enabled by default and cannot be disabled for release builds.
Fixes and other changes
RASP-3638: Application froze because method was called from main thread
Description: App Shielding caused the application to freeze because ShieldConfig.requestUpdate was called from the main thread instead of from a background thread.
Status: This issue has been fixed. The sample provided in the product package has been adapted accordingly.
Trusted accessibility service blocked
Description: If App Shielding is configured to block untrusted screen readers, which is the default setting, and a trusted accessibility service is enabled while the shielded application is running, the enabled accessibility service is blocked for the application even though it is trusted.
Status: This issue has been fixed. With this fix, enabled and trusted accessibility services are no longer blocked.
Rare unexpected termination on startup
Description: In some rare cases, App Shielding terminated unexpectedly when trying to lock a mutex (pthread_mutex_lock) while accessing the no.promon.shield.Binding.getStr string binding.
Researching this issue showed that this may have been caused by a shielded application that tries to load a string binding before App Shielding was completely loaded. Usually, the Shielding Tool ensures that App Shielding is loaded before executing any Java code that may want to use any string binding. However, the Shielding Tool is not able to trace all Java calls, for example if Java reflection is used.
The only way to fix such a situation is to ensure that a class that is loaded too early does not use any bindings. Since the Shielding Tool cannot detect all these cases automatically, you can tell the Shielding Tool about such a case by adding the following Shielding Tool rule to the Shielding Tool rules.cfg file:
~~~cfg
unbind com.example.MyClassThatIsLoadedTooEarly;
~~~
To help detect such a case, App Shielding calls abort() if a class tries to get a string binding before App Shielding has been loaded (that is, when trying to lock the mutex), instead of crashing the application or causing an ANR. The debug version of App Shielding adds an adb logcat message when such a class requests a push binding. In that case, you can see a logcat message like the following:
~~~log
We recommend to add 'unbind com.example.MyClassThatIsLoadedTooEarly;' to the rules.
~~~
SHAND-4140: Removed obsolete GET_TASKS permission from ShieldSDK-activity-guard
Description: To support Android versions before Lollipop (API 21, Android 5.0), ShieldSDK-activity-guard library declared android.permission.GET_TASKS in its manifest. This permission has been deprecated in Lollipop. Because App Shielding no longer supports any Android version before Lollipop and this permission caused a warning on Google Play, we have removed the permission from the ShieldSDK-activity-guard library and the sample provided in the product package.
SHD-4243: Unexpected terminations not reported to Crashlytics
Description: Certain unexpected terminations related to App Shielding features like KeyboardException and RootingException were not reported to Crashlytics due to a mismatch in the exception handler.
Status: This issue has been fixed. These Java stack traces from unexpected terminations will now be properly logged in Crashlytics.
SHAND-4245: Fix Shielding Tool limit for large applications
Description: On encoding a shielded application, the Shielding Tool had a limit of 42 classes.dex files. If the application had more classes.dex files, the Shielding Tool exited with the following message:
~~~log
The application is too large to support adding Application Class. This is going to throw a ClassNotFound error at launch. Consider removing unnecessary code from your application.
~~~
Researching this issue showed that the applications that threw the mentioned ClassNotFound error at launch had inconsistent classes in their classes.dex files.
Status: This issue has been fixed. The classes of the application were fixed and the Shielding Tool limit was removed. See also https://issuetracker.google.com/issues/37081229.
SHAND-4245: Fix false positive on adb detection
Description: If ADB detection is enabled, App Shielding may have reported on some devices that ADB is active even though it was actually not active.
Status: This issue has been fixed.
ADB detection can be enabled by toggling the corresponding switch in your project configuration on the portal.
SHAND-4267: Fix unexpected termination of the Shielding Tool on encoding an application
Description: For some applications, the Shielding Tool terminated unexpectedly when encoding the application after applying bindings and string scrambling.
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
NFC payment failure in shielded apps with Thales Gemalto SDK
Description: When using the shielded version of the app, NFC payments fail. This is caused by a compatibility issue with the Thales Gemalto TSH Pay SDK which also provides debugger detection. The SDK incorrectly flags the App Shielding debugger detection as a native debugger.
Solution: Allowlisting. For implementations integrating both the Thales Gemalto SDK and App Shielding, debuggers coming from the SDK's own debugging processes and sub-processes should be added to an allowlist within the Thales Gemalto SDK.
It is essential to not only add the processes to the allowlist but also their sub-processes. Otherwise, the SDK will still handle App Shielding as a native debugger!
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
New Android version with 16k page size
Google announced that Android is moving from a 4KB page size to a 16KB page size in Android 15. 16KB page hardware will also become available on the market in the future. The current version of App Shielding does not yet run on the new Android 15 images with a 16KB page size, but OneSpan is working on updating the App Shielding native libraries to no longer assume that the page size is 4K.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
SecureEditText in-app keyboard
The SecureEditText in-app keyboard has focus problems on dialog windows on tablet devices.
Version 6.5.2 (April 2024)
Supported platform versions
- App Shielding version 6.5.2 was successfully tested with Android 14.
- Android 5.0 (API level 21) – Android 14 (API level 34).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.
The plugin and documentation can be downloaded from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 14.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
Fixes and other changes
SHAND-4015: Shielding Tool keeps ProGuard mapping numbers
Description: When protecting the app, the Shielding Tool calculates a new ProGuard mapping file which contains both the obfuscation from ProGuard/R8 and the obfuscation from the Shielding Tool. The input ProGuard/R8 mapping file might include line number information about methods that have been inlined by ProGuard/R8. Previously, the Shielding Tool removed any information about such inline methods and their line numbers.
Status: This issue has been fixed. The Shielding Tool now keeps that information in the output mapping.
SHAND-4182: Improved repackaging detection
Description: App Shielding now has an improved repackaging detection.
SHAND-4186: Shielded app showed blank screen
Description: In specific scenarios, a shielded app showed a blank screen. This was caused by the App Shielding runtime performance improvements implemented in versions 6.5.0 and 6.5.1. These improvements moved some screenshot blocking to a background thread. However, some Android versions require some of the work to be done on the UI thread.
Status: This issue has been fixed.
The default configuration in App Shielding is to block screenshots.
SHAND-4192: Shielded app did not block untrusted screen reader application
Description: In specific scenarios, a shielded app did not block an untrusted screen reader application. This was caused by the App Shielding runtime performance improvements implemented in version 6.5.1. These improvements moved some screen reader protection to a background thread. However, some Android versions require some of the work to be done on the UI thread.
Status: This issue has been fixed.
The default configuration in App Shielding is to block untrusted screen readers.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
New Android version with 16k page size
Google announced that Android is moving from a 4KB page size to a 16KB page size in Android 15. 16KB page hardware will also become available on the market in the future. The current version of App Shielding does not yet run on the new Android 15 images with a 16KB page size, but OneSpan is working on updating the App Shielding native libraries to no longer assume that the page size is 4K.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Version 6.5.1 (March 2024)
Supported platform versions
- App Shielding version 6.5.1 was successfully tested with Android 14 beta 5.
- Android 5.0 (API level 21) – Android 14 (API level 34).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
The App Shielding Gradle plugin 2.0 supports Android App Bundles and newer Android build versions.
The plugin and documentation can be downloaded from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 14.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
Fixes and other changes
SHAND-4073: R8 optimization with ShieldSDK-secure-local-storage
Description: R8 that is provided with AGP 8.x adds a stronger minimization step that causes an unexpected runtime termination with applications that use ShieldSDK-secure-local-storage.
Status: This has been fixed in the ShieldSDK-secure-local-storage package.
SHAND-4085: Performance improvements
Description: Improved performance by optimizing code that handles security checks when the app receives or changes focus.
SHAND-4106: Unexpected termination on Huawei and Honor devices
Description: App Shielding 6.5.0 introduced a new detector for KernelSU and Magisk Hide. That detector caused an unexpected termination on a few Huawei and Honor devices. The new detector is now temporarily disabled until we have a proper fix in place. One consequence is that KernelSU and Magisk Hide detection are less strong.
SHAND-4113: Issue when signing an Android app bundle with the Shielding Tool
Description: When shielding an app bundle together with the Shielding Tool signing options (--keystore my-keystore.jks ...) and using the option --digestalg to select a digest algorithm, the Shielding Tool translated the digest algorithm name to a different name, which was then rejected by the Google Play Store when trying to publish the app bundle. For example, when using the command-line argument --digestalg SHA-256, the Shielding Tool translated that to the name "SHA256". While that is a valid name for jarsigner, the Google Play Store accepts only names with a dash, e.g., "SHA-256".
Status: This issue has been fixed. Now the Shielding Tool uses the name with a dash.
If you used the Shielding Tool to sign the app bundle, but did not specify the --digestalg option, the Shielding Tool uses the current default digest algorithm, which is SHA-256 or SHA-384, depending on the Java runtime.
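A pre-upload check for the naming difference described above, as an added example that is not part of the Shielding Tool or the original release notes: it lists SHA-2 digest names written without a dash in the signing metadata of a signed archive. It assumes the name shows up in the `<alg>-Digest` attributes of META-INF/MANIFEST.MF and META-INF/*.SF, as in the JAR signing format; the function names and the sample archive are constructed for illustration.

```python
"""Added example: find undashed SHA-2 digest names in a signed bundle's META-INF files."""
import io
import re
import zipfile

# "<alg>-Digest", "<alg>-Digest-Manifest" and "<alg>-Digest-Manifest-Main-Attributes"
# attribute names at the start of a line. Continuation lines begin with a space
# and therefore never match.
DIGEST_ATTR = re.compile(
    rb"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
UNDASHED_SHA2 = re.compile(r"^SHA(224|256|384|512)$", re.I)


def is_signature_file(name: str) -> bool:
    """True for the manifest and the signature (.SF) files under META-INF/."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith(".SF"))


def undashed_digest_names(archive) -> list:
    """Return sorted (file, name found, dashed name) tuples for undashed SHA-2 names."""
    findings = set()
    with zipfile.ZipFile(archive) as z:
        for name in filter(is_signature_file, z.namelist()):
            for alg in DIGEST_ATTR.findall(z.read(name)):
                m = UNDASHED_SHA2.match(alg.decode("ascii"))
                if m:
                    findings.add((name, m.group(0), "SHA-" + m.group(1)))
    return sorted(findings)


def sample_bundle(alg: str) -> bytes:
    """Constructed input: a minimal archive whose META-INF files use `alg` as the name."""
    digest = "Q09OU1RSVUNURUQ="  # placeholder value, not a real digest
    entry = f"Name: base/dex/classes.dex\r\n{alg}-Digest: {digest}\r\n\r\n"
    manifest = "Manifest-Version: 1.0\r\n\r\n" + entry
    sig = f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: {digest}\r\n\r\n" + entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SAMPLE.SF", sig)
        z.writestr("base/dex/classes.dex", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA256", "SHA-256"):
        hits = undashed_digest_names(io.BytesIO(sample_bundle(alg)))
        print(alg, "->", hits or "no undashed digest names")
```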
SHAND-4146: Issue with ClassNotFoundException runtime exception on loading a layout resource file
Description: If an app uses a layout resource file that uses an app:layoutManager attribute with a "@string/..." value, the Shielding Tool wrote the layout resource file with a wrong value in the shielded app. That caused the app to look up a class with a wrong name, and thus it exited with java.lang.ClassNotFoundException.
Status: This issue has been fixed.
~~~xml
<androidx.recyclerview.widget.RecyclerView
    android:id="@+id/example"
    app:layoutManager="@string/my_layout"... />
~~~
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Magisk and root hider tools on new Android versions
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
New Android version with 16k page size
Google announced that Android is moving from a 4KB page size to a 16KB page size in Android 15. 16KB page hardware will also become available on the market in the future. The current version of App Shielding does not yet run on the new Android 15 images with a 16KB page size, but OneSpan is working on updating the App Shielding native libraries to no longer assume that the page size is 4K.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Version 6.5.0 (March 2024)
Supported platform versions
- App Shielding version 6.5.0 was successfully tested with Android 14.
- Android 5.0 (API level 21) – Android 14 (API level 34).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- The App Shielding Gradle plugin version 2.0 and later is supported.
This plugin supports Android App Bundles and newer Android build versions.
You can download the plugin and documentation from:
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 14.
As of March 1, 2024, App Shielding for Android versions 4.3.11.78273 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal at https://cp.onespan.com/.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) is no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that the Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as an LTS version.
Deprecated APIs
The API for the deprecated ForegroundOverrideData feature has been removed and is no longer supported.
Deprecated methods
The CallbackManager.setExtendedObserver(observer) and CallbackManager.removeObserver() methods have been deprecated and will be removed in one of the upcoming versions of App Shielding. Instead of these, use:
- CallbackManager.addObserver(observer)
- CallbackManager.removeObserver(observer)
New features and other updates
Automatic detection of FjordPhantom anti-malware
The Shielding Tool now detects the FjordPhantom malware automatically, and the specific plugin has been removed from App Shielding.
For App Shielding 6.0.2, a dedicated FjordPhantom anti-malware plugin was provided. When shielding the app, a Shielding Tool command-line option was needed to apply this plugin during shielding. No further configuration was necessary.
As of App Shielding 6.5.0, the dedicated plugin is no longer required as this check is now offered by default as part of the product. FjordPhantom will be detected either by the Hooking Framework detection or the Virtual Space App detection, and App Shielding uses callback and/or exit-on mechanisms that come with these checks. No further FjordPhantom-specific configuration options are needed.
New configuration options
Two new configuration options have been added:
- Trusted Virtual Space App Signatures
  If you enable this option, you can add the signing certificate of a trusted virtual space app to an allowlist. With this, App Shielding accepts all virtual space apps signed with this certificate.
- Additional Trusted Installer Signatures
  If you enable this option, you can add the signing certificate of a trusted app store to an allowlist when the Check untrusted installer option is enabled.
For more information, see Configuration of App Shielding for Android apps.
No longer distrust system keyboards on rooted devices
App Shielding used to distrust system keyboards on rooted devices. This made it more complicated for applications that did not care about running on rooted devices but did care about keyboards. That is, with an App Shielding configuration that did not exit on detecting a rooted device but exited if an untrusted keyboard was used, you had to add the application signatures for all keyboards that were pre-installed by mobile vendors because App Shielding did not trust them anymore.
In the past, your App Shielding configuration may have included the following:
Exit on rooting: OFF
Exit on untrusted keyboard: ON
Additional trusted keyboard signatures: signatures added
However, distrusting system keyboards on rooted devices does not add much extra security. From now on, you no longer have to add the signatures of pre-installed keyboards.
If you want to protect the app against being run on rooted devices, you can apply the following configuration settings:
Exit on rooting: ON
Exit on untrusted keyboard: ON
Third-party code: LibreSSL upgraded
The third-party library LibreSSL has been upgraded to version 3.8.1.
Fixes and other updates
Improved Shielding Tool class name obfuscation
The class name obfuscation of the Shielding Tool has been improved.
Fixed App Shielding runtime file descriptor leak
A leak of the App Shielding runtime file descriptor has been fixed.
Documentation fixes: details for callback methods missing
Description: The methods for the VIRTUAL_SPACE_APP and EmulatedInputData callbacks were missing from the list of callback data classes.
Status: The documentation has been updated. The methods have been added to the Callback data classes table in the Mobile Application Shielding Integration Guide for Android.
Documentation fixes: incorrect dependencies for configuration options
Description: The Mobile Application Shielding Integration Guide for Android listed incorrect dependencies for the following configuration options:
- Exit on untrusted installer
- Allow work profile and device vendor virtual spaces
- Exit when developer options enabled URL
Status: The documentation has been updated. The correct dependencies are now listed in the Configuration options table of the Mobile Application Shielding Integration Guide for Android.
Documentation fixes: unused error message removed
Description: Error code 18, Screen Mirroring in Use, had been listed incorrectly in the Mobile Application Shielding Integration Guide for Android.
Status: The documentation has been updated. The error code has been removed.
SHAND-3165: Fixed Shielding Tool warnings about configuration options
Description: The Shielding Tool prints a dependency warning if App Shielding contains a configuration that depends on a second configuration which is disabled. Previously, the Shielding Tool printed such a warning in some cases even if the configuration was not explicitly set in the App Shielding configuration.
Status: This issue has been fixed. Now the Shielding Tool warnings are reliably correct again.
SHAND-3426: Improved App Shielding runtime Java debugger detection
The debugger detection for App Shielding runtime Java has been improved. App Shielding now checks more frequently for an attached Java debugger.
SHAND-3666: Improved hiding of App Shielding
Description: Previously, each version of App Shielding had a fixed random native library name (e.g., libneanmmkiaomc.so). Often, this random name allowed easy identification of App Shielding.
Status: This issue has been fixed. Instead of using such a random name, the Shielding Tool now takes the application's package name and uses that as inspiration for a library name that looks unsuspicious. Thus, the App Shielding library name will now look like it is related to the public, visible package name.
SHAND-3720: Fixed Java class name obfuscation
Description: An issue with the Java class name obfuscation was fixed. The Shielding Tool previously failed to obfuscate all classes if you enabled full Java class name obfuscation.
Status: This issue has been fixed. All Java class names can now be obfuscated via the following line in a rules.cfg file:
~~~cfg
include "builtin:obfuscate-on.cfg";
~~~
SHAND-3730: Fixed unexpected termination with UnsupportedOperationException
Description: An unexpected termination with the UnsupportedOperationException was fixed. This occurred when the Shielding Tool tried to detect the set of supported native library architectures for the input application.
SHAND-3766 and SHAND-3895: App Shielding runtime performance
Description: The startup performance has been improved. App Shielding moved the execution of slow security checks from the initial startup to a background thread and optimized the remaining code. The protected application will now start a bit faster than with previous versions of App Shielding.
SHAND-3784: Fixed issue with internal error reporting
Description: An issue with the internal error reporting caused App Shielding to sometimes report an internal error as a HookingFrameworkException instead of an InternalErrorException.
Status: This issue has been fixed.
SHAND-3800: Fixed unexpected termination when starting a shielded app
Description: When a shielded app was started on a Lenovo TB-X104F device running Android, the app terminated unexpectedly. This occurred when the Advanced debug guard configuration option was enabled. This configuration option increases the security of the shielded app.
Status: This issue has been fixed.
SHAND-3824: Fixed the handling of mapping files inside an app bundle
Description: An issue with handling mapping files inside an app bundle was fixed. The Shielding Tool adds/updates the mapping file inside an app bundle with the Java name obfuscation that was added by the Shielding Tool.
Improved detection mechanisms
Description: A number of detection mechanisms have been improved. These improvements are:
- Improved rooting detection. The detection of devices rooted with rooting toolkits like Magisk manager, Magisk Hide, KernelSU, and Zygisk has been improved.
- Improved hooking framework detection. The detection of the following hooking frameworks has been improved:
  - LSPosed
  - MultiApp
  - Riru
  - XPosed
- Improved native code hook detection.
  App Shielding has improved its detection of hooking frameworks that inject hooks into the application's native libraries. As part of the native code hook detection, App Shielding can be configured to verify the native libraries of your app. For example, your rules.cfg file can use the following line:
  ~~~cfg
  verify "lib/arm64-v8a/libmy-native.so";
  ~~~
  The App Shielding native library is always verified. Other native libraries of the application need to be added explicitly. In some situations, App Shielding encountered a race condition when the application loaded several native libraries from different threads. This could have caused a false positive. Now, the race condition is properly handled.
- SHAND-3804 and SHAND-3937: Improved emulator detection. The detection of the mogume cloud emulator and BlueStacks emulator has been improved.
- SHAND-3973: Improved ADB status detection. App Shielding now detects if Android Developer Bridge (ADB) has been enabled with tools like the WADB - Wireless ADB enabler. This tool can enable ADB without changing the Android system settings. For more information, refer to the Play Store page on WADB.
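Because only the App Shielding library is verified by default, a build step can check that every native library packaged in the APK has a verify rule. The following is an added example, not OneSpan code: it assumes rules.cfg uses exactly the `verify "path";` form shown above, and the function names, the sample APK contents (including `libcrypto-helper.so`) and the sample rules text are constructed for illustration.

```python
import io
import re
import zipfile

# Matches the rule form shown in these notes: verify "lib/<abi>/<name>.so";
# Only lines that start with the keyword are counted (assumption about the grammar).
VERIFY_RULE = re.compile(r'^\s*verify\s+"([^"]+)"\s*;', re.MULTILINE)


def native_libs(apk_bytes):
    """Return the sorted paths of all native libraries packaged in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(
            name for name in apk.namelist()
            if name.startswith("lib/") and name.endswith(".so")
        )


def verified_paths(rules_text):
    """Return the set of library paths named by verify rules in rules.cfg text."""
    return set(VERIFY_RULE.findall(rules_text))


def coverage(apk_bytes, rules_text):
    """Compare packaged libraries with the verify rules.

    Returns (missing, stale):
      missing - libraries in the APK that no verify rule names
      stale   - verify rules naming a path that is not in the APK
                (a typo, or an ABI that is no longer built)
    """
    libs = native_libs(apk_bytes)
    rules = verified_paths(rules_text)
    missing = [path for path in libs if path not in rules]
    stale = sorted(rules - set(libs))
    return missing, stale


def rules_for(paths):
    """Render one verify rule per library path, ready to paste into rules.cfg."""
    return "\n".join(f'verify "{path}";' for path in paths)


def build_sample_apk():
    """Build a small constructed APK in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name in (
            "AndroidManifest.xml",
            "classes.dex",
            "lib/arm64-v8a/libmy-native.so",
            "lib/arm64-v8a/libcrypto-helper.so",   # hypothetical second library
            "lib/armeabi-v7a/libmy-native.so",
        ):
            apk.writestr(name, b"constructed sample data")
    return buf.getvalue()


# Constructed rules.cfg: one library covered, one rule for an ABI not in the APK.
SAMPLE_RULES = '''
include "builtin:obfuscate-on.cfg";
verify "lib/arm64-v8a/libmy-native.so";
verify "lib/x86_64/libmy-native.so";
'''

if __name__ == "__main__":
    missing, stale = coverage(build_sample_apk(), SAMPLE_RULES)
    print("Libraries without a verify rule:")
    print(rules_for(missing))
    print("Rules that match no packaged library:", stale)
```

Run against the unshielded APK, a non-empty `missing` list is a reasonable condition for failing the build, since those libraries would otherwise be left out of native code hook verification.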
SHAND-3865: Fixed parsing applications that used non-ASCII characters
Description: An issue occurred with parsing applications that used non-ASCII characters in field names. This affected application code that referenced an obfuscated field name in an annotation value, where the field name was obfuscated with non-ASCII characters.
Status: This issue has been fixed.
SHAND-3901 and SHAND-3938: Fixed false positive on emulated input detection
Description: When the Block emulated input option was enabled, App Shielding incorrectly blocked input that was actually not emulated.
Status: This issue has been fixed.
Improved navigation obfuscation
Several navigation obfuscation mechanisms have been improved:
- Obfuscation of navigation actions: If a navigation component uses an action element with an app:argType, and the class name of that app:argType is obfuscated, the Shielding Tool now correctly updates the resource file with the obfuscated class names. Without this fix, the application would crash when trying to use the action.
  ~~~xml
  <navigation ...>
      <fragment ....>
          <action
              android:name="exampleData"
              app:argType="com.example.DataType" />
      </fragment>
  </navigation>
  ~~~
  For more information, refer to Use Navigation actions and Fragments in the Android Developer documentation.
- SHAND-3899: Obfuscation of navigation dialogs: If a navigation component uses a dialog element and the class name of that dialog is obfuscated, the Shielding Tool now correctly updates the resource file with the obfuscated class names. Without this fix, the application would crash when trying to load the dialog.
  ~~~xml
  <navigation ...>
      ...
      <dialog
          android:id="@+id/myDialog"
          android:name="com.example.MyDialog"
          android:label="MyDialog" />
  </navigation>
  ~~~
  For more information, refer to Dialog destinations in the Android Developer documentation.
SHAND-3922: Support Shielding Tool rules with volatile and transient flags
Shielding Tool rules can now use the flags volatile and transient when selecting methods.
To obfuscate all volatile methods, your rules.cfg file can use the following:
~~~cfg
match class * { obfuscate volatile *; }
~~~
SHAND-3923: Fixed race condition on excluding activities from screenshot protection
Description: App Shielding can be configured to block all screenshots and given rules that allow screenshots on selected activities. You can block screenshots by enabling the Block Screenshots option on the App Shielding Configuration page in the OneSpan Customer Portal.
In the Shielding Tool rules.cfg file, you can override this setting by allowing screenshots for one or more individual activities.
~~~cfg
allowScreenshotsForActivity com.example.MyScreenShotEnabledActivity;
~~~
In some cases, when the application switched from an activity for which screenshots were blocked to an activity for which screenshots were explicitly allowed, App Shielding did not unblock the screenshots due to a race condition.
Status: This issue has been fixed.
SHAND-3975 and SHAND-3982: Fixed unexpected terminations of the Shielding Tool
Description: The Shielding Tool failed to protect some applications due to unexpected Java byte code. Also, the Shielding Tool terminated unexpectedly with ConcurrentModificationException.
Status: These issues have been fixed.
SHAND-3985: Fixed Shielding Tool rules that used annotations
Description: For rules that used annotations, the Shielding Tool did not match the annotations correctly.
Status: This issue has been fixed.
If you do not want to obfuscate any members that are annotated with the gson @SerializedName annotation, your rules.cfg file can now use the following without any issues:
~~~cfg
match class * {
    preserve @com.google.gson.annotations.SerializedName <members>;
}
~~~
SHAND-3993: Extended the ShieldSDK callbacks for untrusted installer apps
Description: App Shielding now reports all found untrusted installer apps in the ShieldSDK callbacks.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Magisk and root hider tools on new Android
Root hider tools such as Magisk Hide are designed to hide the fact that the device is compromised (rooted). Android has been increasingly restricted in what can be inspected and observed of the system from inside an app. This means that a rooted system with a root hider tool can be hard to detect due to missing privileges.
On Android 8+, App Shielding may not be able to reliably detect a rooted device with Magisk Hide, depending on the version of these tools.
New Android version with 16k page size
Google announced that Android is moving from a 4KB page size to a 16KB page size in Android 15. 16KB page hardware will be available in the market in the future, as well. The current version of App Shielding does not yet run on the new Android 15 images with a 16KB page size, but OneSpan is working on updating the App Shielding native libraries to no longer assume that the page size is 4K.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Version 6.0.2-PATCH (December 2023)
Supported platform versions
- App Shielding version 6.0.2-PATCH was successfully tested with Android 14.
- Android 5.0 (API level 21) – Android 14.
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Android platform updates
The Android minimum supported version is 5.0 (API level 21). This version of App Shielding supports Android 15.
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
New anti-malware plugin
A new anti-malware plugin has been included in Mobile Application Shielding to target a new Android malware, FjordPhantom. App Shielding now allows effective detection of FjordPhantom.
This anti-malware plugin works independently. If the plugin detects FjordPhantom, it will cause the application to crash and eventually exit. Mobile Application Shielding does not provide an exit code, but causes an obscure crash, indicating an error about library loading. If you have other Exit features in place, the provided exit code will depend on those exit features.
About FjordPhantom
Since September 2023, FjordPhantom has been targeting mobile banking applications in Southeast Asia, Singapore, and Malaysia. It operates differently compared to earlier Android malware. While the most prevalent Android malware abuses the Android accessibility feature to conduct overlay attacks and harvest sensitive information, FjordPhantom uses a novel technique based on virtualization. It combines multiple open source tools including an Android virtualization framework and a hooking framework to perform its attacks. Virtualization apps such as Parallel Spaces and DualSpaces allow multiple installs of the same application on a single mobile device, each in its own virtual container.
In the case of FjordPhantom, the complete target app's APK is embedded inside the malware. After downloading, installing, and launching the malware, the user will see the same as if they were running the target app itself. The Android OS, however, will not be aware that the embedded target app is running since only the wrapping malware is running. Through virtualization, the malware has placed itself between the Android OS and the embedded target app, and both are running inside the same process on the Android OS. This effectively removes any protection offered by the strong sandboxing between two apps running on Android.
FjordPhantom malware does not attack other applications that are running on the user's device but only attacks the victim app that has been embedded. This makes the FjordPhantom malware less scalable, but more powerful.
Since the malware, together with its embedded target app, is seen as a new application by the Android OS, installation of the malware will not affect any existing installations of the target app on the device. Nor will the malware be able to access data (such as cryptographic keys or credentials) owned by the existing installation.
The following are the advanced capabilities of FjordPhantom and its variants:
- Inject code through code hooking in the embedded target app on non-rooted devices
  Benign virtualization apps rely heavily on code hooking to allow their hosted apps to work correctly. This code hooking is extended by FjordPhantom to offer various advanced attack capabilities:
  - Evade detection: By hooking selected calls to the Android OS that are necessary to obtain information about whether a device is rooted etc. and returning bogus information, the malware evades detection by the embedded app.
  - Hide information from the user: FjordPhantom also contains code hooks that close dialog boxes with security warnings to the user before the user can see them on the screen.
- Full access to all data stored by the embedded target app
  The malware has full access to all data stored by the embedded target app because it runs on a virtual file system under full control of the malware.
- Evade repacking detection
  Traditional malware that uses repackaging decompiles a target app, inserts additional code, and rebuilds the app into a new, malicious version of itself. However, many security-sensitive apps are tailored to detect this type of repackaging. With FjordPhantom, however, the detection fails because the original target app is not modified in any way.
The new App Shielding plugin can be enabled or disabled via the OneSpan Customer Portal at https://cp.onespan.com. By default, it is disabled.
New configuration options
You can configure Mobile Application Shielding to shut down the app when it detects emulated input or detects that the app has been launched via a virtual space application. The corresponding error codes are:
- 1d: Application is launched via Virtual space application
- 1f: Emulated input is detected.
For a list of all error codes, refer to the Mobile Application Shielding Integration Guide for Android, App Shielding Error Reporting - Android.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 6.0.2 (November 2023)
Supported platform versions
- App Shielding version 6.0.2 was successfully tested with Android 14.
- Android 5.0 (API level 21) – Android 14.
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Android platform updates
The Android minimum supported version is Lollipop-5.0 (API level 21).
This version of App Shielding supports Android 14.
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
Multiple trusted displays
It is now possible to have multiple trusted displays. Several display names can be entered in the Additional Display Name field on the Configuration page of the OneSpan Customer Portal.
New configuration options
App Shielding now offers the following new options on the Configuration page of the OneSpan Customer Portal:
Exit on app in virtual space
Determines whether to exit the app when the application is launched via a virtual space app.
Exit on app in virtual space URL
Depends on: Exit on app in virtual space
Allow work profile and device vendor virtual spaces
Allow virtual spaces and work profiles or managed devices provided by device vendors such as Google Workspace, Samsung Secure Folder, Xiaomi Dual Apps, Microsoft Workspace, etc.
Fixes and other changes
Deprecated features
Foreground override detection
The foreground override detection feature has been removed and is no longer supported. The related ShieldSDK-callback class ForegroundOverrideData may be removed any time.
setExtendedObserver, removeObserver methods
In module ShieldSDK-callbacks, package no.promon.shield.callbacks: In class "CallbackManager" the following methods have been deprecated:
- static void setExtendedObserver(Context, ExtendedObserver)
- static void removeObserver()
Instead of these, use the new methods:
- static void addObserver(Context, ExtendedObserver)
  This allows you to add more than one callback observer.
- static void removeObserver(ExtendedObserver)
  To remove an observer instance, you need to pass the observer instance that you want to remove as an argument.
Fixes
SHAND-1665: Fix information about more than one detected untrusted screenreader
Description: In module ShieldSDK-callbacks, package no.promon.shield.callbacks: If App Shielding is configured to check for trusted screenreaders, <checkTrustedScreenreaders v="true" />, the callback data ScreenreaderData now contains information about all detected active, untrusted screenreaders. Previously, the callback data reported only one of the detected active, untrusted screenreaders.
SHAND-3730: Fix unexpected termination in the Shielding Tool on detecting the supported architectures
Description: In some rare cases the Shielding Tool terminated unexpectedly with an UnsupportedOperationException when it tried to detect the set of supported native library architectures for the input application.
Status: This issue has been fixed.
SHAND-3784: Fix internal error reporting
Description: An internal error in App Shielding was sometimes reported as a HookingFrameworkException instead of an InternalErrorException.
Status: This issue has been fixed.
SHAND-3800: Fix unexpected termination on starting a shielded app on Lenovo TB-X104F, Android 8.1.0
Description: If the App Shielding configuration option advancedDebugGuard is enabled, the shielded app terminated unexpectedly on a Lenovo TB-X104F device.
Status: This issue has been fixed. The advancedDebugGuard configuration option increases the security of the shielded app.
SHAND-3909: Fix triggering of Exit on Hooking Frameworks URL
Description: Even if Shutdown Immediately is off, Exit On Hooking Frameworks URL was not triggered.
Status: This issue has been fixed.
SHAND-4017: False-positive root detection—MagiskDetector
Description: False-positive root detection was caused by the fact that the package name of this application starts with the magisk manager delta’s package name.
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 6.0.1 (September 2023)
Supported platform versions
- App Shielding version 6.0.1 was successfully tested with Android 14 beta 5.
- Android 5.0 (API level 21) – Android 14 beta 5 (API level 34).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Android platform updates
The Android minimum supported version is Lollipop-5.0 (API level 21).
This version of App Shielding supports Android 14 beta 5 (API level 34).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Deprecations
Platform minimum supported versions
Android 4.4 (API levels 19 and 20) are no longer supported by App Shielding. The new minimum supported version is Android Lollipop 5.0 (API level 21).
Android Native Development Kit (NDK)
Google has announced that Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding switches to NDK r26 after its release as LTS version.
New features and other updates
Support for Amazon App Store publishing
[Introduced in version 5.5.0]
Amazon App Store modifies your application's files. For all applications, Amazon App Store injects some code and files into the application. This modification triggers the default repackaging checks of App Shielding.
Now the Shielding Tool provides a collection of Shielding Tool rules to skip the integrity check of the files that are known to be modified by Amazon App Store. To use these rules, add the following include statement to your Shielding Tool rules:
my-rules.cfg:
~~~cfg
include "builtin:amazon-app-store-support.cfg";
~~~
These rules should only be used if you intend to publish your application through the Amazon App Store.
For more information, refer to the Mobile Application Shielding Integration Guide.
Improved detection of Virtual Space Apps
Virtual app space detection can be enabled with the App Shielding check app in virtual space option.
If that option is enabled, App Shielding detects if the application was launched as a copy inside applications such as Parallel Space, Dual Space, or similar. App Shielding can also detect virtual app spaces and work profiles or managed devices provided by device vendors such as Google Workspace, Samsung Secure Folder, Xiaomi Dual Apps, Microsoft Workspace, etc. By default these are not reported as "virtual app spaces", but you can use the allow work profile and device vendor virtual spaces App Shielding configuration setting to report those as well as "virtual app space".
Option to exclude an activity from screenshot protection
[Introduced in version 5.4.0]
If App Shielding is configured with blockScreenshots to block screenshots from being taken of the app, then the Shielding Tool rule allowScreenshotsForActivity can be used to exclude an activity class from this block. That is, adding the following Shielding Tool rule tells App Shielding to allow screenshots if the specified activity is visible, even if blockScreenshots is enabled.
Improved detection of hooking frameworks, hiders, native code hooks
App Shielding has improved the detection of hooking frameworks, root hider applications, and native code hooks. Thus, App Shielding detects most versions of:
- Frida/Frida stalker
- LSPosed
- Magisk Delta
- Magisk Manager
Improved emulator detection: detect VMOS Emulators
[Introduced in version 5.4.0]
VMOS is an Android application, which can create emulators on an Android device. VMOS provides the possibility to create highly configurable emulator images. Some of these images may be rooted, some may have Xposed installed. VMOS Emulator detection is part of the check Emulator and exit On Emulator App Shielding settings.
Detect new input sources as emulated input
Non-physical inputs (motion/keyboard events) are characterized as emulated input. Emulated input might originate from ADB, auto-click applications, screen-mirroring applications, screenreader applications, etc. The emulated input detection can be enabled with the check emulated input App Shielding configuration option.
The improved algorithm now detects more emulated input sources, for example, Vysor and Anydesk are now detected.
New configuration options
Allow Work Profile And Device Vendor Virtual Spaces
See Improved detection of Virtual Space Apps.
Check Untrusted Installer Mode
Configures the mode for the untrusted installer check (see the description of checkUntrustedInstaller in the Mobile Application Shielding Integration Guide). The option can be set to one of the following values:
- "all": Check all the apps that are installed on the device. This is the default value.
- "sideloaded-apps-only": Check only the apps that are sideloaded, that is, installed via adb.
Fixes and other changes
Fixed performance regression
Description: A performance regression was fixed where a shielded application unnecessarily spent too much time for some of its security checks.
Deprecated --profile Shielding Tool command line option
Description: The Shielding Tool command line option --profile [release, debug] is deprecated. Now, the Shielding Tool uses release by default. Use --debug instead of --profile debug.
Removed --obfuscate on Shielding Tool command line option
Description: The deprecated Shielding Tool command line option --obfuscate [on, default] has been removed. Instead, use the Shielding Tool rules configurations. The removed option --obfuscate on has the same effect as the following rule in your Shielding Tool rules configuration:
my-rules.cfg:
~~~cfg
include "builtin:obfuscate-on.cfg";
~~~
Only add x86/x86_64 support if explicitly specified
App Shielding supports the four architectures arm64-v8a, armeabi-v7a, x86_64, and x86.
If an application has native libraries, the Shielding Tool will add the App Shielding library for all architectures that are supported by the application.
Previously, Shielding Tool added App Shielding for all four architectures when the application had no native libraries. This has been changed to only add the arm64-v8a and armeabi-v7a architectures. With this, the shielded app will be smaller: the x86_64 and x86 App Shielding libraries add a size of ~5 MB to the application.
SHAND-3502: Fix mapping.txt for Crashlytics
Description: Crashlytics needs a mapping.txt that contains entries for both obfuscated and not obfuscated classes and members. Previously, the Shielding Tool wrote only the classes and members that were obfuscated.
Status: This issue has been fixed. Now, the Shielding Tool also writes the names that are not obfuscated.
SHAND-3509: Fix callback data of UntrustedSourceAppData
Description: The signer name of the installer of the untrusted source application was reported incorrectly, that is, the string returned by UntrustedSourceAppData.getUntrustedSourceAppInstallerSignerName(index). That return value was the signer name of the untrusted source application itself.
Status: This issue has been fixed.
The other data (signature, package name, etc.) are reported correctly.
SHAND-3514: Improve adb status detection
Description: If App Shielding is configured with <checkAdbStatus v="true" />, previous versions of App Shielding reported adb as inactive, even though adb was still active, if the developer option was disabled with the adb command:
---bash
$ adb shell settings put global development_settings_enabled 0
---
Status: This issue has been fixed.
SHAND-3527: Support the new Android 12 - 14 garbage collector
Description: Android versions 12-14 have a new garbage collector (GC) implementation. This GC caused an ANR with App Shielding 5.6.0 resp. 5.0.5 and earlier.
Status: This issue has been fixed.
SHAND-3528: Fix callback data of VirtualSpaceAppData
Description: The app version and app name (of the virtual space app) were switched.
Status: This issue has been fixed.
SHAND-3532: Improved untrusted keyboard detection
Description: On Android 13 or later it was possible to switch from a trusted to an untrusted keyboard while editing a text in the app without App Shielding noticing the change.
Status: This issue has been fixed. Now App Shielding detects such a change.
SHAND-3576: Fix unexpected termination of application on automated Google Play testing
Description: Automated Google Play testing runs the application with the package ID androidx.test.tools.crawler.stubapp. That caused a shielded app to terminate unexpectedly.
Status: This issue has been fixed.
SHAND-3587: Fix ShieldSDK-secure-app-rom proguard rules
Description: Proguard/R8 started to obfuscate/minimize some members of the ShieldSDK-secure-app-rom classes. That caused applications that used the ShieldSDK-secure-app-rom to terminate unexpectedly.
Status: This issue has been fixed.
SHAND-3626: Fix reporting screen-mirroring blocking in the callbacks
Description: If screen-mirroring is blocked, App Shielding reported in some situations in the callback that screen-mirroring was not blocked, though App Shielding did block it.
Status: This issue has been fixed.
SHAND-3628: Fix reporting data in the KeyboardData callback
Description: If the user switches to an untrusted keyboard while the application is running and the untrusted keyboard declares its service as export="false" (in its AndroidManifest.xml), App Shielding reported the previous keyboard data in the untrusted keyboard callback event. If a keyboard uses export="false", App Shielding cannot query the keyboard data (package name, signer, etc.).
Status: This issue has been fixed. With this fix, App Shielding will report empty names instead of the names of the previous keyboard.
SHAND-3720: Fixed Java class name obfuscation
Description: The Shielding Tool failed to obfuscate all classes if you enabled full Java class name obfuscation by including the following Shielding Tool rules configuration:
.my-rules.cfg:
---
include "builtin:obfuscate-on.cfg";
---
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Java Runtime Environment 17
Some versions of Java Runtime Environment (JRE) 17 cause the following error on shielding an app:
---
Error: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
---
The error is caused by a problem with Java. A workaround is to pass the command line option
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
to Java on running the Shielding Tool, that is:
---bash
$ java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar Shielder.jar ...
---
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.7.2 (August 2023)
Supported platform versions
- App Shielding version 5.7.2 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Deprecations
Google has announced that the next Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding will switch to NDK r26 after its release as LTS version which is expected for Q3 2023.
Android platform updates
The Android minimum supported version is Lollipop-5.0 (API level 21).
This version of App Shielding supports Android 14 beta 5 (API level 34).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Fixes and other changes
RASP-2935: Increased APK size for shielding
Description: The size limit for uploading an APK has been increased to 4 GB.
SHAND-3532: Improved untrusted keyboard detection
Description: On Android 13 or later it was possible to switch from a trusted to an untrusted keyboard while editing a text in the app without App Shielding noticing the change.
Status: This issue has been fixed. App Shielding now detects such a change.
SHAND-3557: Improved LSPosed detection
Description: The LSPosed detection has been improved. It is now part of the App Shielding hooking framework detection.
SHAND-3564: Improved PIPL integration
Description: If PIPL support is activated (that is, <PIPLSupport v="true" /> in the App Shielding configuration file, config.xml) and the application had only two activities (one consent activity followed by the main application activity) then some of the App Shielding security checks may not have been triggered when opening the main application activity. This has been improved to ensure that all enabled security checks are started after the consent activity.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.7.1 (July 2023)
Supported platform versions
- App Shielding version 5.7.1 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11 or 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Deprecations
Google has announced that the next Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding will switch to NDK r26 after its release as LTS version which is expected for Q3 2023.
Android platform updates
The Android minimum supported version is 4.4 (API level 19).
This version of App Shielding supports Android 14 beta 3.
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Fixes and other changes
RASP-2791: False positives for screen mirroring or sharing on certain Xiaomi devices
Description: On certain Xiaomi devices running Android 13 and/or MIUI 14, false positive screen mirroring detection has occurred. To fix this issue, we have added a new parameter, Additional Display Name. This allows you to add a trusted display and so avoid false positive screen mirroring or screen sharing detection.
SHAND-3537: Improved detection of Magisk Delta
Description: This release of App Shielding includes additional checks to detect the presence of Magisk Delta.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.7.0 (July 2023)
Supported platform versions
- App Shielding version 5.7.0 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11 or 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Deprecations
Google has announced that the next Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding will switch to NDK r26 after its release as LTS version which is expected for Q3 2023.
Android platform updates
The Android minimum supported version is 4.4 (API level 19).
This version of App Shielding supports Android 14 beta 3.
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
New features and other updates
Option to check for an untrusted installer
A new option is available to check for an untrusted installer where you can configure the mode for the untrusted installer check.
This option depends on the settings of Query All Packages Permission and checkUntrustedInstaller.
Option to exclude an activity from the screenshot block
An option has been added to exclude an activity from the screenshot block. This can be used for apps that want their users to take a screenshot of a specific activity to verify payments, receipts, etc.
If App Shielding is configured with blockScreenshots to block screenshots from being taken of the app, that is, in config.xml:
---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<blockScreenshots v="true" />
...
</config>
</shield>
---
Then the Shielding Tool rule allowScreenshotsForActivity can be used to exclude an activity class from this block. That is, adding this rule in rules.cfg:
---
allowScreenshotsForActivity com.example.DontBlockScreenshotsFromMyActivity;
---
tells App Shielding to allow screenshots if the specified activity is visible, even if blockScreenshots is enabled. The argument for allowScreenshotsForActivity is the class name of an activity.
New rooting check
The rooting check scans and detects root hider applications and is designed to detect rooting packages which have been hidden by advanced tools such as Magisk Manager. The check is executed as part of the rooting check.
LSPosed hooking framework detection
App Shielding now detects if the LSPosed hooking framework is installed on a device and targets a shielded app.
Detection of VMOS emulators
VMOS is an Android application that can create emulators on an Android device. VMOS provides the possibility to create highly configurable emulator images. Some of these images may be rooted, some may have Xposed installed. VMOS emulator detection is part of the checkEmulator/exitOnEmulator App Shielding configuration options (config.xml):
---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<checkEmulator v="true" />
<exitOnEmulator v="true" />
...
</config>
</shield>
---
checkEmulator and exitOnEmulator are enforced for the release profile.
There may be VMOS images which are not yet detected by libshield as emulators. Rooted VMOS images may be detected as rooted. So it may be useful to enable checkRooting (which is enforced for the release profile) and exitOnRooting:
---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<checkEmulator v="true" />
<exitOnEmulator v="true" />
<checkRooting v="true" />
<exitOnRooting v="true" />
...
</config>
</shield>
---
Amazon App Store Support
Amazon App Store modifies your application's files. For all applications, Amazon App Store injects some code and files into the application. This modification triggers the default repackaging checks of App Shielding.
Now the Shielding Tool provides a collection of Shielding Tool rules to skip the integrity check of the files that are known to be modified by Amazon App Store. To use these rules, add the following include statement to your Shielding Tool rules:
---
include "builtin:amazon-app-store-support.cfg";
---
These rules should only be used if you intend to publish your application through the Amazon App Store.
For more information, refer to the Mobile Application Shielding Integration Guide.
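As an added example (not OneSpan tooling), the following Python script audits a config.xml and a rules file for the settings described in this section: the emulator and rooting checks, screenshot exemptions, and the Amazon App Store include. It assumes the file shapes shown above; the severity labels, function names and the sample activity name are illustrative.

```python
"""Audit an App Shielding config.xml and rules.cfg before a release build.

Added example, not OneSpan tooling. Option and rule names are the ones shown in
these release notes; severity labels and the parsing approach are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Checks these notes suggest enabling together against emulators such as VMOS.
EXPECTED_TRUE = ("checkEmulator", "exitOnEmulator", "checkRooting", "exitOnRooting")

# Rules that relax a protection and therefore deserve a reviewer's sign-off.
ALLOW_SCREENSHOT = re.compile(r"^\s*allowScreenshotsForActivity\s+([\w.$]+)\s*;", re.M)
INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)
AMAZON_RULES = "builtin:amazon-app-store-support.cfg"


def read_options(config_xml: str) -> dict:
    """Return {option name: v attribute} for every element under <shield><config>."""
    root = ET.fromstring(config_xml.strip().encode("utf-8"))
    config = root.find("config") if root.tag == "shield" else None
    if config is None:
        raise ValueError("expected <shield><config>...</config></shield>")
    return {el.tag: el.get("v", "") for el in config}


def audit(config_xml: str, rules_cfg: str, publishes_to_amazon: bool = False) -> list:
    """Return a list of (severity, message) findings."""
    options = read_options(config_xml)
    findings = []
    for name in EXPECTED_TRUE:
        if options.get(name) != "true":
            findings.append(("warn", f"{name} is not enabled in config.xml"))
    exemptions = ALLOW_SCREENSHOT.findall(rules_cfg)
    if exemptions and options.get("blockScreenshots") != "true":
        findings.append(("info", "blockScreenshots is not enabled, so the "
                                 "allowScreenshotsForActivity rules exempt nothing"))
    for activity in exemptions:
        findings.append(("review", f"screenshots allowed while {activity} is visible"))
    if AMAZON_RULES in INCLUDE.findall(rules_cfg) and not publishes_to_amazon:
        findings.append(("warn", f"{AMAZON_RULES} skips integrity checks "
                                 "but this build is not for the Amazon App Store"))
    return findings


# Constructed sample inputs in the shapes shown in these notes.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<blockScreenshots v="true" />
<checkEmulator v="true" />
<exitOnEmulator v="true" />
<checkRooting v="true" />
<exitOnRooting v="false" />
</config>
</shield>"""

SAMPLE_RULES = """
include "builtin:amazon-app-store-support.cfg";
allowScreenshotsForActivity com.example.ReceiptActivity;
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG, SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

Run it in CI against the files that are passed to the Shielding Tool, and treat every "review" finding as a screen whose contents are allowed to leave the app.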
Fixes and other changes
SHAND-3351: Support Android 14, beta 1—3
Description: Previous versions of App Shielding terminated unexpectedly when launching a shielded app on Android 14 beta because App Shielding uses some public APIs that were deprecated in Android 13 and caused an unexpected termination in Android 14. Java class was not available from the first classes.dex file.
Status: This issue has been fixed.
SHAND-3502, SHAND-3546: Fix mapping.txt for Crashlytics and writing mapping.txt
Description: Crashlytics needs a mapping.txt that contains entries for both obfuscated and not obfuscated classes and members. Previously, the Shielding Tool wrote only the classes and members that were obfuscated. Now, the Shielding Tool writes the names that are not obfuscated as well as the classes and members that were obfuscated. An issue introduced with this change caused an obfuscated class to appear twice in the generated mapping.txt file: once with the original name mapping to the obfuscated name and another time with the obfuscated name mapping to itself:
---
com.example.MyClass -> a.b:
...
a.b -> a.b:
...
---
Status: This issue has been fixed. Only the mapping of the original name to the obfuscated name is written.
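To check a generated mapping.txt for the duplicate described above, the following added Python example (not part of the Shielding Tool) parses the class lines and reports any obfuscated name that also appears mapped to itself. The sample mapping is constructed, and the parser assumes the usual ProGuard/R8 layout of unindented class lines and indented member lines.

```python
"""Check a mapping.txt for the duplicate class entries described under SHAND-3546.

Added example, not part of the Shielding Tool. Assumes the ProGuard/R8 layout:
unindented "original -> obfuscated:" class lines, indented member lines.
"""
import re

CLASS_LINE = re.compile(r"^(\S.*?) -> (\S+):\s*(?:#.*)?$")


def parse_class_mappings(text: str) -> list:
    """Return [(original, obfuscated)] for every class line, in file order."""
    pairs = []
    for line in text.splitlines():
        if not line or line[0] in " \t#":      # member line, blank line or comment
            continue
        match = CLASS_LINE.match(line)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def check_mapping(text: str) -> dict:
    """Count renamed and kept classes and list faulty self-mapped duplicates."""
    pairs = parse_class_mappings(text)
    renamed = {obf: orig for orig, obf in pairs if orig != obf}
    self_mapped = [orig for orig, obf in pairs if orig == obf]
    return {
        "renamed": len(renamed),
        # Classes kept under their own name: Crashlytics needs these entries too.
        "kept": sum(1 for name in self_mapped if name not in renamed),
        # An obfuscated name that is also mapped to itself is the faulty duplicate.
        "self_mapped_duplicates": sorted(n for n in self_mapped if n in renamed),
    }


# Constructed sample reproducing the faulty output, plus one class kept as-is.
FAULTY = """\
com.example.MyClass -> a.b:
    int counter -> a
    void run() -> b
a.b -> a.b:
    int a -> a
com.example.KeptActivity -> com.example.KeptActivity:
    void onCreate(android.os.Bundle) -> onCreate
"""

if __name__ == "__main__":
    print(check_mapping(FAULTY))
```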
SHAND-3509: Fix the UNTRUSTED_SOURCE_APP callback data type
Description: If checkUntrustedInstaller is enabled in the App Shielding configuration, <checkUntrustedInstaller v="true" />, and App Shielding detected an app that was installed from an untrusted source, then the ExtendedObserver received a callback of type UntrustedSourceAppData. The signer name of the installer of the untrusted source application was reported incorrectly, that is, the string returned by UntrustedSourceAppData.getUntrustedSourceAppInstallerSignerName(index). That return value was the signer name of the untrusted source application itself.
Status: This issue has been fixed. The other data (signature, package name, etc.) are reported correctly.
SHAND-3514: Improve adb status detection
Description: If App Shielding is configured with <checkAdbStatus v="true" />, then previous versions of App Shielding reported adb as inactive if the developer options were disabled with the following adb command, even though adb was still active:
~~~
$ adb shell settings put global development_settings_enabled 0
~~~
Status: This issue has been fixed.
SHAND-3527: Support the new Android 12—14 garbage collector
Description: Android 14 will be the first version that gets a new garbage collector (GC) implementation. That GC caused an ANR with App Shielding 5.6.0 and older. That GC will be rolled out by Google to Android 13 and Android 12 some time in August.
Any application that wants to support Android 12 and Android 13 needs to upgrade to this version of App Shielding (5.7.0). Applications that want to support Android 14 (and older) need to upgrade to this version of App Shielding (5.7.0). Otherwise the application will not work after the new GC is enabled.
Affected devices are those with Linux kernel 5.10 or above. To test the new GC you can use a recent AOSP on a Pixel 6 or later and run the following adb commands:
~~~
$ adb shell device_config set_sync_disabled_for_tests persistent
$ adb shell device_config put runtime_native_boot enable_uffd_gc true
$ adb reboot
~~~
To confirm whether you have switched to the new GC, use the following command. There should be some log messages.
~~~
$ adb logcat | grep "concurrent mark compact"
~~~
SHC-297: Update org.apache.commons.text to version 1.10.0 in the Shielding Tool
Description: The vulnerability CVE-2022-42889 is contained in org.apache.commons.text versions 1.5 to 1.9.
The version has now been updated, though the Shielding Tool never used any of the vulnerable code.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.0.5 (June 2023)
Supported platform versions
- App Shielding version 5.0.5 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11 or 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
Deprecations
Google has announced that the next Android Native Development Kit (NDK) (r26) will no longer support KitKat (API levels 19 and 20). The minimum version supported by the NDK for r26 will be Lollipop (API level 21).
App Shielding will switch to NDK r26 after its release as LTS version which is expected for Q3 2023.
Android platform updates
The Android minimum supported version is 4.4 (API level 19).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
New features and other updates
Changed naming scheme for bound package
We have changed the naming schema of the bound package contained within a .zip file. The file name prefix has changed from “wrapped” to “shielded”.
- Old naming schema: wrapped-original package file name.original package file extension
- New naming schema: shielded-original package file name.original package file extension
Changed obfuscation options
You can now customize the settings for obfuscation by defining rules in the Rules.cfg file. With this, you determine how App Shielding will modify the Android application, especially in the context of shielding and obfuscation.
This feature is only available if Default Obfuscate is disabled.
For examples and more information, refer to the sections on how to configure rules in the Shielding Tool and app obfuscation in the Mobile Application Shielding Integration Guide.
Also, the toggle switch for the Default Obfuscate option in the OneSpan Customer Portal has been moved to the left column of the Settings section next to the Rules.cfg option. This serves to facilitate entering keywords for defining obfuscation rules.
Block emulated input
You can now prevent emulated input from being injected into the screen.
Non-physical inputs (motion events) are known as emulated input. Emulated input might originate from the Android Debug Bridge (ADB), autoclick applications, screen-mirroring applications, screen reader applications, etc.
When enabled, App Shielding performs a security check to determine if the input is emulated or physical, and blocks input originating from all sources except physical input. The type of input can be touch and/or swipe events.
You can also define an emulated input threshold. App Shielding assigns a score value for each input to determine if the input might be emulated. Input scores above this threshold will be considered as emulated inputs.
When you enable Block emulated input, the portal displays the Emulated input threshold field where you can enter a number. The recommended value for this threshold is between 25 and 30. By default, this value is set to 30.
The following dependencies must be enabled to use the Block emulated input feature: Check rooting, Check trusted screenreaders, Check adb status.
For more information, refer to the sections with security features on Android on block emulated input and on configuration options for Android in the Mobile Application Shielding Integration Guide.
Fixes and other changes
RASP-3389: Shielding Tool loads application signer certificate
Description: The Shielding Tool can now load the application signer certificate from the apk if the app is signed with APK Signature Scheme 2 or 3 and no longer has the v1 Scheme Signature. The v1 Scheme Signature is no longer added for a default Android Studio project with minSdkVersion > 24. The APK signature is used in the App Shielding repackaging check when the application is configured with applicationSignerCertificate auto (this is the default) or original.
Example:
---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<applicationSignerCertificate v="auto" />
<applicationSignerCertificate v="original" />
...
</config>
</shield>
---
For more information, refer to https://source.android.com/docs/security/features/apksigning.
SHAND-3416: Fix unexpected termination on Android 4.4
Description: App Shielding sometimes terminated unexpectedly on Android 4.4 because an internal App Shielding Java class was not available from the first classes.dex file.
Status: This issue has been fixed. This fix is only recommended if your application supports Android 4.4.
SHAND-3476: Fix unexpected termination on application start on Android versions 7 and earlier
Description: Some applications are optimized by R8 in Application.attachBaseContext() which causes a shielded application to terminate unexpectedly upon starting the application. This unexpected termination happens only on Android versions 7 and earlier.
Status: This issue has been fixed. Now the Shielding Tool can handle R8-optimized Application.attachBaseContext() correctly.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.0.3 (April 2023)
Supported platform versions
- App Shielding version 5.0.3 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11 or 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
The Android Native Development Kit (NDK) r24 stopped support of Jelly Bean (API 16, 17, and 18). The minimum version supported by the NDK for r24 and later is KitKat (API level 19). App Shielding has switched to Android NDK r25.
Android platform updates
The Android minimum supported version is 4.4 (API level 19).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
New features and other updates
Changed naming scheme for bound package
As of version 5.0.4, we will change the naming schema of the bound package contained within a .zip file. The file name prefix will change from “wrapped” to “shielded”.
- Old naming schema: wrapped-original package file name.original package file extension
- New naming schema: shielded-original package file name.original package file extension
Fixes and other changes
RASP-3389: Shielding Tool loads application signer certificate
Description: The Shielding Tool can now load the application signer certificate from the apk if the app is signed with APK Signature Scheme 2 or 3 and no longer has the v1 Scheme Signature. The v1 Scheme Signature is no longer added for a default Android Studio project with minSdkVersion > 24. The APK signature is used in the App Shielding repackaging check when the application is configured with applicationSignerCertificate auto (this is the default) or original.
Example:
---
<?xml version="1.0" encoding="UTF-8"?>
<shield>
<config>
<applicationSignerCertificate v="auto" />
<applicationSignerCertificate v="original" />
...
</config>
</shield>
---
For more information, refer to https://source.android.com/docs/security/features/apksigning.
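Whether an APK still carries a v1 signature or only v2/v3, the case RASP-3389 addresses in this release and in 5.0.5, can be read directly from the file. The Python below is an added example, not OneSpan code: it follows the APK Signing Block layout from the Android page linked above, reports presence only (it verifies no signature), and includes a builder for a constructed sample APK with placeholder signature data.

```python
"""Report which APK signature schemes a file carries (presence only, no verification).

Added example, not OneSpan code. Layout per the Android APK signing docs:
[ZIP entries][APK Signing Block][Central Directory][End of Central Directory].
"""
import io
import re
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
V2_ID, V3_ID = 0x7109871A, 0xF05368C0   # signature scheme v2 / v3 block IDs
V1_SIG = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)", re.I)


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP End of Central Directory (EOCD) record."""
    pos = len(data) - 22
    lowest = max(0, len(data) - 22 - 0xFFFF)
    while pos >= lowest:
        # The stored comment length must account for every trailing byte.
        if data[pos:pos + 4] == b"PK\x05\x06" and \
                struct.unpack_from("<H", data, pos + 20)[0] == len(data) - pos - 22:
            return pos
        pos -= 1
    raise ValueError("no End of Central Directory record")


def signing_block_ids(data: bytes) -> list:
    """IDs of the ID-value pairs in the APK Signing Block, or [] if there is none."""
    cd_offset = struct.unpack_from("<I", data, find_eocd(data) + 16)[0]
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if size < 24 or start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    ids, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        if end - pos < 12:
            raise ValueError("truncated ID-value pair")
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        if pair_len < 4 or pair_len > end - pos - 8:
            raise ValueError("ID-value pair length out of range")
        ids.append(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def signature_schemes(data: bytes) -> dict:
    """Schemes present: v1 = JAR signature files, v2/v3 = signing block IDs."""
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        v1 = any(V1_SIG.fullmatch(name) for name in apk.namelist())
    ids = signing_block_ids(data)
    return {"v1": v1, "v2": V2_ID in ids, "v3": V3_ID in ids}


def build_sample_apk(with_v1: bool, scheme_ids: list) -> bytes:
    """Constructed test input: a tiny ZIP with placeholder (not real) signature data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed")
        if with_v1:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"placeholder")
    data = buf.getvalue()
    if not scheme_ids:
        return data
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"placeholder"
    pairs = b"".join(struct.pack("<QI", 4 + len(value), sid) + value for sid in scheme_ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + MAGIC
    out = bytearray(data[:cd_offset] + block + data[cd_offset:])
    # The central directory moved back by len(block); patch its offset in the EOCD.
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    print(signature_schemes(build_sample_apk(False, [V2_ID, V3_ID])))
    print(signature_schemes(build_sample_apk(True, [])))
```

An APK that reports v1 as False with v2 or v3 as True is the case this fix covers when applicationSignerCertificate is set to auto or original.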
SHAND-3416: Fix unexpected termination on Android 4.4
Description: App Shielding sometimes terminated unexpectedly on Android 4.4 because an internal App Shielding Java class was not available from the first classes.dex file.
Status: This issue has been fixed. This fix is only recommended if your application supports Android 4.4.
SHAND-3476: Fix unexpected termination on application start on Android versions 7 and earlier
Description: Some applications are optimized by R8 in Application.attachBaseContext() which causes a shielded application to terminate unexpectedly upon starting the application. This unexpected termination happens only on Android versions 7 and earlier.
Status: This issue has been fixed. Now the Shielding Tool can handle R8-optimized Application.attachBaseContext() correctly.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.0.2 (February 2023)
Supported platform versions
- App Shielding version 5.0.2 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11 or 17
  - Mac OSX (10.9+)
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 2.0 and later are supported. ShieldGradlePlugin version 2 supports Android App Bundles and newer Android build versions.
The Android Native Development Kit (NDK) r24 stopped support of Jelly Bean (API 16, 17, and 18). The minimum version supported by the NDK for r24 and later is KitKat (API level 19). App Shielding has switched to Android NDK r25.
Android platform updates
The Android minimum supported version is now 4.4 (API level 19).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Fixes and other changes
SHAND-3189: Fix downloading updatable configuration when the application exits early
Description: App Shielding failed to download the updatable configuration when the application exited early.
Status: This issue has been fixed. The updatable configuration is now downloaded.
SHAND-3204: Fix crash on Android 7 and 8 for applications using Gson
Description: If an app used Gson (com.google.code.gson) to convert between JSON and Java, and the app was big enough to be split into several classes.dex, there may be a crash on starting the application on an Android 7 or Android 8 device.
The Shielding Tool used a random assignment for classes into classes.dex and thus could not ensure that some classes were required to be packaged with the same classes.dex index.
The ClassLoader class for Android versions 6 and earlier or 9 and later does not have this problem.
Status: This issue has been fixed. With this fix, the Shielding Tool tries now to retain the original classes.dex index when encoding the shielded application.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 5.0.1 (December 2022)
Supported platform versions
- App Shielding version 5.0.1 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11
  - Ubuntu Linux 20.04 LTS or 22.04 LTS
- ShieldGradlePlugin version 1.1.2 and later are supported. ShieldGradlePlugin version 2 (Beta) supports Android App Bundles, and newer Android build versions.
The Android Native Development Kit (NDK) r24 stopped support of Jelly Bean (API 16, 17, and 18). The minimum version supported by the NDK for r24 and later is KitKat (API level 19). App Shielding has switched to Android NDK r25.
Android platform updates
The Android minimum supported version is now 4.4 (API level 19).
As of July 1, 2022, App Shielding for Android version 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Fixes and other changes
SHAND-3092: Fix Shielding Tool error on decoding app code
Description: The Shielding Tool failed to decode some applications that were compiled with debug information. For example, if the application used androidx.compose.ui:ui:1.2.0 and compiled the application with debug, App Shielding exited with an error.
Status: This issue has been fixed. The Shielding Tool now decodes the debug information correctly.
SHAND-3155: Fix false positive hooking framework detection
Description: App Shielding version 5.0.0 introduced a better detection for Xposed modules. With this, however, App Shielding classified legitimate apps as if they were using Xposed.
Status: This issue has been fixed.
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on new Android versions
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Supported platform versions
- App Shielding version 5.0.0 was successfully tested with Android 13.
- Android 4.4 (API level 19) – Android 13 (API level 33).
- Shielding Tool:
  - Windows 10: 64-bit Java 11
  - Ubuntu Linux 18.04 LTS or 20.04 LTS
- ShieldGradlePlugin versions 1.1.2 and later are supported. ShieldGradlePlugin version 2 (Beta) supports Android App Bundles and newer Android build versions.
The Android Native Development Kit (NDK) r24 dropped support for Jelly Bean (API levels 16, 17, and 18). The minimum version supported by NDK r24 and later is KitKat (API level 19). App Shielding has switched to Android NDK r25.
Android platform updates
The Android minimum supported version is now 4.4 (API level 19).
As of July 1, 2022, App Shielding for Android versions 4.2.0.39971 and earlier are no longer supported. For more information, refer to the OneSpan Customer Portal.
Fixes and other changes
Changes in configuration options
Description: The following configuration options are deprecated and have been removed:
- exitOnEmulatorURL
  There was no guarantee that this URL was triggered even though the application may have been running in an emulator. It was recommended to not use this option.
- exitOnRepackagingURL
  There was no guarantee that this URL was triggered even though the application may have been repackaged. It was recommended to not use this option.
The default value for exitOnRooting has been changed to false. If you want to exit the application upon detection of a rooted device, you must explicitly set this value to true.
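An upgrade check for the configuration changes described above, as an added example that is not OneSpan's code: it flags the two removed options and reports when exitOnRooting is not set explicitly, so that an app relying on the old default does not silently stop exiting on rooted devices. The configuration file syntax is not shown in these notes, so the scanner matches option names in any common key/value style (an assumption), and the sample configurations are constructed.

```python
import re

# Option names come from the release notes above. The configuration syntax is
# not shown there, so matching is syntax-agnostic (assumption of this example).
REMOVED_OPTIONS = ("exitOnEmulatorURL", "exitOnRepackagingURL")
ROOT_OPTION = "exitOnRooting"

# Accepts key=true, key: true, "key": true, key="true" and <key>true</key>.
VALUE_RE = r'\b{name}\b["\']?\s*[=:>]\s*["\']?(true|false)\b'


def explicit_value(config_text, name):
    """Return 'true' or 'false' if the option is set explicitly, else None."""
    match = re.search(VALUE_RE.format(name=re.escape(name)), config_text, re.IGNORECASE)
    return match.group(1).lower() if match else None


def audit_config(config_text):
    """Return (code, option) findings for a pre-5.0.0 configuration."""
    findings = []
    for name in REMOVED_OPTIONS:
        if re.search(r"\b" + re.escape(name) + r"\b", config_text):
            findings.append(("REMOVED", name))
    value = explicit_value(config_text, ROOT_OPTION)
    if value is None:
        # Nothing set: the app now inherits the new default (false).
        findings.append(("DEFAULT_NOW_FALSE", ROOT_OPTION))
    elif value == "false":
        findings.append(("EXPLICIT_FALSE", ROOT_OPTION))
    return findings


# Constructed sample configurations (styles chosen for illustration only).
LEGACY_CONFIG = """\
exitOnEmulatorURL=https://example.invalid/emulator
exitOnRepackagingURL=https://example.invalid/repackaged
"""
MIGRATED_CONFIG = "<exitOnRooting>true</exitOnRooting>\n"

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_CONFIG), ("migrated", MIGRATED_CONFIG)):
        print(label, audit_config(text))
```

The scanner does not understand comments, so an option that is commented out in the real configuration still counts as present.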
Known limitations
The limitations described here have not yet been solved for the current Mobile Application Shielding version. Possible workarounds are described where available.
Android App Bundles
The OneSpan Customer Portal support for Android App Bundles does not yet include instant-enabled app bundles.
Detection of root hiding tool on Android 9 and later
Due to the nature of root hiding tools and the increasing restrictions Android imposes on applications as of Android 9, OneSpan Mobile Application Shielding may not be able to reliably detect a rooted device that uses root hiding tools.
Version 4.3.12 (August 2022)
Supported platform versions
- App Shielding version 4.3.12 was successfully tested with Android 13 beta 4.
- Android 4.1 (API level 16) – Android 12 (API level 31).
  The Android Native Development Kit (NDK) r24 dropped support for Jelly Bean (API levels 16, 17, and 18). The minimum version supported by NDK r24 and later is KitKat (API level 19). App Shielding has switched to Android NDK r25.
- Shielding Tool:
  - Windows 10: 64-bit Java 11
  - Ubuntu Linux 18.04 LTS or 20.04 LTS
- ShieldGradlePlugin versions 1.1.2 and later are supported. ShieldGradlePlugin version 2 (Beta) supports Android App Bundles and newer Android build versions.
Android platform updates
App Shielding version 4.3.12 was successfully tested with Android 13 beta 4.
New features and enhancements
Flutter Webview Support
A new parameter for Flutter Webview Support has been added. Flutter applications that use Webview must turn ON this new parameter and turn OFF the parameter for Block Screenshots.