If an application has to shut down (either because it is terminating unexpectedly, or it detected a security problem), the application can exit and log a proper stack trace, or open the browser with a predefined URL.

If the application is installed via Google Play, the user will be prompted to report the problem, and it will appear in the Google Play Console. Otherwise, the shutdown reason is accessible via logcat.

A shutdown reason that points back to App Shielding will be a subclass of ShieldException with a hex-coded string message for additional encoded information.

The stack trace will have distinct exception classes depending on the reason for the shutdown. By default, the stack trace will contain obfuscated class names. These can be de-obfuscated using the ProGuard retrace tool with the mappings.txt file as produced during shielding. This mapping file can also be uploaded to Google Play for it to automatically decode stack traces in the Google Play Console.

To deobfuscate a crash report

  • Use the following command:

    retrace.bat | retrace.sh [-verbose] <mappingFile> <crashReport>

    where:

    • mappingFile is the path to the mapping.txt file.

    • crashReport is the path to the crash report to deobfuscate.

An example of an obfuscated crash report with stack trace may look like this:

2021-07-01 12:35:01.011 28406-28406/? E/Report: Exiting:
  eevgom.d: 01
    at eevgom.v.a(Unknown Source:164)
    at eevgom.v.b(Unknown Source:0)
    at java.lang.Runtime.nativeLoad(Native Method)
    at java.lang.Runtime.nativeLoad(Runtime.java:1131)
    at java.lang.Runtime.loadLibrary0(Runtime.java:1085)
    at java.lang.Runtime.loadLibrary0(Runtime.java:1008)
    at java.lang.System.loadLibrary(System.java:1664)
    at eevgom.k.c(Unknown Source:8)
    at eevgom.u.a(Unknown Source:13)
    at eevgom.u.c(Unknown Source:24)
    at eevgom.u.b(Unknown Source:6)
    at eevgom.u.<clinit>(Unknown Source:0)
    at eevgom.u.b(Unknown Source:0)

After deobfuscating, the crash report may look like this:

2021-07-01 12:35:01.011 28406-28406/? E/Report: Exiting:
  no.promon.shield.ex.RepackagingException: 01
    at no.promon.shield.Report.java.lang.Thread$UncaughtExceptionHandler access$002(java.lang.Thread$UncaughtExceptionHandler)(Unknown Source:164)
    no.promon.shield.ex.ShieldException getException(java.lang.String)
      java.lang.String readFromPipe()
    at no.promon.shield.Report.int access$100()(Unknown Source:0)
      void report(java.lang.String)
    at java.lang.Runtime.nativeLoad(Native Method)
    at java.lang.Runtime.nativeLoad(Runtime.java:1131)
    at java.lang.Runtime.loadLibrary0(Runtime.java:1085)
    at java.lang.Runtime.loadLibrary0(Runtime.java:1008)
    at java.lang.System.loadLibrary(System.java:1664)
    at no.promon.shield.LibStarter.void process()(Unknown Source:8)
    at no.promon.shield.LibStarter.void doPhase1()(Unknown Source:13)
      void doPhase2(no.promon.shield.AppMonitor)
      boolean isRunningOnIsolatedProcess(android.app.Application)
    at no.promon.shield.LibStarter.void startLibshieldWithContext(no.promon.shield.AppMonitor)(Unknown Source:24)
    at no.promon.shield.LibStarter.void startLibshieldFromAppMonitor(no.promon.shield.AppMonitor)(Unknown Source:6)
      void startLibshieldFromClinit()
    at no.promon.shield.LibStarter.<clinit>(Unknown Source:0)
    at no.promon.shield.LibStarter.void startLibshieldFromAppMonitor(no.promon.shield.AppMonitor)(Unknown Source:0)
      void startLibshieldFromClinit()

The message part of this example stack trace points to 01, which indicates repackaging detection, and this is consistent with RepackagingException. Other shutdown reasons will use different exception classes and message encoding. The first two characters of the message refer to the shutdown reason. See the table below for a description of these reasons. The hex characters indicate the reason why App Shielding has shut down the app.

If the error message contains more than two characters, App Shielding has terminated unexpectedly. For further analysis, forward the error message to OneSpanTechnical Support: [email protected].

Error codes for Android
Code Description
00 Policy violation: Device is rooted.
01 Policy violation: Application is modified or repackaged.
02 Policy violation: Application is being run in an emulator.
03 Policy violation: Java debugger attached to app.
04 Policy violation: Untrusted keyboard found.
05 Policy violation: Untrusted screen reader found.
06 Policy violation: Native code hooks, possibly inserted by malicious app.
07 Internal
08 App Shielding could not read configuration file.
09-14 Internal
15 Application terminated unexpectedly outside of Java code, either native library or App Shielding.
16 Policy violation: Hooking frameworks detected.
17 Native debugger prevention not possible on this device.
1a Developer Options enabled on device.
1b Untrusted Installer found on device.
1c Android Developer Bridge active on device.
1d Application is launched via Virtual Space application.
1f Emulated input detected.

App Shielding can be configured to not create such stack traces by enabling the shutdownImmediately configuration option. However, we do not recommend this, since it limits the ability to diagnose problems.

If an application has to shut down (because it is either terminating unexpectedly or it has detected a security problem), the application can exit and open the browser with a given URL.

For further analysis, please forward the error message to us by contacting [email protected].