If App Shielding is shut down due to configuration setting, a web browser can be launched with a preconfigured URL that may explain the problem to the user. If no URL is configured, then the web browser is not invoked.
This URL can be configured so that App Shielding substitutes certain variables of the URL to provide information directly inside the URL.
Some features of exit URL launching have been deprecated and removed:
- Exit URL on emulator detection
- Exit URL on repackaging detection
The following variable substitutions are provided.
| Placeholder |
|
Substitution |
|---|---|---|
| %REASON% |
|
The reason of the shutdown in decimal. |
| %MANUFACTURER% |
|
The device manufacturer. |
| %MODEL% |
|
The device model name. |
| %ANDROID% |
|
The Android API level of the device (on Android devices). |
| %iOS% |
|
The iOS API level of the device (on iOS devices). |
| %VERSION% |
|
The App Shielding version. |
| %ROOT% | exitOnRooting | A 4-byte hex value that gives more information about the rooting detected by App Shielding. The first two bytes are the boolean rooting detection value and the heuristics detection value. These values are somewhat obfuscated to make it harder for attackers to use them when trying to circumvent App Shielding. To recover the boolean detection value, subtract 0x3F from the first byte (note that you have to work on 8-bit unsigned integers). To recover the heuristics value, xor the second byte with the first byte and then subtract 0xEA (again, using 8-bit unsigned integers). The last two bytes provide more information about how the rooting was detected. Please supply this value to OneSpan to help diagnosing a problem. |
| %KEYBOARD% | exitOnUntrustedKeyboard | The package name of the untrusted keyboard. |
| %KEYBOARDNAME% | exitOnUntrustedKeyboard | The name of the untrusted keyboard. |
| %KEYBOARDVERSION% | exitOnUntrustedKeyboard | The version of the untrusted keyboard. |
| %KEYBOARDSIGNER% | exitOnUntrustedKeyboard | The subject of the signing certificate used to sign the untrusted keyboard. |
| %SCREENREADER% | exitOnUntrustedScreenreaders | The package name of the untrusted screen reader. |
| %SCREENREADERNAME% | exitOnUntrustedScreenreaders | The name of the untrusted screen reader. |
| %SCREENREADERVERSION% | exitOnUntrustedScreenreaders | The version of the untrusted screen reader. |
| %SCREENREADERSIGNER% | exitOnUntrustedScreenreaders | The subject of the signing certificate used to sign the untrusted screen reader. |
| %VIRTUALSPACEAPP% | exitOnAppInVirtualSpaceURL | The package name of the untrusted virtual space app. |
| %VIRTUALSPACEAPPNAME% | exitOnAppInVirtualSpaceURL | The name of the untrusted virtual space app. |
| %VIRTUALSPACEAPPVERSION% | exitOnAppInVirtualSpaceURL | The version of the untrusted virtual space app. |
| %HOOKINGFRAMEWORKS% | exitOnHookingFrameworks | A 1-byte hex value that provides information about how the hooking framework was detected. Please supply this value to OneSpan to help diagnosing a problem. |
Pitfalls of Exit URL
The Exit URLs are primarily designed to provide useful feedback to the end-user on why the application stopped working, rather than providing a reliable reporting mechanism for the app owner.
The Exit URL will be loaded in the device main browser, and could end up as a lingering browser tab/window until the user closes it. This can cause the browser to trigger additional page loads of the configured URL when the user activates the browser at a later point, flips through the various tabs/windows, or uses the back-button to revisit this page. This behavior can lead to misleading statistics, if you track page views on your server.
Furthermore, App Shielding cannot guarantee that the URL is ever loaded. For example, the user’s device could be in flight mode and would not have a connection to load the URL in the browser. Thus, you should not rely on this feature as a way to collect data on security issues.
If App Shielding is shut down due to configuration setting, a web browser can be launched with a preconfigured URL that may explain the problem to the user. If no URL is configured, then the web browser is not invoked.
This URL can be configured so that App Shielding substitutes certain variables of the URL to provide information directly inside the URL.
Some features of exit URL launching have been deprecated and removed:
- Exit URL on emulator detection
- Exit URL on repackaging detection
The following variable substitutions are provided.
| Placeholder |
|
Substitution |
|---|---|---|
| %REASON% | All | The reason of the shutdown in decimal. |
| %MANUFACTURER% | All | The device manufacturer. |
| %MODEL% | All | The device model name. |
| %IOS% | All | The iOS version of the device. |
| %VERSION% | All | The App Shielding version. |
| %JAILBREAK% | exitOnJailbreak | A 1-byte hex value providing more detailed information about the jailbreak detected by App Shielding. Please supply this value to technical support to diagnose any problems with jailbreak detection. |
Pitfalls of Exit URL
The Exit URLs are primarily designed to provide useful feedback to the end-user on why the application stopped working, rather than providing a reliable reporting mechanism for the app owner.
The Exit URL will be loaded in the device main browser, and could end up as a lingering browser tab/window until the user closes it. This can cause the browser to trigger additional page loads of the configured URL when the user activates the browser at a later point, flips through the various tabs/windows, or uses the back-button to revisit this page. This behavior can lead to misleading statistics, if you track page views on your server.
Furthermore, App Shielding cannot guarantee that the URL is ever loaded. For example, the user’s device could be in flight mode and would not have a connection to load the URL in the browser. Thus, you should not rely on this feature as a way to collect data on security issues.