Automatic configuration update

App Shielding also offers the Automatic Configuration Update feature. This feature allows the deployment of a new App Shielding configuration to be integrated into existing apps without the need for those apps to be redeployed through the usual distribution channels such as App Store or Google Play. You can enable, disable, or otherwise change specific features and every parameter of App Shielding without having to republish the app.

The updatable configuration is optional. App Shielding aims to provide simple building blocks for deploying these configurations on a regular web server without the need to develop complicated server-side logic, but with enough functionality that such logic can be added if needed.

When App Shielding is integrated into the app, an initial configuration will be bundled with the app, inside the APK (Android)/IPA (iOS). This initial configuration cannot be changed, and will be the default configuration unless a newer configuration is downloaded to the system when the application exits on threat detection. No further development is required to trigger or handle this update.

Key concepts

The updatable configuration is an optional feature that needs to be enabled by the app owner during initial configuration. To use the updatable configuration, the app owner must configure an HTTPS address where App Shielding may fetch configuration updates in the future. This address must be included in the initial configuration in the app upon publication through the various app distribution channels.

The updated configuration is created exactly like the initial configuration, in the same way. This configuration is generated using the OneSpan Customer Portal or OneSpan Mobile Portal. Each version of App Shielding contains a unique signature key, which is used to verify any downloaded configuration data before use. This means that a configuration update is tied to the version of App Shielding that was used in the targeted apps.

If multiple versions of the app are expected to coexist with multiple versions of App Shielding, the app owner must ensure that the specific App Shielding versions receive the corresponding version of the updated configuration, for example by using a unique URL. Any mismatch, connectivity error, or verification failure will cause App Shielding to not use the downloaded configuration and silently fall back to using the existing configuration.
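The following added example is a small model of the behavior described above; it is not OneSpan code. HMAC-SHA256 stands in for the product's signature scheme, which this page does not describe, and the keys, URLs, and configuration strings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys: stand-ins for the unique signature key in each App Shielding version.
VERSION_KEYS = {"A": b"constructed-key-version-A", "B": b"constructed-key-version-B"}


def sign(version, config):
    """Publisher side of the model: sign a configuration for one version."""
    return hmac.new(VERSION_KEYS[version], config, hashlib.sha256).digest()


def select_config(version, existing, fetch):
    """Client side of the model: return (config, source) without ever raising.

    fetch() returns (config_bytes, signature) or raises OSError when unreachable.
    """
    try:
        config, signature = fetch()
    except OSError:
        return existing, "existing"  # connectivity error
    if not hmac.compare_digest(sign(version, config), signature):
        return existing, "existing"  # wrong version's file or modified data
    return config, "downloaded"


# Constructed sample data: one unique URL per App Shielding version.
EXISTING = b"root_detection=on"
UPDATE = b"root_detection=off"
URL_A = "https://config.example.invalid/shielding-A/update"
URL_B = "https://config.example.invalid/shielding-B/update"
HOSTED = {URL_A: (UPDATE, sign("A", UPDATE)), URL_B: (UPDATE, sign("B", UPDATE))}


def fetcher(url):
    """Build a fetch() callable that reads from the in-memory HOSTED table."""
    def fetch():
        if url not in HOSTED:
            raise OSError("unreachable: " + url)
        return HOSTED[url]
    return fetch


if __name__ == "__main__":
    for version, url in [("A", URL_A), ("B", URL_A), ("B", URL_B), ("A", URL_B + "x")]:
        print(version, url, select_config(version, EXISTING, fetcher(url)))
```

In this model, a version B client pointed at the version A URL keeps its existing configuration without any error, so a misrouted update only shows up as settings that never change on the affected devices.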

Some use cases for the automatic configuration update:

  • New devices or OS versions cause problems

    New Apple devices sometimes behave slightly differently than previous versions and cause App Shielding to shut down if a specific feature is enabled. Similarly, a new version of an OS may cause problems with a specific App Shielding version that requires a code change. A solution could be to publish a new configuration with this feature disabled until a permanent solution can be deployed. Any apps shutting down due to the specific feature will cause App Shielding to look for an updated configuration.

  • Updating configuration data

    By updating the configuration, you can:

    • update HTTPS server addresses
    • pin certificate information
    • allowlist keyboard and screen readers.

  • Too many false positives

    The updatable configuration can be used to disable or tweak features that cause too many false positives or problems. Root detection can be problematic in certain areas where rooted devices may be common. With the updatable configuration, the specific feature can be tweaked to reduce support noise from users.

  • App security on-demand

    In some cases it can be desirable to ship apps with a non-strict configuration in combination with monitoring of the apps, the market space, and security trends. If specific threats are detected, the apps can be locked down further for better protection.