freeRASP

In-App protection is a mobile security technology that allows mobile applications to check the security state of the environment they run within, actively counteract attack attempts, and control the integrity of the app. Such technology is also called RASP (Runtime App Self Protection) or App Shielding.

freeRASP is a mobile in-app protection and security monitoring SDK. It aims to cover the main aspects of RASP and application shielding.

:notebook_with_decorative_cover: Table of contents

• Overview
  • Key advantages
  • Features
  • Security Report
• App security monitoring service
  • Data Collection, Processing, and GDPR compliance
• Talsec Commercial Subscriptions
  • Plans comparison
• Community development
• About us
• License

Overview

The freeRASP is a lightweight and easy-to-integrate security library designed to protect apps from potential threats during their runtime. It contains multiple security checks, each aimed to cover a possible attack vector to ensure a high level of application security. Among other options, it is able to detect reverse engineering, repackaging or cloning attempts, and running in an unsafe OS environment. It is freely distributed for all mobile platforms and is also available for Flutter, Capacitor, Cordova and React Native developers.

You can check platform-specific submodules for the installation guide and specific details down below:

• Flutter (pub.dev package)
• Capacitor
• React Native
• Cordova
• Android
• iOS

Key advantages

• Reactions to attacks and detected security threats via an API
• Simple download and install with clear source code snippets
• No significant effect on the app performance
• Weekly security report via email indicating security status of devices and app integrity
• Fulfills OWASP MASVS V8: Resiliency Against Reverse Engineering Requirements

:dart: Features

freeRASP provides protection against potentially dangerous behavior, including the following:

:heavy_check_mark: Using rooted or jailbroken devices (e.g., unc0ver, check1rain)

:heavy_check_mark: Reverse engineering attempts

:heavy_check_mark: Running hooking frameworks (e.g., Frida, Xposed or Shadow)

:heavy_check_mark: Tampering or repackaging the application

:heavy_check_mark: Installing the app through untrusted methods/unofficial stores

Visit our wiki to learn more details about the performed checks and their importance for app security.

Security report

The Security Report is a weekly summary describing the application's security state and characteristics of the devices it runs on in a practical and easy-to-understand way.

The report provides a quick overview of the security incidents, their dynamics, app integrity, and reverse engineering attempts. It contains info about the security of devices, such as OS version or the ratio of devices with screen locks and biometrics. Each visualization also comes with a concise explanation.

:outbox_tray: App security monitoring service

App security monitoring service are shared both for Android and iOS. App security monitoring service (i.e., reports and email alerts) for freeRASP are provided by Talsec free of charge within FUP. Only commercial plans currently support customer managed or inhouse audit/monitoring data collection cloud service. freeRASP SDK sends security diganostics data to Talsec cloud DB. It implies:

• Anonymized data logs are sent to ElasticSearch
• Data are continuously evaluated and ML-classified to detect anomalies
• Each account can set up a Watcher to receive weekly alerts about detected attempts for app modifications

Data Collection, Processing, and GDPR compliance

freeRASP SDK collects anonymized security diagnostics data from the Apps. It includes technical information about the state of security and integrity of Devices and App instances. It includes anonymous app instance and device IDs. This information allows Talsec to implement a PDF security report feature. Data is also used to improve the product and prepare mobile security reports.

Data collection can be disabled or configured to address customers' DB in premium service plans of Talsec (see RASP+)

By April 2022 Google Play requires all app publishers to declare how they collect and handle user data for the apps they publish on Google Play. They should inform users properly of the data collected by the apps and how the data is shared and processed. Therefore, Google will reject the apps which do not comply with the policy.

Apple has a similar approach and data types specification.

Talsec recommends adding the following statements to the Privacy Policy page dedicated to your app. Also, use the text below while filling in the Google Play Safety Section or similar for Apple App Store publishing. Please refer to the guide on compliance checks for the App Store User Data Policy as well.

All the data collected by the freeRASP Talsec Security SDK is considered non user sensitive. Also, there is no technical way to identify the real person by the identifiers collected by freeRASP SDK.

Google Play’s User Data policy indicates that a prominent disclosure should be presented to the users, in case of an app collecting personal or sensitive data.

Though freeRASP collects diagnostical data (anonymous and not user-related ), the App publisher should consider adding a disclosure screen, describing why the security diagnostic data is needed, what data, and how the data is used. Link to best practices and guidelines of Google.

An example of a disclosure screen:

:money_with_wings: Talsec Commercial Subscriptions

Talsec offers commercial plans on top of freeRASP (Business RASP+):

• No limits of Fair Usage Policy (100K App Downloads)
• No Data Collection from your app
• FinTech grade security, features and SLA (see more in this post)
• Protect APIs and risk scoring by AppiCrypt®

Learn more at talsec.app.

Not to overlook, the one of the most valued commercial features is AppiCrypt® - App Integrity Cryptogram.

It allows easy-to-implement API protection and App Integrity verification on the backend to prevent API abuse:

• Bruteforce attacks
• Botnets
• API abuse by App impersonation
• Session-hijacking
• DDoS

It is a unified solution that works across all mobile platforms without dependency on external web services (i.e., without extra latency, an additional point of failure, and maintenance costs).

Learn more about commercial features at talsec.app.

TIP: You can try freeRASP and then upgrade easily to an enterprise service.

Plans Comparison

For further comparison details (and planned features), follow our discussion.

Community Development

Contributions are always welcomed. With new threats arising, protections currently in place need to be continuously updated. You can start contributing in many different ways:

• Filing or reporting issues
• Working on one of the existing issues
• Browsing existing code and manuals and proofreading it

Support and maintenance are in the hands of the community. Feel free to open new issues and ask questions.

About Us

Talsec is an academic-based and community-driven mobile security company. We deliver in-App Protection and a User Safety suite for Fintechs. We aim to bridge the gaps between the user's perception of app safety and the strong security requirements of the financial industry.

Talsec offers a wide range of security solutions, such as App and API protection SDK, Penetration testing, monitoring services, and the User Safety suite. You can check out offered products at our web.

License

This project is provided as freemium software i.e. there is a fair usage policy that impose some limitations on the free usage. The SDK software consists of opensource and binary part which is property of Talsec. The opensource part is licensed under the MIT License - see the LICENSE file for details.