talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License

The package is susceptible to smali changes. #87

Closed reyesmfabian closed 8 months ago

reyesmfabian commented 1 year ago

It is possible to bypass detection by making a modification to Android smali files, which allows bypassing all protection.

EXPECTED RESULT

Using a locally generated APK in release mode with a valid certificate different from the official store:


As you can see the detection is performed correctly and the controls are applied.

NOT EXPECTED RESULT

It is possible to modify the smali code of the Android version by changing the strings and thus circumvent all the controls.


As you can notice when repacking the application with these changes the controls are not effective.

Is there any solution for this behavior?


xprikryl2 commented 1 year ago

Hi @reyesmfabian,

This behavior is intentional and by design of freeRASP. The Commercial Version of Talsec RASP+AppiCrypt SDK has solutions to address these issues in its design.

These are:

  • Configurable app-kill within SDK, implemented at the low level of SDK.
  • AppiCrypt. Cryptographical proof of RASP+ functioning and zero-trust concept. This is the RASP-based cryptogram that is delivered to the Backend as an HTTP header parameter and verified by the backend to prevent calls from compromised clients.

The freeRASP provides a simple public interface that notifies the developers about detected threats without any need to be dependent on 3rd party services, and as you've highlighted above, there are some limitations to this approach. In general, hardcoded security measures (like in whatever RASP) can always be disabled or bypassed if the reverse engineer has enough time to understand the code. We are aware of this intrinsic limitation. Nevertheless, we partially mitigate it by forcing obfuscation techniques on our clients that prevent the usage of automated scripts.

In the context of RASP, for security measures to be truly effective, they need to be integrated tightly into the application's architecture. It's best practice to move the security evaluation to the server side (attestation). But this approach comes with a far more complicated integration process that can also differ for various technology stacks and platforms. If you are interested in this more secure approach, please contact us with a Demo or meeting request, and we can further elaborate on your case.

Security is an ongoing process, and we are committed to improving our product's security features. We appreciate your input and encourage further discussion on these topics. Please feel free to share any additional insights, suggestions, or concerns.

Best regards, Talsec Team

reyesmfabian commented 1 year ago

Thank you very much for your answer. Do you think something can be done for the freeRASP version in this regard? As indicated in the evidence, it is extremely easy for a person with half knowledge to perform a complete bypass of the entire security solution; therefore, this add-on would really not be very useful. It occurs to me, for example, to try to obfuscate those variables in some way, or not to depend on a simple string for the correct detection of the whole solution.

Nice to greet you

JoshiJoshiJoshi commented 1 year ago

> Hi @reyesmfabian,
>
> This behavior is intentional and by design of freeRASP. The Commercial Version of Talsec RASP+AppiCrypt SDK has solutions to address these issues in its design.
>
> These are:
>
>   • Configurable app-kill within SDK, implemented at the low level of SDK.
>   • AppiCrypt. Cryptographical proof of RASP+ functioning and zero-trust concept. This is the RASP-based cryptogram that is delivered to the Backend as an HTTP header parameter and verified by the backend to prevent calls from compromised clients.
>
> The freeRASP provides a simple public interface that notifies the developers about detected threats without any need to be dependent on 3rd party services, and as you've highlighted above, there are some limitations to this approach. In general, hardcoded security measures (like in whatever RASP) can always be disabled or bypassed if the reverse engineer has enough time to understand the code. We are aware of this intrinsic limitation. Nevertheless, we partially mitigate it by forcing obfuscation techniques on our clients that prevent the usage of automated scripts.
>
> In the context of RASP, for security measures to be truly effective, they need to be integrated tightly into the application's architecture. It's best practice to move the security evaluation to the server side (attestation). But this approach comes with a far more complicated integration process that can also differ for various technology stacks and platforms. If you are interested in this more secure approach, please contact us with a Demo or meeting request, and we can further elaborate on your case.
>
> Security is an ongoing process, and we are committed to improving our product's security features. We appreciate your input and encourage further discussion on these topics. Please feel free to share any additional insights, suggestions, or concerns.
>
> Best regards, Talsec Team

Can you provide an APK using your commercial version to prove your claims? Every security issue that has been reported so far has been responded back that the commercial version is not affected by it.

talsec-app commented 1 year ago

Hello @JoshiJoshiJoshi,

We acknowledge @reyesmfabian 's work and others who have conducted their own investigations into the internals, and we are actively researching ways to improve in this area as well. Uploading the commercial APK here is not our preferred option. As mentioned in the previous response, we can schedule a session to showcase our commercial solutions. Please book a time slot on the calendar.

Kind regards, Talsec Team

syakymchuk commented 1 year ago

> Can you provide an APK using your commercial version to prove your claims? Every security issue that has been reported so far has been responded back that the commercial version is not affected by it.

Hi @JoshiJoshiJoshi, would you mind contacting me directly? We will give you the APK. But I want to contact you to explain how we protect the Mobile Solution with the help of AppiCrypt and other features that rely partially on the backend part to link the App logic and integrity with backend-based features.

Link for contact here or on the https://talsec.app

SirionRazzer commented 8 months ago

freeRASP v6.4.0 improves reaction obfuscation, making the life of an attacker harder. The new reaction obfuscation should address the described type of attacks adequately.