Event types description #1

Closed
lcuis opened this issue Mar 14, 2022 · 4 comments

lcuis commented Mar 14, 2022

Hi,

When we installed our first free_rasp enabled app from the Apple App Store on an iPhone 7, the app would show a "Device ID" RASP event.
Is this expected?

We also noticed that there was a "Passcode" RASP event during what we presume to be the Apple tests. Is this also expected?

Is there a document explaining the various events so that we can understand their severity and relevance?

lcuis commented Mar 14, 2022

Also, the same app got the "Tamper" RASP event while installed on our Android devices from the Google Play Store.

lcuis commented Mar 15, 2022

During their tests of the Android release, the Google Play store apparently got the "Untrusted installation" RASP event.

@talsec-app
Member

Hello,

  • The deviceID event is expected. When an application is reinstalled, the identifierForVendor changes (if no other application from the same vendor using freeRASP is installed). We do not recommend terminating reactions to this event (or to the device binding event).

  • In regards to passcode events: Apple tests may use devices without passcode turned on, therefore the event happens. It is expected.

  • However, in terms of Android tampering, we can see multiple appIntegrity (tamper) incidents in Kibana. All of them are cases where the application was signed using debug signing keys (C=US,O=Android,CN=Android Debug). It could be caused by using the debug signing config in your release build type. If you want more detailed information about these incidents, please contact us at info@talsec.app.

  • There is a possibility of "Untrusted Installation Source" events during the Google app verification process.

We will update the documentation explaining the various events so that their severity and relevance are properly explained. Thank you for your feedback.
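Added example (not part of the thread and not freeRASP's own code): a pre-release check for the debug-signing cause described in the reply above. It reads `apksigner verify --print-certs` output and rejects the debug subject `C=US,O=Android,CN=Android Debug` in any attribute order; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: block a release APK that is signed with the Android debug key.

# Normalize a distinguished name: split on commas, trim spaces, sort the parts.
normalize_dn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | LC_ALL=C sort | paste -sd, -
}
DEBUG_DN=$(normalize_dn "C=US,O=Android,CN=Android Debug")

# Return 0 when the DN is the Android debug subject, whatever the attribute order.
is_debug_dn() { [ "$(normalize_dn "$1")" = "$DEBUG_DN" ]; }

# Read `apksigner verify --print-certs` output on stdin.
# Returns 1 if any signer is the debug key, 2 if no signer line is found, else 0.
check_signers() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"certificate DN: "*)
                found=1
                dn=${line#*certificate DN: }
                if is_debug_dn "$dn"; then echo "debug-signed: $dn" >&2; return 1; fi ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
}

# Real use in a release pipeline (requires apksigner from the Android build tools).
check_apk() { apksigner verify --print-certs "$1" | check_signers; }

# Constructed sample outputs, so the script runs without an APK.
SAMPLE_DEBUG='Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: <constructed-placeholder>'
SAMPLE_RELEASE='Signer #1 certificate DN: CN=Example Release, O=Example Corp, C=US'

for sample in "$SAMPLE_DEBUG" "$SAMPLE_RELEASE"; do
    if printf '%s\n' "$sample" | check_signers 2>/dev/null; then
        echo "release gate: pass"
    else
        echo "release gate: blocked"
    fi
done
```

Treating exit code 2 (no signer line at all) as a failure keeps the gate from passing an unsigned or unreadable artifact.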

lcuis commented Mar 17, 2022

Thank you very much for those explanations.
