Hello @davepaiva,

freeRASP for React Native consists of two native SDKs (for iOS and Android) and a JS layer exposing its APIs to React Native. The JS layer is open source. However, it's the SDKs that are responsible for threat detection; this part is not open source and is well obfuscated, so it is not possible to inspect the source code and, for example, bypass freeRASP based on what we don't detect.

However, as you mentioned, there are still some open-source parts. We are aware of this, and in fact it is the major disadvantage of the freemium version. If the attacker/pen-testing team focuses on the protection itself (the freeRASP library), after some time they will find the single point of failure: the notification threat listener (hooks, debug, appIntegrity, ...), which they can potentially bypass.

However, this doesn't mean that using freeRASP is pointless. Our goal is that freeRASP can withstand various types of automated attacks. For example, if you used only some tool to re-sign the APK (without additional analysis and modification of the app), our library should detect it. The same applies to the predefined Frida scripts that are publicly available; they should be detected.

If you require a more robust solution to protect your application, we offer Business RASP+, which does not rely on the "public" threat listener but contains advanced mechanisms for keeping the app safe. The advantages/limitations of the Business vs. freeRASP plans are outlined here.

Regards,