DexProtector’s code hardening techniques, such as encryption and obfuscation, are applicable to web-based hybrid apps and are vital in stopping decompilation and modification. The same is true of the RASP checks DexProtector employs to detect jailbroken devices, emulators, and hooking frameworks like Frida. All of these can be used at runtime to carry out dynamic analysis, but if DexProtector detects one of them in your app’s environment, it won’t allow the app to start.
Network interception is a big risk for web-based apps because they use WebView, which doesn’t help with certificate validation. The expectation is that certificate validation be done manually, but that’s not an easy task to undertake.
DexProtector uses a combination of SSL Pinning and Certificate Transparency to make sure requests sent from your app only arrive at your predetermined, genuine server. In this way it helps to stop man-in-the-middle attacks.
Supply chain attacks
Web-based hybrid apps use npm packages as their dependencies. Packages are very easy to publish to npm, however, which means there’s a risk that bad actors could publish malicious packages there. These seemingly harmless libraries could then get picked up to speed up the development process.
With AppCare (a feature within DexProtector Studio) you can scan your application for existing, known vulnerabilities in libraries and dependencies. It’s a great way to make sure that there’s no malicious code within your app that could lead to vulnerabilities further down the line.