Glossary
Mobile Application Security Glossary.
Welcome to our practical glossary of key mobile app security terms. These are our definitions of threats like reverse engineering and eKYC fraud, and protection mechanisms like RASP and Mobile API Protection. Designed for developers, security teams, and compliance professionals.
Anti-Malware
A protective layer that scans the device for the presence of known malware, spyware, and Potentially Unwanted Applications (PUAs) like auto-clickers, screen recorders, and virtual camera apps. It can use signature-based detection, heuristic analysis, and behavioral monitoring to identify threats on the device that could interfere with the protected application.
Binary Modification and Patching
A specific form of static tampering where an attacker directly alters the executable code or library files within the application package on disk. This is often done to permanently disable security controls, unlock features, or inject malicious startup logic.
Code and Resource Encryption
The process of transforming an application's executable code (e.g., DEX files) and resources into encrypted ciphertext. At runtime, a secure, protected loader mechanism is responsible for decrypting and loading this content into memory. The security of this protection is entirely dependent on the robustness of the runtime decryption logic and key protection.
Device Attestation
Device Attestation detects when emulators are being used, when a device has root privilege (or has been jailbroken), and when it is running custom firmware. Device attestation mechanisms such as root and emulator detection may also sometimes be categorised as RASP mechanisms.
Device Binding
The process of cryptographically linking a user's account or session to a specific, verified instance of the application on a particular device. This makes sure that stolen session tokens or credentials cannot be easily used on a different device, making account takeovers significantly more difficult.
Device Intelligence
The practice of fingerprinting a device and its environment to create a unique identifier and risk profile. It goes beyond attestation by collecting hundreds of data points (OS version, network details, hardware identifiers, installed apps, and more) to detect anomalies, identify emulators, and assess the risk associated with a particular device session.
Dynamic Analysis
The analysis of an application's behavior while it is executing. This is typically performed in a controlled environment (like an emulator or an instrumented device) to observe runtime data, network traffic, and API calls, often to discover vulnerabilities that are not apparent statically (DAST).
Dynamic Binary Instrumentation
A technique for analyzing the behavior of a compiled application by injecting code into it as it runs. This allows for monitoring and modification of the application's execution flow at the instruction level. The most popular DBI framework for mobile is Frida.
eKYC Fraud
Bad actors can circumvent the ID verification process using virtual camera apps and AI. This allows them to open accounts fraudulently and take out loans or apply for credit. Dealing with the fallout of eKYC fraud costs banks large quantities of time and money.
Emulation and Virtualization
The use of software to create an environment where a mobile app can run outside of a physical device. Emulators mimic the hardware architecture (e.g., running an ARM-based Android OS on an x86 computer). On-device virtualization apps create a contained, separate OS environment on the phone itself. Attackers use both to gain deep control, bypass hardware-based security, and automate attacks.
Fraud via Banking Trojans
Advanced malware that specifically targets financial applications. Modern trojans can abuse Accessibility Services to perform Automated Transfer Systems (ATS), intercept 2FA codes from SMS or notifications, log keystrokes, and use overlays to steal credentials.
Hooking
A runtime technique used to intercept and alter function calls, method executions, or system API calls within a running application. It's a core component of dynamic instrumentation frameworks like Frida or Xposed, enabling attackers to monitor and manipulate app behavior in real-time.
Interference from Auto Clicker Applications
Software that automates user input events like taps, swipes, and text entry, often by abusing Accessibility Services. This enables attackers to script fraudulent actions at scale, such as bulk transaction creation or ad fraud, without human interaction.
Interference from Virtual Camera Apps
The use of software tools to substitute a live camera feed with a pre-recorded video or a manipulated image. This is a common attack vector for bypassing liveness detection and other identity verification (eKYC) processes that rely on camera input.
Man-in-the-Middle (MitM) Attacks
An attack where a bad actor intercepts and potentially alters communication between the mobile app and its backend server. This is commonly executed by persuading the device to trust an attacker-controlled Certificate Authority (CA), allowing for the decryption of TLS/SSL traffic, or by exploiting misconfigurations in the app's network security.
Mobile API Protection
A security control, also known as Client Attestation, that ensures API requests are coming only from a trusted, unmodified instance of the mobile app. It works by having the app generate a cryptographic proof-of-integrity (a signature or token) for each API request, which the backend server validates. This blocks bots, scripts, and tampered clients from abusing the API.
Obfuscation
A set of transformations applied to an application's code and metadata (class/method/field names, strings) to make it computationally difficult and time-consuming for a human to reverse-engineer. Obfuscation is a deterrent that raises the cost and complexity of static analysis, but does not alter the app's logic.
Overlay Attacks and Fake Interfaces
An attack where a malicious app draws a fake window on top of a legitimate app's UI to capture user input. This technique, also known as tapjacking, is used to steal credentials, authorize fraudulent transactions, or capture other sensitive information.
Reverse Engineering
The comprehensive process of deconstructing and analyzing a compiled application to understand its internal logic, architecture, algorithms, and data flows. It encompasses both static analysis (like decompilation) and dynamic analysis (like runtime instrumentation).
Rooted and Jailbroken Devices
Devices where the user has gained administrative (root) access, thereby disabling the core operating system's security model, including the application sandbox. This allows the user and any malicious apps to bypass system-wide restrictions, access other applications' data, and load powerful instrumentation frameworks required for hooking and tampering.
Runtime Application Self Protection (RASP)
A security technology that enables an application to detect and actively respond to attacks in real-time. It monitors for signs of dynamic analysis and tampering—such as attached debuggers, active instrumentation frameworks (Frida), or hooking attempts, and can trigger responses like terminating the session, alerting a server, or shutting down the app.
Runtime Integrity Checks
A security mechanism where the application, at runtime, verifies that its own code and resources have not been modified. This is typically done by comparing the checksums or cryptographic signatures of its files on disk against known-good values embedded within the app.
DexProtector takes it even further, applying proprietary techniques to achieve the highest possible levels of integrity control that have highest levels of resistance to static and dynamic interference.
Screen Capture
The programmatic capture of the device's screen content. This can be performed by malicious applications (often abusing Accessibility or MediaProjection APIs) to steal sensitive information displayed on the UI, such as credentials, balances, or one-time passwords.
Secure Storage
The practice of storing sensitive data (keys, tokens, user data) within an encrypted, tamper-resistant container inside the application's private storage. This goes beyond simple file encryption and often leverages platform hardware (like the Android Keystore or iOS Secure Enclave) or white-box techniques to protect the storage encryption keys themselves.
Software-Protected Cryptography
A broad term for protecting cryptographic operations and keys in software when hardware protection is unavailable or insufficient. It is an umbrella category that includes techniques like white-box cryptography, obfuscation, and anti-debugging applied specifically to the cryptographic logic to make tracing the code and extracting secrets computationally infeasible.
Threat Intelligence
A system that collects, aggregates, and correlates security event data from a large population of instances of a protected application. This collective intelligence allows for the proactive identification of emerging threats, new malware variants, attack infrastructure, and fraudulent activity patterns that would be invisible from the perspective of a single device.
Unauthorized API Clients
Any API request made to a mobile application's backend that does not originate from a genuine, untampered instance of the official mobile app. This includes bots, scripts, custom tools, outdated app versions, and repackaged apps, all of which attempt to interact directly with the API to exploit business logic or steal data.
Virtualization (On-Device)
A technique where a fully-fledged, secondary operating system runs inside an application on the host device. These environments (e.g., VirtualXposed, F1VM) are often pre-rooted and come with instrumentation tools, allowing attackers to bypass system-level restrictions and analyze apps in a controlled, hostile environment without needing to root the physical device.
Virtualization (Protection)
An advanced code protection technique that transforms an application's original bytecode into a new, proprietary instruction set for a custom virtual machine (VM). The protected application then includes a VM interpreter to execute this virtualized code at runtime. This renders standard decompilers useless and forces an attacker to reverse-engineer the entire custom VM architecture, which is a significantly more complex task.
vTEE
A software-based implementation of a Trusted Execution Environment (TEE) that creates a secure, isolated container within the application's own memory space. It is cryptographically sealed from the host OS and other apps, providing a safe environment for executing sensitive operations and storing secrets, even on an untrusted or compromised device.
White-Box Cryptography
A set of techniques for implementing cryptographic algorithms in a way that embeds the cryptographic key directly within the algorithm's implementation. This code is heavily obfuscated and designed to remain secure even if an attacker has full visibility and control over the execution environment (the "white-box" attack model).