Individual Control Reference
This section contains customer-facing reference pages for AppTego controls. Use it when you need details about a specific control after reviewing the higher-level Security Controls guides.
How To Read Control Pages
Each control page should answer these questions:
| Question | What to look for |
|---|---|
| What does it protect against? | Summary, threat model, and recommended use cases. |
| Where does it run? | Android, iOS, build-time, runtime, server-side, or hybrid behavior. |
| Who can use it? | Plan availability and required platform version. |
| How do I roll it out? | Portal configuration, rebuild requirements, live configuration support, and testing notes. |
| What can users notice? | App behavior, messages, redirects, blocked actions, and compatibility considerations. |
Detection Controls
Detection controls identify a threat condition and trigger a configured response action such as Log, Message, Redirect, or Terminate.
| Control | Primary platform focus | Use when |
|---|---|---|
| Accessibility Service Detection | Android | Accessibility services could observe or automate sensitive flows. |
| App Cloning Detection | Android | Multiple app instances or cloned environments are a fraud or policy risk. |
| Debuggable Detection | Android, iOS | Runtime debugging or inspection tools may be active in production. |
| Debugger Detection | iOS | Runtime debugger attachment must be detected. |
| Developer Options Detection | Android, iOS | Developer settings indicate a relaxed device security posture. |
| Device Lock Detection | Android, iOS | Users should have a passcode, PIN, pattern, or biometric lock configured. |
| Emulator Detection | Android, iOS | Apps should not run in emulators, simulators, or virtual test environments. |
| Hook Detection | Android | Runtime instrumentation frameworks may be intercepting app behavior. |
| Hooking Detection | iOS | Runtime method interception or injected libraries may be present. |
| Jailbreak Detection | iOS | Jailbroken devices are outside the expected OS security model. |
| Location Spoofing Detection | Android, iOS | Location data is part of fraud prevention, compliance, or access decisions. |
| Memory Tamper Detection | iOS | Runtime memory modification must be detected. |
| Overlay Detection | Android | Tapjacking or overlay attacks could mislead users. |
| Proxy Usage Detection | Android, iOS | Intercepting proxies could observe or alter API traffic. |
| Root Detection | Android | Rooted devices may expose app data or allow runtime modification. |
| Screen Capture Detection | Android, iOS | Screenshot attempts should be detected. |
| Screen Mirroring Detection | Android, iOS | Sensitive screens should not be mirrored to external displays. |
| Screen Recording Detection | Android | Screen recording sessions should be detected. |
| Third-Party Keyboard Detection | Android, iOS | Input methods could capture sensitive text. |
| Time Tampering Detection | Android, iOS | Clock manipulation could affect sessions, trials, licenses, or certificates. |
| Unknown Sources Detection | Android, iOS | Sideloaded or unofficial installation paths are a policy risk. |
| USB Connection Detection | Android | USB debugging or connected-device workflows are not allowed. |
| Virtual App Detection | Android | App sandboxing or parallel-space environments may be used to bypass controls. |
| VPN Detection | Android, iOS | Network routing through VPNs is a security or compliance concern. |
Prevention And Hardening Controls
Prevention controls block, restrict, or harden behavior directly. Most changes require a new protected build.
| Control | Primary platform focus | Use when |
|---|---|---|
| Autofill Suggestion Prevention | Android | Sensitive forms should not expose values through autofill suggestions. |
| Android Backup Prevention | Android | Application backup should be disabled for protected Android builds. |
| iOS Backup Protection | iOS | Protected AppTego-managed files should stay out of backup flows. |
| Clipboard Protection | Android, iOS | Copy and paste could leak secrets, PII, or regulated data. |
| Set Debuggable to False | Android, iOS | Android release builds must not be debuggable and debugger attachment should be blocked where supported. |
| Exported Components Lockdown | Android | Android components should not be callable by other apps unless explicitly allowed. |
| File Sharing Prevention | iOS | Files should stay out of system sharing surfaces. |
| Immutable PendingIntent Enforcement | Android | PendingIntent mutation could be abused by another app. |
| Keyboard Cache Prevention | iOS | Sensitive text should not be stored in keyboard learning caches. |
| Keychain Accessibility Hardening | iOS | Keychain entries should use stricter accessibility classes. |
| Overlay Prevention | Android | Overlay windows should be blocked on sensitive screens. |
| Screen Recording Prevention | iOS | App content should not be captured by screen recording. |
| Screenshot Prevention | iOS | Supported platform capture surfaces should reduce exposed app content. |
| Android Screen Capture Protection | Android | Screenshots, recordings, task switcher previews, and unsafe external display should be blocked. |
| Spotlight And Handoff Suppression | iOS | App data should not appear in Spotlight, Handoff, or related surfaces. |
| Storage Permission Hardening | Android | Internal files and SharedPreferences should not be world-accessible. |
| Storage Encryption | iOS | Supported app-managed local data should use iOS Data Protection. |
| System Sharing Suppression | iOS | System share sheets should not expose sensitive app content. |
| Task Hijacking Prevention | Android | Activity/task spoofing could redirect users into malicious flows. |
| Task Switcher Content Protection | Android, iOS | Recent-app previews should not show sensitive content. |
| WebView Hardening | Android, iOS | Embedded web content needs stricter runtime defaults. |
Integrity And Attestation Controls
Integrity controls help verify that the app, device, or protected configuration is trustworthy.
| Control | Primary platform focus | Use when |
|---|---|---|
| App Tamper Detection | Android, iOS | Modified binaries or altered resources must be detected. |
| Apple App Attest | iOS | The app instance should be attested by Apple services. |
| Enforce App Update | Android, iOS | Users should move to a newer app version before continuing. |
| Enforce Latest Configuration | Android, iOS | Deployed apps should refuse stale required configuration. |
| Google Play Integrity | Android | Device and app integrity should be attested by Google Play. |
Network Protection Controls
Network controls harden transport behavior and reduce exposure to interception or downgrade attacks.
| Control | Primary platform focus | Use when |
|---|---|---|
| Certificate Pinning | Android, iOS | API connections should only trust approved certificate keys. |
| Certificate Transparency | Android | Certificate transparency policy should be enforced for configured domains. |
| Cleartext Traffic Prevention | Android | Plain HTTP should be blocked. |
| TLS 1.3 Only | Android, iOS | All required services support TLS 1.3 and downgrade resistance is required. |
Code Obfuscation Controls
Obfuscation controls make static analysis, reverse engineering, and binary modification harder. They are applied during protected builds.
| Control | Primary platform focus | Use when |
|---|---|---|
| Anti-Disassembly | Android | Static analysis should be made more difficult. |
| Arithmetic Encoding | Android | Simple constants and arithmetic patterns should be harder to analyze. |
| Call Indirection | Android | Direct call relationships should be harder to follow. |
| Control Flow Obfuscation | Android | Execution paths should be harder to reconstruct. |
| Dead Code Injection | Android | Analysis should be slowed with non-functional code paths. |
| Encrypt All Code | Android | Stronger code protection is required for high-risk builds. |
| Encrypt Strings | Android, iOS | Hardcoded strings should not be readable in the binary. |
| Encrypt Unicode Strings | iOS | UTF-16 and wide-string content should not be readable in the binary. |
| Instruction Substitution | Android | Equivalent instruction sequences should reduce recognizable patterns. |
| Prevent All Debug Logs | Android | App-authored debug logs should be removed from protected release builds. |
| Objective-C Selector Indirection | iOS | Objective-C selector references should be harder to map through static analysis. |
| Rename Classes | Android | Class names should not reveal implementation structure. |
| Rename Private Members | Android | Private member and method names should not reveal implementation structure. |
| Strip Bitcode | iOS | Legacy bitcode sections should not ship in protected output. |
| Strip Debug Info | Android | Debug metadata should not be present in release artifacts. |
| Strip Debug Symbols | iOS | Symbol metadata should not aid reverse engineering. |
| Reduce Objective-C Metadata | iOS | Objective-C runtime metadata should reveal less app structure. |
| Reduce Swift Reflection Metadata | iOS | Swift type and field metadata should reveal less app structure. |
Privacy And Telemetry Controls
These controls affect what device context is collected or how often configuration is refreshed. Enable them according to your privacy notice, legal basis, and tenant policy.
| Control | Primary platform focus | Use when |
|---|---|---|
| Configuration Update Frequency | Android, iOS | You need to tune how often deployed apps check for configuration updates. |
| Store Device Information | Android, iOS | Device posture and metadata should be available in AppTego logs. |
| Store IP Address | Android, iOS | IP address collection is required for security analytics or compliance. |
| Store Location Information | Android, iOS | Location context is required and covered by your privacy policy. |
Build Configuration Controls
Build configuration controls change the output artifact AppTego creates.
| Control | Primary platform focus | Use when |
|---|---|---|
| Include Simulator Architectures | iOS | QA or CI needs simulator-compatible protected builds. |
| Include x86 Architectures | Android | QA or CI needs emulator-compatible protected builds. |
Choosing Controls
Start with the category guide that matches your goal, then open the linked control page for rollout notes and related controls.
- Use Detection Controls to monitor risky devices, runtime analysis, capture events, and policy violations.
- Use Prevention Controls to block capture, sharing, backup, debug, WebView, and component exposure paths.
- Use App Integrity for tamper detection, platform attestation, and version or configuration enforcement.
- Use Network Protection for TLS, certificate pinning, certificate transparency, and proxy posture.
- Use Code Obfuscation to make protected binaries harder to inspect, modify, or clone.