Security Controls
AppTego controls are organized by the kind of risk they reduce: runtime detection, active prevention, app integrity, network protection, code obfuscation, privacy telemetry, and build configuration.
Use this section to choose a protection posture before you edit individual controls. A strong rollout starts with the outcome you want, then selects the smallest effective set of controls, validates behavior, and promotes only after protected-app testing.
Plan names in these guides show the minimum tier at which a control becomes available. Enterprise tenants include Team controls unless an individual control page says otherwise.
Start Here
| Guide | Use it to... |
|---|---|
| Security Controls Overview | Understand categories, response actions, platform guidance, and rollout strategy. |
| Detection Controls | Choose detections for device posture, runtime analysis, screen capture, network, and app integrity signals. |
| Prevention Controls | Choose active protections for screens, input, storage, backup, runtime, components, and transport. |
| App Integrity | Plan tamper checks, app update enforcement, Play Integrity, App Attest, and release-control policy. |
| Network Protection | Plan certificate pinning, certificate transparency, TLS policy, cleartext blocking, and proxy detection. |
| Certificate Pinning | Design domain pinning, backup pins, rotation, and failure behavior. |
| Code Obfuscation | Select binary hardening options for Android and iOS builds. |
| Privacy And Telemetry | Decide what device, IP, location, and configuration-refresh data should be collected. |
| Build Configuration | Choose simulator, emulator, and architecture support for protected artifacts. |
| Individual Control Reference | Look up customer-facing details for a specific control. |
Recommended Rollout Pattern
- Start with detection controls in Log mode to measure real-world device posture.
- Validate false-positive behavior on QA and internal pilot devices.
- Move critical threats to Message, Redirect, or Terminate responses only after testing.
- Add prevention controls for sensitive screens, data entry, local storage, and network transport.
- Enable obfuscation and integrity checks for release builds.
- Review dashboard and device logs after each production rollout.
Common Starting Points
| App profile | Sensible first posture |
|---|---|
| General consumer app | Start with core detections in Log mode, screen/privacy prevention where needed, and basic release validation. |
| Financial, healthcare, identity, or regulated app | Add app integrity, stronger runtime detections, screen protections, network protection, obfuscation, and clear user messaging. |
| Enterprise-managed app | Align device posture detections, VPN/proxy policy, device lock, SSO, and support messaging with your device management policy. |
| Fraud-sensitive app | Add app cloning, virtual environment, location/time posture, emulator, unknown sources, and integrity controls before strict enforcement. |
| Internal QA or CI build | Enable emulator or simulator architecture support only where testing requires it, then validate final release behavior on physical devices. |
Control Configuration Vocabulary
| Term | Meaning |
|---|---|
| Detection | A control that observes a threat condition and triggers a response action. |
| Prevention | A control that blocks or hardens a behavior without a separate response action. |
| Integrity | A control that verifies the app, device attestation result, or protected binary state. |
| Build-time | Protection applied while AppTego processes the app binary. |
| Runtime | Protection that executes on the end user's device. |
| Live configuration | Supported Enterprise settings that can be updated without rebuilding, provided the app was prepared for live updates before release. |
| Minimum plan | The lowest public plan tier that can use the control; higher tiers include it unless the control page says otherwise. |