Prevention Controls Reference
Prevention controls actively block, restrict, or harden risky behavior. Unlike detection controls, they usually do not trigger response actions. They are configured as security settings and take effect in protected builds.
For the full per-control inventory, see the Individual Control Reference.
Prevention controls can change what users and testers experience directly. Validate them in context: the right setting for a payment screen may not be appropriate for every screen in a consumer app.
How Prevention Controls Work
| Characteristic | Behavior |
|---|---|
| Configuration | Usually enabled or disabled in the portal or API. |
| Timing | Most changes apply to the next protected build. |
| User experience | Often silent. Users may see blocked behavior rather than an alert. |
| Logging | Detection controls provide event logging; prevention controls focus on enforcement. |
| Best practice | Test in Development or Staging before promoting to Production. |
Screen And Display Protection
| Control | Platforms | Minimum plan | What it does |
|---|---|---|---|
| Screenshot Prevention | iOS | Team | Reduces screenshot and supported capture exposure on iOS. |
| Screen Recording Prevention | iOS | Team | Displays a privacy screen during iOS screen recording and related capture flows. |
| Task Switcher Content Protection | Android, iOS | Team | Hides or obscures app content in the recent-apps or app-switcher preview without blocking foreground screenshots. |
| Android Screen Capture Protection | Android | Free | Blocks screenshots, recordings, task switcher previews, and unsafe external display for protected Android screens. |
Use these controls for financial data, health records, identity documents, one-time codes, enterprise data, or any workflow where visual disclosure is unacceptable.
Input And Sharing Protection
| Control | Platforms | Minimum plan | What it does |
|---|---|---|---|
| Clipboard Protection | Android, iOS | Team | Blocks copy/cut paths that could move sensitive data to the system clipboard. |
| Autofill Suggestion Prevention | Android | Team | Reduces exposure of sensitive form values through autofill suggestions. |
| Keyboard Cache Prevention | iOS | Team | Prevents sensitive text from being learned by keyboard suggestions. |
| File Sharing Prevention | iOS | Team | Reduces exposure through system file-sharing surfaces. |
| System Sharing Suppression | iOS | Team | Restricts system share sheet paths for sensitive content. |
| Spotlight And Handoff Suppression | iOS | Team | Prevents sensitive content from appearing in Spotlight, Handoff, and related surfaces. |
Use these controls on login, payment, personal information, document, and administrative screens.
Storage And Backup Protection
| Control | Platforms | Minimum plan | What it does |
|---|---|---|---|
| Storage Permission Hardening | Android | Team | Restricts internal files directory permissions and repairs world-accessible SharedPreferences files. |
| Storage Encryption | iOS | Team | Applies iOS Data Protection to supported app data paths. |
| Android Backup Prevention | Android | Team | Disables application backup behavior for protected Android builds. |
| iOS Backup Protection | iOS | Team | Protects AppTego-managed files from backup exposure. |
| Keychain Accessibility Hardening | iOS | Team | Applies stricter keychain accessibility behavior for supported entries. |
Use these controls when devices may be lost, jailbroken/rooted, backed up to unmanaged systems, or subject to forensic extraction.
Runtime And Component Hardening
| Control | Platforms | Minimum plan | What it does |
|---|---|---|---|
| Set Debuggable to False | Android, iOS | Team | Ensures Android protected builds are not marked debuggable and blocks debugger attachment where supported. |
| Overlay Prevention | Android | Free | Blocks risky overlay behavior that could obscure or manipulate app UI. |
| Exported Components Lockdown | Android | Team | Restricts Android components that other apps can invoke. |
| Immutable PendingIntent Enforcement | Android | Team | Hardens PendingIntent usage against mutation by other apps. |
| Task Hijacking Prevention | Android | Team | Reduces activity/task hijacking risk. |
| WebView Hardening | Android, iOS | Team | Applies safer defaults for embedded web content. |
Use these controls for apps with sensitive transactions, authentication flows, embedded web views, or inter-app communication surfaces.
Network Protection
| Control | Platforms | Minimum plan | What it does |
|---|---|---|---|
| Cleartext Traffic Prevention | Android | Enterprise | Blocks cleartext HTTP traffic in protected builds. |
| TLS 1.3 Only | Android, iOS | Enterprise | Requires TLS 1.3 on supported platform networking APIs. |
| Certificate Transparency | Android | Enterprise | Enforces certificate transparency policy for configured domains. |
| Certificate Pinning | Android, iOS | Enterprise | Restricts TLS trust to approved certificate keys. |
Validate backend, CDN, analytics, and third-party SDK endpoints before enabling strict transport settings in Production.
Prevention And Detection Together
Prevention and detection are strongest when used together.
| Scenario | Recommended layering |
|---|---|
| Sensitive Android screens | Android Screen Capture Protection plus Screen Capture Detection when strict screenshot blocking is required. |
| Sensitive iOS screens | Screenshot Prevention plus Screen Capture Detection. |
| Screen recording risk | Screen Recording Detection; add Screen Recording Prevention for protected iOS screens. |
| Proxy or MITM risk | Certificate Pinning plus Proxy Usage Detection. |
| Runtime analysis risk | Set Debuggable to False plus Debuggable Detection, Debugger Detection, Hook Detection, and Hooking Detection. |
| Data leakage risk | Clipboard Protection plus Third-Party Keyboard Detection and Storage Permission Hardening on Android or Storage Encryption on iOS. |
Enabling Prevention Controls
- Open the AppTego Portal.
- Select the intended configuration version: Development, Staging, or Production.
- Open the relevant control section.
- Enable the prevention setting.
- Save the configuration.
- Build a new protected app with that configuration version.
- Test expected behavior on physical devices before promotion.
Enterprise live configuration can update supported runtime settings without a rebuild, but only if live configuration was enabled before the app was built.
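One way to pre-check a protected Android build before device testing is to audit its decoded manifest. This is an added example, not AppTego code. It assumes the manifest has already been decoded to text XML and that the controls surface as the standard `android:debuggable`, `android:allowBackup`, `android:usesCleartextTraffic` and `android:exported` attributes, which this page does not state. `audit_manifest` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample of a decoded AndroidManifest.xml; not from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="false"
      android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.bank.PUSH"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (control, finding) pairs where the manifest contradicts a control."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    # (attribute, related control, value assumed when the attribute is absent).
    # Platform defaults: debuggable=false, allowBackup=true; the cleartext
    # default depends on targetSdkVersion, so an absent value is reported.
    checks = [("debuggable", "Set Debuggable to False", "false"),
              ("allowBackup", "Android Backup Prevention", "true"),
              ("usesCleartextTraffic", "Cleartext Traffic Prevention", "unset")]
    for attr, control, default in checks:
        value = app.get(ANDROID + attr, default)
        if value != "false":
            findings.append((control, f"android:{attr}={value}"))
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = comp.get(ANDROID + "exported")
            has_filter = comp.find("intent-filter") is not None
            launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                           for c in comp.iter("category"))
            # No android:exported plus an intent-filter means exported for apps
            # targeting below Android 12, so treat that case as reachable.
            reachable = exported == "true" or (exported is None and has_filter)
            guarded = comp.get(ANDROID + "permission") is not None
            if reachable and not launcher and not guarded:
                findings.append(("Exported Components Lockdown", f"{tag} {comp.get(ANDROID + 'name')}"))
    return findings
```

On Android 7.0 and later, a Network Security Config, when present, takes precedence over `android:usesCleartextTraffic`, so review that file as well before relying on the manifest attribute.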
Product And Support Checklist
| Area | What to decide |
|---|---|
| User experience | Whether blocked behavior needs explanatory copy elsewhere in the app or support center. |
| Scope | Whether the prevention should apply globally or only to sensitive workflows where supported. |
| QA coverage | Which devices, OS versions, app flows, and accessibility needs must be tested. |
| Support readiness | How support should respond when users report blocked screenshots, sharing, clipboard, or network behavior. |