Methodology for Analyzing RASP Protections in Android Apps

The Just Mobile Security article outlines a basic methodology for researching the behavior of RASP (Runtime Application Self-Protection) solutions on Android using static analysis, Frida, and Radare2.
Modern RASP implementations have shifted critical detection logic from the Java/Smali layer into native libraries. Meanwhile, Java code is heavily obfuscated, strings are encrypted, and checks run at runtime—making static analysis alone insufficient.
The methodology covers:
• the importance of properly configuring the test environment (selecting a root method, ensuring Play Integrity passes) as the foundation of the analysis,
• examining the Java ↔ native interface via JNI and System.loadLibrary,
• dynamically monitoring app behavior: hooking libc functions (open, snprintf), analyzing /proc/self/maps|status|fd, and tracking process termination logic,
• analyzing direct system calls (SVC) with Radare2 and Frida when RASP invokes syscalls directly instead of standard libc functions.
The r2pay app from MAS Crackmes is used as the main example.
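The last step above, locating direct SVC calls in a native library, can be approximated with a small static scan. This is an added example, not code from the Just Mobile Security article: the function name, the look-back heuristic, and the sample bytes are assumptions constructed here, and a disassembler such as Radare2 does this with real data-flow analysis.

```python
import struct

# AArch64 encodings: svc #imm16, and movz w/x<rd>, #imm16 (32- or 64-bit form).
SVC_MASK, SVC_BITS = 0xFFE0001F, 0xD4000001
MOVZ_MASK, MOVZ_BITS = 0x7F800000, 0x52800000

# A few arm64 Linux syscall numbers relevant to file, /proc and exit checks.
SYSCALLS = {56: "openat", 57: "close", 63: "read", 78: "readlinkat",
            93: "exit", 94: "exit_group", 129: "kill", 172: "getpid"}

def find_direct_syscalls(code, window=4):
    """Return (offset, syscall_nr, name) for each svc instruction in raw code.

    Heuristic: the syscall number is taken from the nearest preceding
    'mov w8/x8, #imm' within `window` instructions; None if not found
    (for example when x8 is loaded from memory or set far earlier).
    """
    count = len(code) // 4
    words = struct.unpack("<%dI" % count, code[:count * 4])
    hits = []
    for i, word in enumerate(words):
        if (word & SVC_MASK) != SVC_BITS:
            continue
        nr = None
        for prev in reversed(words[max(0, i - window):i]):
            is_movz = (prev & MOVZ_MASK) == MOVZ_BITS
            if is_movz and (prev & 0x1F) == 8 and ((prev >> 21) & 3) == 0:
                nr = (prev >> 5) & 0xFFFF
                break
        hits.append((i * 4, nr, SYSCALLS.get(nr)))
    return hits

# Constructed sample (not taken from r2pay): three svc sites, one unresolved.
NOP, SVC0, RET = 0xD503201F, 0xD4000001, 0xD65F03C0
SAMPLE = struct.pack("<13I",
                     NOP, 0xD2800708, SVC0,        # mov x8, #56 ; svc #0
                     NOP, 0x52801028, NOP, SVC0,   # mov w8, #129 ; nop ; svc #0
                     RET, NOP, NOP, NOP, NOP, SVC0)  # no x8 setup in window

if __name__ == "__main__":
    for offset, nr, name in find_direct_syscalls(SAMPLE):
        print("0x%04x  svc  nr=%s  %s" % (offset, nr, name or "?"))
```

Sites reported with an unresolved number are the ones to inspect by hand in the disassembler.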
Vendors
Just Mobile Security
MAS Crackmes
Products
Android
Frida
Java
Play Integrity
R2Pay
Radare2
Published
2026-04-09, 13:05