Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
January 27, 2023 12:44
January 31, 2023 12:22
June 24, 2021 11:25
April 24, 2023 10:21

GitHub Repo stars GitHub GitHub extra_pedantic on


In-App protection is a mobile security technology that allows mobile applications to check the security state of the environment they run within, actively counteract attack attempts, and control the integrity of the app. Such technology is also called RASP (Runtime App Self Protection) or App Shielding.

freeRASP is a mobile in-app protection and security monitoring SDK. It aims to cover the main aspects of RASP and application shielding.

📔 Table of contents


The freeRASP is a lightweight and easy-to-integrate security library designed to protect apps from potential threats during their runtime. It contains multiple security checks, each aimed to cover a possible attack vector to ensure a high level of application security. Among other options, it is able to detect reverse engineering, repackaging or cloning attempts, and running in an unsafe OS environment. It is freely distributed for all mobile platforms and is also available for Flutter, Cordova and React Native developers.

You can check platform-specific submodules for the installation guide and specific details down below:

Key advantages

🎯 Features

freeRASP provides protection against potentially dangerous behavior, including the following:

✔️ Using rooted or jailbroken devices (e.g., unc0ver, check1rain)

✔️ Reverse engineering attempts

✔️ Running hooking frameworks (e.g., Frida, Xposed or Shadow)

✔️ Tampering or repackaging the application

✔️ Installing the app through untrusted methods/unofficial stores

Visit our wiki to learn more details about the performed checks and their importance for app security.

Security report

The Security Report is a weekly summary describing the application's security state and characteristics of the devices it runs on in a practical and easy-to-understand way.

The report provides a quick overview of the security incidents, their dynamics, app integrity, and reverse engineering attempts. It contains info about the security of devices, such as OS version or the ratio of devices with screen locks and biometrics. Each visualization also comes with a concise explanation.

enter image description here

📤 App security monitoring service

App security monitoring service are shared both for Android and iOS. App security monitoring service (i.e., reports and email alerts) for freeRASP are provided by Talsec free of charge within FUP. Only commercial plans currently support customer managed or inhouse audit/monitoring data collection cloud service. freeRASP SDK sends security diganostics data to Talsec cloud DB. It implies:

  • Anonymized data logs are sent to ElasticSearch
  • Data are continuously evaluated and ML-classified to detect anomalies
  • Each account can set up a Watcher to receive weekly alerts about detected attempts for app modifications

Data Collection, Processing, and GDPR compliance

freeRASP SDK collects anonymized security diagnostics data from the Apps. It includes technical information about the state of security and integrity of Devices and App instances. It includes anonymous app instance and device IDs. This information allows Talsec to implement a PDF security report feature. Data is also used to improve the product and prepare mobile security reports.

Data collection can be disabled or configured to address customers' DB in premium service plans of Talsec (see RASP+)

By April 2022 Google Play requires all app publishers to declare how they collect and handle user data for the apps they publish on Google Play. They should inform users properly of the data collected by the apps and how the data is shared and processed. Therefore, Google will reject the apps which do not comply with the policy.

Apple has a similar approach and data types specification.

Talsec recommends adding the following statements to the Privacy Policy page dedicated to your app. Also, use the text below while filling in the Google Play Safety Section or similar for Apple App Store publishing.

For the purpose of Fraud prevention, user safety, and compliance the dedicated App safety SDK needs to send the following anonymous diagnostic data off the device for detection of security issues. Thus the application collects the following data:
  • Category: App info and performance
    • Data Type: Diagnostics
    • Information about the integrity of the app and the operating system. For example, rooting, running in an emulator, hooking framework usage, etc...
  • Category: Device or other identifiers
    • Data Type: Device or other identifiers
    • Information that relates to an individual device. For example, a device model and anonymous identifier to control that app instance executed on the original device that it was initially installed on. It is needed to combat threats like bots and API abuse.

All the data collected by the freeRASP Talsec Security SDK is considered non user sensitive. Also, there is no technical way to identify the real person by the identifiers collected by freeRASP SDK.

Google Play’s User Data policy indicates that a prominent disclosure should be presented to the users, in case of an app collecting personal or sensitive data.

Though freeRASP collects diagnostical data (anonymous and not user-related ), the App publisher should consider adding a disclosure screen, describing why the security diagnostic data is needed, what data, and how the data is used. Link to best practices and guidelines of Google.

An example of a disclosure screen:

📊 Talsec Commercial Subscriptions

Talsec offers commercial plans for customers to:

  • Pass external penetration testing
  • Comply with FinTech grade regulations
  • Gain OWASP MAS Compliance
  • Protect APIs and combat fraud
  • Win the time needed for coding app security best practices

To get the most advanced protection compliant and support from our experts, contact us at

The commercial version provides a top-notch protection level, extra features, support, and maintenance. One of the most valued commercial features is AppiCrypt® - App Integrity Cryptogram.

It allows easy to implement API protection and App Integrity verification on the backend to prevent API abuse:

  • Bruteforce attacks
  • Botnets
  • API abuse by App impersonation
  • Session-hijacking
  • DDoS

It is a unified solution that works across all mobile platforms without dependency on external web services (i.e., without extra latency, an additional point of failure, and maintenance costs).

Learn more about commercial features at

TIP: You can try freeRASP and then upgrade easily to an enterprise service.

Plans Comparison

freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impose some limitations on the free usage. See the FUP section in the table below

freeRASP Business RASP+
Runtime App Self Protection (RASP, app shielding)
Advanced root/jailbreak protections basic advanced
Runtime reverse engineering controls
  • Debug
  • Emulator
  • Hooking protections (e.g. Frida)
basic advanced
Runtime integrity controls
  • Tamper protection
  • Repackaging / Cloning protection
  • Device binding protection
  • Unofficial store detection
basic advanced
Device OS security status check
  • HW security module control
  • Screen lock control
yes yes
UI protection
  • Overlay protection
  • Accessibility services protection
no yes
Hardening suite
Security hardening suite
  • Customer Data Encryption (local storage)
  • End-to-end encryption
  • Strings protection (e.g. API keys)
  • Dynamic certificate pinning
no yes
AppiCrypt® - App Integrity Cryptogram
API protection by mobile client integrity check, online risk scoring, online fraud prevention, client App integrity check. The cryptographic proof of app & device integrity. no yes
AppSec regular email reporting yes (up to 100k devices) yes
Data insights and auditing portal no yes
Embed code to integrate with portal no yes
API data access no yes
Fair usage policy
Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section of the Talsec web or in the social media) over 100k downloads no
Threat signals data collection to Talsec database for processing and product improvement yes no

For further comparison details (and planned features), follow our discussion.

Community Development

Contributions are always welcomed. With new threats arising, protections currently in place need to be continuously updated. You can start contributing in many different ways:

  • Filing or reporting issues
  • Working on one of the existing issues
  • Browsing existing code and manuals and proofreading it

Support and maintenance are in the hands of the community. Feel free to open new issues and ask questions.

About Us

Talsec is an academic-based and community-driven mobile security company. We deliver in-App Protection and a User Safety suite for Fintechs. We aim to bridge the gaps between the user's perception of app safety and the strong security requirements of the financial industry.

Talsec offers a wide range of security solutions, such as App and API protection SDK, Penetration testing, monitoring services, and the User Safety suite. You can check out offered products at our web.


This project is provided as freemium software i.e. there is a fair usage policy that impose some limitations on the free usage. The SDK software consists of opensource and binary part which is property of Talsec. The opensource part is licensed under the MIT License - see the LICENSE file for details.