Differences between freeRASP vs Business RASP+ #5
Pinned
syakymchuk announced in Announcements
Replies: 3 comments 7 replies
-
Where can I find more info, like how to move to RASP+ and the price?
1 reply
-
What happens if I use the freeRASP free version and my application is downloaded more than 100K times? I ask because I found 100K devices in the description of freeRASP.
5 replies
-
Hello @syakymchuk
1 reply
-
What are the advantages of commercial Talsec SDK subscription plans compared to freeRASP?
First of all, freeRASP is a freemium product. It means there are Fair Usage Policy conditions (over 100K downloads) for using it (see here). Business RASP+ and AppiCrypt are premium products with a subscription model (which includes SW licenses, SLA, maintenance updates, ...) for SDKs. It is not SaaS. It means we don't introduce any dependency on 3rd-party web services for your mobile solution. Talsec doesn't collect any customer data within RASP+, while the freeRASP SDK sends diagnostic information to Talsec servers to provide clients with regular security reports and improve the product. You should consider adding Talsec to the list of Data Processors in case of freeRASP usage.
Here are the TOP 10 advantages of a RASP+ Business Talsec subscription (includes SDK license, SLA, and some services) over freeRASP.
1. Bypass protection. The RASP+ binary SDK is built individually with binding to app-specific data (signing cert hash, package name, team ID, etc.). The freeRASP SDK is entirely the same binary for all users, i.e. "known to attackers". In practice, a freeRASP-protected app is unlikely to pass professional pentesting, because an experienced pentester will be capable of bypassing it.
2. Device data collection by Talsec. Premium customers benefit from full control over telemetry and logging endpoints, i.e. customers can use in-house or managed services like Elastic Cloud to collect mobile threat logs and set up monitoring events for severe threats. The freeRASP SDK sends data to a Talsec-managed cloud DB (AWS in the USA) for product improvements, anomaly detection, freeRASP client reporting and aggregated data analytics.
3. Better resilience of premium RASP+ threat prevention vs API callbacks (aka detection only) in freeRASP. The reactions to threats (like killing the app) can be configured to be triggered inside the RASP+ SDK at a lower level, in native C. Hence it is much harder to locate and bypass by reverse engineering than a reaction made in app logic code, as in freeRASP.
4. AppiCrypt (TM). It is our innovation and an extremely powerful RASP hardening from the back-end that implements the concept of zero trust for the apps world (app/device integrity control at the API gateway level). It is somewhat similar to JWT verification for user authentication, but AppiCrypt verifies that the request is generated by a legitimate and non-compromised app. See details here and the more detailed whitepaper here: AppiCrypt® App Integrity Cryptogram.pdf
5. Additional controls in RASP+. These are:
-- UI overlay attack protection
-- Accessibility service misuse protection
-- Google Play Services or Huawei Services control
-- Strings obfuscation and encryption, aka vaulting, within the RASP SDK (good for hiding API keys, endpoints, URLs)
-- VPN detection/prevention
6. Dynamic TLS pinning SDK. Allows avoiding app republishing in case of certificate expiration or root certificate update.
7. Self-care tools for remote SDK configuration.
8. New upcoming features:
-- Malware detection (coming soon)
-- Remote screen control, screen-cast or screen mirroring detection (coming soon)
Middle-term plan:
-- App enrollment for mutual TLS SDK
-- App voluntary data encryption/decryption (e.g. to protect locally stored user data, app assets like ML models)
-- Simple application-layer E2E encryption. Good for MiTM protection and evil admin (e.g. to combat traffic data sniffing on the server side behind a TLS API gateway, or in server logs).
-- Advanced E2E encryption and app enrollment SDK + Google AppCheck (client app instance bound secrets)
9. Automated app pentesting. Usually, we include free one-time automated app scanning/pentesting in the subscription package. It is good for generic validation of OWASP compliance and preparing for external pentesting.
10. SLA. The premium subscription comes with an SLA for support and maintenance updates.
Feel free to comment and recommend your desired features 👋.
I am happy to answer your questions or make a Demo on the call. Just pick a time slot in Calendly.
Have a great day!
Sergiy Yakymchuk
Talsec co-founder || OWASP member