Runtime Application Self-Protection
Runtime Application Self-Protection (RASP) is a security technology embedded directly within a mobile application that monitors its own execution environment and behaviour in real time, detecting and automatically responding to attacks such as code injection, tampering, and debugger attachment without relying on external network-based defences.
Unlike perimeter-based security tools that inspect traffic at the network layer, RASP operates from within the application itself. This inside-out perspective gives it visibility into the actual runtime context, including the call stack, memory state, and data flow, enabling it to distinguish between legitimate use and active exploitation with high accuracy.
In the mobile context, RASP SDKs are integrated into the application during the build process and activate when the application launches. They continuously perform integrity checks on the running code, monitor for hooking frameworks such as Frida and Xposed, detect debugger attachment through ptrace monitoring and timing checks, and verify that the execution environment is not an emulator or instrumented sandbox.
When RASP detects a threat, it can respond in several ways depending on the configured policy. Responses range from logging the event for server-side analysis, through degrading application functionality to prevent data exfiltration, to terminating the application entirely. The ability to respond in real time without waiting for a server-side decision is a key advantage in scenarios where network connectivity may be unreliable or compromised.
RASP is most effective as part of a layered defence strategy that includes code obfuscation, root detection, certificate pinning, and server-side fraud detection. By combining compile-time protections with runtime monitoring, organisations can protect mobile applications across the full attack lifecycle from static analysis through dynamic exploitation.