Merge pull request #76 from talsec/new_release
new release
msikyna authored Jun 15, 2023
2 parents 4963449 + 1df1676 commit 4083395
Showing 18 changed files with 293 additions and 55 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,13 @@
# freeRASP 6.0.0
We are constantly working on improving your freeRASP experience. This update contains a new check - obfuscation detection. Minimal supported Android SDK level was raised to 23.

## What's new in 6.0.0?
- ❗ BREAKING: Raised minSdkVersion on Android to 23
- ❗ Removed BouncyCastle dependency on Android
- 🔎 New threat type `obfuscationIssues`
- 🔎 New threat callback `onObfuscationIssues`
- ✔️ Fixed `NullPointerException` which could occur during specific subcheck execution on Android

# freeRASP 5.0.4
- ✔️ Fixed issue with metadata in iOS framework

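Review bot: the "What's new in 6.0.0?" list omits the consumer ProGuard rule this release starts shipping (`consumerProguardFiles 'consumer-rules.pro'` containing `-flattenpackagehierarchy`), even though the README hunk in this same commit states that "these rules are applied to your Android app code as well due to inheritance". A rule that changes the shrinker output of every integrating app is a behaviour change on the same level as the minSdkVersion bump; add an entry next to the BREAKING line and point at the opt-out in README Step 5.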
89 changes: 49 additions & 40 deletions README.md
Expand Up @@ -72,7 +72,7 @@ Add dependency to your `pubspec.yaml` file

```yaml
dependencies:
freerasp: 5.0.4
freerasp: 6.0.0
```
and run `pub get`
Expand Down Expand Up @@ -100,14 +100,14 @@ and integration script from your project:
### Android setup

* From root of your project, go to **android > app > build.gradle**
* In `defaultConfig` update `minSdkVersion` to at least **21** (Android 5.0) or higher
* In `defaultConfig` update `minSdkVersion` to at least **23** (Android 6.0) or higher

```gradle
android {
...
defaultConfig {
...
minSdkVersion 21
minSdkVersion 23
...
}
...
Expand Down Expand Up @@ -213,6 +213,7 @@ void main() {
// Setting up callbacks
final callback = ThreatCallback(
onAppIntegrity: () => print("App integrity"),
onObfuscationIssues: () => print("Obfuscation issues"),
onDebug: () => print("Debugging"),
onDeviceBinding: () => print("Device binding"),
onDeviceID: () => print("Device ID"),
Expand Down Expand Up @@ -247,28 +248,25 @@ void main() async {
```

## Step 5: Additional note about obfuscation
The freeRASP contains public API, so the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to use publicly available information to interrupt freeRASP operations or modify your custom reaction implementation in threat callbacks. In order for freeRASP to be as effective as possible, it is highly recommended to apply obfuscation to the final package/application, making the public API more difficult to find and also partially randomized for each application so it cannot be automatically abused by generic hooking scripts.
The freeRASP contains public API, so the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to use publicly available information to interrupt freeRASP operations or modify your custom reaction implementation in threat callbacks.

### Android
The majority of Android projects support code shrinking and obfuscation without any additional need for setup. The owner of the project can define the set of rules that are usually automatically used when the application is built in the release mode. For more information, please visit the official documentation
* https://developer.android.com/studio/build/shrink-code
* https://www.guardsquare.com/manual/configuration/usage
In order to provide as much protection as possible, freeRASP enhances security measures by implementing ProGuard consumer rules, which obfuscate specific sections of the SDK. **However, these rules are applied to your Android app code as well due to inheritance.**

You can make sure, that the obfuscation is enabled by checking the value of **minifyEnabled** property in your **module's build.gradle** file.
```gradle
android {
...
Finally, if there is a problem with the obfuscation freeRASP will notify you about it via **obfuscationIssues** callback.

buildTypes {
release {
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
}
In certain cases, you may prefer to exclude this rule.

To remove the rule, you need to find `freerasp` in your cache folder. More about where to find the cache folder [here](https://dart.dev/tools/pub/environment-variables). Then navigate to the freerasp-X.Y.Z/android/build.gradle file and delete the line:

```groovy
consumerProguardFiles 'consumer-rules.pro'
```

You can read more about Android obfuscation in the official documentation:
- https://developer.android.com/studio/build/shrink-code
- https://www.guardsquare.com/manual/configuration/usage


## Step 6: User Data Policies
See the generic info about freeRASP data collection [here](https://github.com/talsec/Free-RASP-Community/tree/master#data-collection-processing-and-gdpr-compliance).

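Review bot: removing the `minifyEnabled` paragraph and the `buildTypes { release { minifyEnabled true ... } }` snippet leaves Step 5 recommending obfuscation without showing how to turn it on, so the only remaining signal for a developer is the `obfuscationIssues` callback firing at runtime; keep at least a one-line pointer to `minifyEnabled true` in the module's build.gradle. The opt-out ("find `freerasp` in your cache folder ... delete the line `consumerProguardFiles 'consumer-rules.pro'`") edits the shared pub cache, so it affects every project on that machine and is lost whenever the package is fetched again (version bump, `pub cache repair`, fresh CI runner); the text should say so. Minor: "if there is a problem with the obfuscation freeRASP will notify you about it via **obfuscationIssues** callback" needs a comma after "obfuscation" and "the" before the callback name.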
Expand Down Expand Up @@ -380,16 +378,16 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
<td colspan=5><strong>Runtime App Self Protection (RASP, app shielding)</strong></td>
</tr>
<tr>
<td>Advanced root/jailbreak protections</td>
<td>Advanced root/jailbreak protections (including Magisk)</td>
<td>basic</td>
<td>advanced</td>
</tr>
<tr>
<td>Runtime reverse engineering controls
<ul>
<li>Debug</li>
<li>Emulator</li>
<li>Hooking protections (e.g. Frida)</li>
<li>Debugger</li>
<li>Emulator / Simulator</li>
<li>Hooking and reversing frameworks (e.g. Frida, Magisk, XPosed, Cydia Substrate and more)</li>
</ul>
</td>
<td>basic</td>
Expand All @@ -398,7 +396,7 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
<tr>
<td>Runtime integrity controls
<ul>
<li>Tamper protection</li>
<li>Tampering protection</li>
<li>Repackaging / Cloning protection</li>
<li>Device binding protection</li>
<li>Unofficial store detection</li>
Expand All @@ -412,6 +410,8 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
<ul>
<li>HW security module control</li>
<li>Screen lock control</li>
<li>Google Play Services enabled/disabled</li>
<li>Last security patch update</li>
</ul>
</td>
<td>yes</td>
Expand All @@ -421,7 +421,7 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
<td>UI protection
<ul>
<li>Overlay protection</li>
<li>Accessibility services protection</li>
<li>Accessibility services misuse protection</li>
</ul>
</td>
<td>no</td>
Expand All @@ -432,11 +432,10 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
</tr>
<tr>
<td>Security hardening suite
<ul>
<li>Customer Data Encryption (local storage)</li>
<ul>
<li>End-to-end encryption</li>
<li>Strings protection (e.g. API keys)</li>
<li>Dynamic certificate pinning</li>
<li>Dynamic TLS certificate pinning</li>
</ul>
</td>
<td>no</td>
Expand All @@ -451,31 +450,41 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
<td>yes</td>
</tr>
<tr>
<td colspan=5><strong>Monitoring</strong></td>
<td colspan=5><strong>Security events data collection, Auditing and Monitoring tools</strong></td>
</tr>
<tr>
<td>AppSec regular email reporting</td>
<td>Threat events data collection from SDK</td>
<td>yes</td>
<td>configurable</td>
</tr>
<tr>
<td>AppSec regular email reporting service</td>
<td>yes (up to 100k devices)</td>
<td>yes</td>
</tr>
<tr>
<td>Data insights and auditing portal</td>
<td>UI portal for Logging, Data analytics and auditing</td>
<td>no</td>
<td>yes</td>
</tr>
<tr>
<td colspan=5><strong>Support and Maintenance</strong></td>
</tr>
<tr>
<td>Embed code to integrate with portal</td>
<td>no</td>
<td>SLA</td>
<td>Not committed</td>
<td>yes</td>
</tr>
<tr>
<td>API data access</td>
<td>no</td>
<td>Maintenance updates</td>
<td>Not committed</td>
<td>yes</td>
</tr>
<td colspan=5><strong>Fair usage policy</strong></td>
<tr>
<td>Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section of the Talsec web or in the social media).</td>
<td colspan=5><strong>Fair usage policy</strong></td>
</tr>
<tr>
<td>Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section on the web).</td>
<td>over 100k downloads</td>
<td>no</td>
</tr>
Expand All @@ -490,9 +499,9 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
For further comparison details (and planned features), follow our [discussion](https://github.com/talsec/Free-RASP-Community/discussions/5).

# About Us
Talsec is an academic-based and community-driven mobile security company. We deliver in-App Protection and a User Safety suite for Fintechs. We aim to bridge the gaps between the user's perception of app safety and the strong security requirements of the financial industry.
Talsec is an academic-based and community-driven mobile security company. We deliver in-App Protection and a User Safety suite for Fintechs. We aim to bridge the gaps between the user's perception of app safety and the strong security requirements of the financial industry.

Talsec offers a wide range of security solutions, such as App and API protection SDK, Penetration testing, monitoring services, and the User Safety suite. You can check out offered products at [our web](https://www.talsec.app).

# License
This project is provided as freemium software i.e. there is a fair usage policy that impose some limitations on the free usage. The SDK software consists of opensource and binary part which is property of Talsec. The opensource part is licensed under the MIT License - see the [LICENSE](https://github.com/talsec/Free-RASP-Community/blob/master/LICENSE) file for details.
This project is provided as freemium software i.e. there is a fair usage policy that impose some limitations on the free usage. The SDK software consists of opensource and binary part which is property of Talsec. The opensource part is licensed under the MIT License - see the [LICENSE](https://github.com/talsec/Free-RASP-Community/blob/master/LICENSE) file for details.
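Review bot: the About Us and License lines are whitespace-only changes (before and after text is identical), which is worth a word in the commit message so reviewers do not hunt for a content change. While the License line is being touched, "a fair usage policy that impose some limitations" should read "imposes", and "consists of opensource and binary part which is property of Talsec" should read "consists of an open-source part and a binary part which is the property of Talsec".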
5 changes: 3 additions & 2 deletions android/build.gradle
Expand Up @@ -43,13 +43,14 @@ android {
}

defaultConfig {
minSdkVersion 21
minSdkVersion 23
consumerProguardFiles 'consumer-rules.pro'
}
}

dependencies {
implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"

// Talsec SDK
implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Flutter:7.0.0'
implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Flutter:8.0.1'
}
1 change: 1 addition & 0 deletions android/consumer-rules.pro
@@ -0,0 +1 @@
-flattenpackagehierarchy
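Review bot: `-flattenpackagehierarchy` is given without a target package, so R8/ProGuard moves every package that gets renamed into the root package, and because this file is registered through `consumerProguardFiles` in android/build.gradle it is merged into each integrating app's own shrinker configuration rather than scoped to the plugin. The effect is limited to classes that are obfuscated anyway (kept classes are not moved), but it changes the layout of the host app's obfuscated output, so it needs a CHANGELOG entry and the README should state that uploading the mapping file for crash symbolication is the way to keep stack traces readable.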
1 change: 1 addition & 0 deletions android/src/main/kotlin/com/aheaditec/freerasp/Threat.kt
Expand Up @@ -6,6 +6,7 @@ internal enum class Threat(val value: String) {
PASSCODE("passcode"),
SIMULATOR("simulator"),
APP_INTEGRITY("appIntegrity"),
OBFUSCATION_ISSUES("obfuscationIssues"),
DEVICE_BINDING("deviceBinding"),
UNOFFICIAL_STORE("unofficialStore"),
PRIVILEGED_ACCESS("privilegedAccess"),
Expand Up @@ -53,6 +53,10 @@ internal object PluginThreatHandler : ThreatDetected, DeviceState {
notify(Threat.DEVICE_BINDING)
}

override fun onObfuscationIssuesDetected() {
notify(Threat.OBFUSCATION_ISSUES)
}

override fun onUnlockedDeviceDetected() {
notify(Threat.PASSCODE)
}
2 changes: 1 addition & 1 deletion example/android/app/build.gradle
Expand Up @@ -46,7 +46,7 @@ android {
// TODO: Specify your own unique Application ID (https://developer.android.com/studio/build/application-id.html).
applicationId "com.aheaditec.freerasp_example"
// Talsec library needs higher version than default (16)
minSdkVersion 21
minSdkVersion 23
// TODO: Update to "flutter.targetSdkVersion" when sdk will be updated to >= 2.0
targetSdkVersion 31
versionCode flutterVersionCode.toInteger()
1 change: 1 addition & 0 deletions example/ios/Runner.xcodeproj/project.pbxproj
Expand Up @@ -204,6 +204,7 @@
files = (
);
inputPaths = (
"${TARGET_BUILD_DIR}/${INFOPLIST_PATH}",
);
name = "Thin Binary";
outputPaths = (
1 change: 1 addition & 0 deletions example/lib/threat_notifier.dart
Expand Up @@ -9,6 +9,7 @@ class ThreatNotifier extends StateNotifier<Map<Threat, bool>> {
ThreatNotifier() : super(_emptyState()) {
final callback = ThreatCallback(
onAppIntegrity: () => _updateThreat(Threat.appIntegrity),
onObfuscationIssues: () => _updateThreat(Threat.obfuscationIssues),
onDebug: () => _updateThreat(Threat.debug),
onDeviceBinding: () => _updateThreat(Threat.deviceBinding),
onDeviceID: () => _updateThreat(Threat.deviceId),
6 changes: 6 additions & 0 deletions lib/src/enums/threat.dart
Expand Up @@ -27,6 +27,10 @@ enum Threat {
/// indicating that it has been tampered with.
appIntegrity,

/// The application is not obfuscated, indicating that it is vulnerable to
/// reverse engineering.
obfuscationIssues,

/// The device running the application may be bound to another device,
/// indicating an attempt to clone the application.
deviceBinding,
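Review bot: `obfuscationIssues` is inserted between `appIntegrity` and `deviceBinding` instead of appended, so `Threat.index` shifts for `deviceBinding`, `unofficialStore`, `privilegedAccess` and `secureHardwareNotAvailable` (the threat_test.dart hunk in this commit renumbers them from 6 to 9 into 7 to 10). The `ThreatX` string mapping keys on names, so the platform channel is unaffected, but any consumer that persists or compares `Threat.index` (stored state, analytics) will misattribute old values; either append the new member or state in CHANGELOG that enum ordinals are not stable. Also, "indicating that it is vulnerable to reverse engineering" overstates the check: every app can be reversed, and the README's own wording (obfuscation makes the public API harder to find and hook) is the accurate description.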
Expand Down Expand Up @@ -70,6 +74,8 @@ extension ThreatX on Threat {
return Threat.simulator;
case 'appIntegrity':
return Threat.appIntegrity;
case 'obfuscationIssues':
return Threat.obfuscationIssues;
case 'deviceBinding':
return Threat.deviceBinding;
case 'unofficialStore':
3 changes: 3 additions & 0 deletions lib/src/talsec.dart
Expand Up @@ -147,6 +147,9 @@ class Talsec {
case Threat.appIntegrity:
callback.onAppIntegrity?.call();
break;
case Threat.obfuscationIssues:
callback.onObfuscationIssues?.call();
break;
case Threat.deviceBinding:
callback.onDeviceBinding?.call();
break;
4 changes: 4 additions & 0 deletions lib/src/threat_callback.dart
Expand Up @@ -27,6 +27,7 @@ class ThreatCallback {
this.onDeviceID,
this.onSimulator,
this.onAppIntegrity,
this.onObfuscationIssues,
this.onDeviceBinding,
this.onUnofficialStore,
this.onPrivilegedAccess,
Expand Down Expand Up @@ -60,6 +61,9 @@ class ThreatCallback {
/// invalid signature, package name, signing hash,...).
final VoidCallback? onAppIntegrity;

/// This method is called when application is not obfuscated.
final VoidCallback? onObfuscationIssues;

/// This method is called when device binding is compromised.
final VoidCallback? onDeviceBinding;

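Review bot: the new doc comment "This method is called when application is not obfuscated." documents a `VoidCallback?` field, not a method, and is missing the article; the neighbouring comments share the wording, so this is pre-existing style, but for the new line suggest "/// Called when the application is not obfuscated (see `Threat.obfuscationIssues`)." so readers can find the matching enum value.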
7 changes: 1 addition & 6 deletions pubspec.yaml
@@ -1,6 +1,6 @@
name: freerasp
description: Flutter library for improving app security and threat monitoring on Android and iOS mobile devices. Learn more about provided features on the freeRASP's homepage first.
version: 5.0.4
version: 6.0.0
homepage: https://www.talsec.app/freerasp-in-app-protection-security-talsec
repository: https://github.com/talsec/Free-RASP-Flutter

Expand All @@ -9,15 +9,10 @@ environment:
flutter: ">=1.20.0"

topics:
- security
- tools
- tampering-detection
- app-shielding
- rasp
- tampering
- reverse-engineering
- application-security
- frida
- freerasp

dependencies:
13 changes: 7 additions & 6 deletions test/src/enums/threat_test.dart
Expand Up @@ -2,10 +2,10 @@ import 'package:flutter_test/flutter_test.dart';
import 'package:freerasp/freerasp.dart';

void main() {
test('Threat enum should contain 10 values', () {
test('Threat enum should contain 11 values', () {
final threatValuesLength = Threat.values.length;

expect(threatValuesLength, 10);
expect(threatValuesLength, 11);
});

test('Threat enum should match its values index', () {
Expand All @@ -17,10 +17,11 @@ void main() {
expect(threatValues[3], Threat.deviceId);
expect(threatValues[4], Threat.simulator);
expect(threatValues[5], Threat.appIntegrity);
expect(threatValues[6], Threat.deviceBinding);
expect(threatValues[7], Threat.unofficialStore);
expect(threatValues[8], Threat.privilegedAccess);
expect(threatValues[9], Threat.secureHardwareNotAvailable);
expect(threatValues[6], Threat.obfuscationIssues);
expect(threatValues[7], Threat.deviceBinding);
expect(threatValues[8], Threat.unofficialStore);
expect(threatValues[9], Threat.privilegedAccess);
expect(threatValues[10], Threat.secureHardwareNotAvailable);
});

test(
0 comments on commit 4083395