
Flutter FreeRasp Callback choice


I've done some research on OS, YouTube and GitHub. I followed the steps described on https://pub.dev/packages/freerasp and everything seems to be working fine. The question is, should I use the ThreatCallback or the TalsecCallback? The two callbacks do not check for exactly the same things.

As a side note, an easier way to get your hash, if you cannot run the Gradle Task is: Go to your Google Play Console > View App > Setup > App Signing > App Signing Key Certificate > SHA 256. Then use https://base64.guru/converter/encode/hex as suggested.

    import 'package:flutter/material.dart';
    import 'package:freerasp/freerasp.dart';

    void main() async {
      WidgetsFlutterBinding.ensureInitialized();

      // Create configuration for freeRASP
      final config = TalsecConfig(
        // For Android
        androidConfig: AndroidConfig(
          packageName: 'com.tada.tadaaa',
          signingCertHashes: ['dslkhfsdakjhfkjdshfkdshkfdsh'],
          supportedStores: ['adb', 'com.sec.android.app.samsungapps'],
        ),

        // For iOS
        iosConfig: IOSConfig(
          bundleIds: ['com.tada.tadAAAA'],
          teamId: 'fsdjhgfksjdhgj',
        ),

        watcherMail: '[email protected]',

        isProd: false,
      );

      // Setting up callbacks: one handler per threat type
      final callback = ThreatCallback(
        onAppIntegrity: () => print("App integrity"),
        onObfuscationIssues: () => print("Obfuscation issues"),
        onDebug: () => print("Debugging"),
        onDeviceBinding: () => print("Device binding"),
        onDeviceID: () => print("Device ID"),
        onHooks: () => print("Hooks"),
        onPasscode: () => print("Passcode not set"),
        onPrivilegedAccess: () => print("Privileged access"),
        onSecureHardwareNotAvailable: () => print("Secure hardware not available"),
        onSimulator: () => print("Simulator"),
        onUnofficialStore: () => print("Unofficial store"),
      );

      // Attaching listener before starting freeRASP
      Talsec.instance.attachListener(callback);

      await Talsec.instance.start(config);

      // ...

      runApp(const App());
    }

Jailbreak detection, for example, is available on one callback but not on the other.
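
The hex-to-Base64 step from the side note in the question can also be done offline. This is an added example, not part of the original post or of freeRASP; the function names and the sample fingerprint are made up for illustration.

```python
import base64
import binascii
import re

SHA256_LEN = 32  # bytes in a SHA-256 digest


def fingerprint_to_base64(fingerprint: str) -> str:
    """Convert a SHA-256 certificate fingerprint in hex to Base64.

    Accepts the colon-separated form ("AB:CD:...") as well as plain
    hex, in either letter case.
    """
    hex_digits = re.sub(r"[\s:]", "", fingerprint)
    try:
        digest = bytes.fromhex(hex_digits)
    except ValueError as exc:
        raise ValueError("fingerprint is not valid hex") from exc
    if len(digest) != SHA256_LEN:
        raise ValueError(f"expected {SHA256_LEN} bytes, got {len(digest)}")
    return base64.b64encode(digest).decode("ascii")


def is_plausible_cert_hash(value: str) -> bool:
    """True if value is Base64 that decodes to exactly 32 bytes.

    Catches the slip of Base64-encoding the hex *text* (64 or 95
    characters) instead of the 32 raw digest bytes.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == SHA256_LEN


# Constructed sample fingerprint (bytes 0x00..0x1F), not a real certificate.
SAMPLE = ":".join(f"{b:02X}" for b in range(32))

if __name__ == "__main__":
    encoded = fingerprint_to_base64(SAMPLE)
    print(encoded, is_plausible_cert_hash(encoded))
    # The hex text encoded as-is: well-formed Base64, but not a 32-byte digest.
    wrong = base64.b64encode(SAMPLE.replace(":", "").encode()).decode()
    print(wrong, is_plausible_cert_hash(wrong))
```

Running `is_plausible_cert_hash` over each entry of `signingCertHashes` before a release catches a malformed value early; it cannot tell whether the hash belongs to the right certificate.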


Solution

  • Addressing the concerns.

    If you're using a version older than 5.0.0, use the TalsecCallback. As of now, if you're using version 5.0.0 or newer, you should preferably use the ThreatCallback, as exemplified here: https://github.com/talsec/Free-RASP-Flutter/blob/master/example/lib/threat_notifier.dart.

    The jailbreak threat is now handled by "onPrivilegedAccess".

    Instead of printing out those error messages, a better approach could be:

    bool threatDetected = false;
    
    void main() async {
    
        WidgetsFlutterBinding.ensureInitialized();
        final config = TalsecConfig(
            androidConfig: AndroidConfig(
              packageName: 'net.xyz',
              signingCertHashes: ['hashhash'],
              supportedStores: ['adb', 'com.sec.android.app.samsungapps'],
              //supportedStores: ['com.sec.android.app.samsungapps'],
            ),
            iosConfig: IOSConfig(
              bundleIds: ['net.xyz'],
              teamId: '123456789',
            ),
            watcherMail: '[email protected]',
            isProd: false,
        );
    
        final callback = ThreatCallback(
            onAppIntegrity: () => threatDetected = true,
            onObfuscationIssues: () => threatDetected = true,
            onDebug: () => threatDetected = true,
            onDeviceBinding: () => threatDetected = true,
            onDeviceID: () => threatDetected = true,
            onHooks: () => threatDetected = true,
            onPasscode: () => threatDetected = true,
            onPrivilegedAccess: () => threatDetected = true,
            onSecureHardwareNotAvailable: () => threatDetected = true,
            onSimulator: () => threatDetected = true,
            onUnofficialStore: () => threatDetected = true,
        );
        Talsec.instance.attachListener(callback);
        await Talsec.instance.start(config);
        ...
        runApp(const App());
    }
    
    ...
    child: MaterialApp(
        home: threatDetected ? const UnAuthorizedScreen() : const SplashScreen(),
    ...