I am puzzled about a possible vulnerability of this package compared to the pure-Dart cryptography package implementation.
Let's take the iOS example.
cryptography_flutter basically uses iOS interop that links against CryptoKit. CryptoKit gets basically loaded as an external library. Now, if I create a proxy library between the Dart code and CryptoKit (by tampering with the device's binary on a rooted device), I should be able to intercept all calls to CryptoKit, and therefore will get access to unencrypted strings and so on, right? A problem that does not happen with the pure-Dart cryptography package, where an attacker would need to dig into the compiled Dart code itself, which is significantly more tricky and time consuming.
Is there anything that I'm missing, something I misunderstand?
First, thanks for the great work.
I am puzzled about a possible vulnerability of this package compared to the pure-Dart
cryptographypackage implementation.Let's take the iOS example.
cryptography_flutterbasically uses iOS interop that links against CryptoKit. CryptoKit gets basically loaded as an external library. Now, if I create a proxy library between the Dart code and CryptoKit (by tampering with the device's binary on a rooted device), I should be able to intercept all calls to CryptoKit, and therefore will get access to unencrypted strings and so on, right? A problem that does not happen with the pure-Dartcryptographypackage, where an attacker would need to dig into the compiled Dart code itself, which is significantly more tricky and time consuming.Is there anything that I'm missing, something I misunderstand?