talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License
183 stars, 16 forks

Frida and App Integrity detection not working as expected #103

Open thisisyusub opened 4 months ago

thisisyusub commented 4 months ago

Describe the bug

We have released the app and configured security with freeRASP. But our pentester team found that, in the following scenario, it does not work as expected to catch jailbreak, Frida and the app integrity check.

To Reproduce

From Mobile App Side

  1. Create an app protection service like the following:

```dart
import 'dart:io' show exit;
import 'package:flutter/foundation.dart' show kReleaseMode;
import 'package:freerasp/freerasp.dart';

class InAppProtectionService {
  InAppProtectionService();

  Future<void> init() async {
    final config = TalsecConfig(
      // Production mode is tied to the Flutter build-mode constant
      isProd: kReleaseMode,

      // For Android
      androidConfig: AndroidConfig(
        packageName: 'az.azerconnect.inside',
        signingCertHashes: [
          'base64 from sha256 from Google Play Console',
        ],
      ),

      // For iOS
      iosConfig: IOSConfig(
        bundleIds: ['az.azerconnect.inside'],
        teamId: 'Team ID from App Store Connect',
      ),

      // Common email for Alerts and Reports
      watcherMail: 'any email',
    );

    // Every detected threat terminates the process
    final callback = ThreatCallback(
      onAppIntegrity: () => exit(0),
      onDebug: () => exit(0),
      onPrivilegedAccess: () => exit(0),
      onSimulator: () => exit(0),
      onUnofficialStore: () => exit(0),
      onHooks: () => exit(0),
    );

    Talsec.instance.attachListener(callback);
    await Talsec.instance.start(config);
  }
}
```

  2. Start it in the main.dart file:

```dart
runZonedGuarded<Future<void>>(
  () async {
    WidgetsFlutterBinding.ensureInitialized();

    // freeRASP is started before anything else in the app
    final appProtectionService = InAppProtectionService();
    await appProtectionService.init();

    /// initializes [Firebase] for application
    await Firebase.initializeApp(
      options: DefaultFirebaseOptions.currentPlatform,
    );
    // app-specific startup (environment and overrides defined elsewhere)
    await AppStartupWrapper.initialize(environment, overrides);
  },
  (error, stack) async {
    return FirebaseCrashlytics.instance.recordError(
      error,
      stack,
      fatal: true,
    );
  },
);
```
  3. build.gradle file, if it is of interest: [Screenshot 2024-02-23 at 16 35 45]

  4. Build the app for Android with the following command:

```sh
flutter build apk --obfuscate --split-debug-info=obfuscate/symbols --build-name=1.14.1 --build-number=60
```

From Pentest Side

  1. Download the app from the Play Store (1.14.1): https://play.google.com/store/apps/details?id=az.azerconnect.inside

  2. Use the "reflutter" tool to modify the APK. To monitor the app traffic, select the first option and enter your Burp Suite IP.

```sh
reflutter app.apk
```

     [Screenshot 2024-02-23 at 16 20 32]

  3. Sign the modified APK with the "uber-apk-signer" tool.

```sh
java -jar uber-apk-signer-1.2.1.jar --apks inside_modified.apk
```

     [Screenshot 2024-02-23 at 16 22 04]

  4. Install the signed APK on the device.

```sh
adb install inside_modified-aligned-debugSigned.apk
```

     [Screenshot 2024-02-23 at 16 27 20]

  5. When the app is launched, it crashes instantly. To prevent that, use the following Frida script.

```javascript
Java.perform(function () {
  // "s1.g" is the obfuscated name of the hooked class in this build
  let C7508g = Java.use("s1.g");
  C7508g["$init"].implementation = function (z, z2, z3) {
    console.log(`C7508g.$init is called: z=${z}, z2=${z2}, z3=${z3}`);
    // call the original constructor with the three flags overridden
    this["$init"](true, false, false);
  };
});
```

  6. Run the app with the Frida script.

     [Screenshot 2024-02-23 at 16 27 53]

  7. The app launches successfully. Tap the "Skip" button.

     [Screenshot 2024-02-23 at 16 28 45]

  8. Enter an email and a password. [Screenshot 2024-02-23 at 16 29 17]

  9. The login request is captured successfully. [Screenshot 2024-02-23 at 16 29 46]

Expected behavior

After all these steps, it should detect if the app:

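The pentest above re-signs the APK with a debug key (step 3), so the signing certificate of the installed build no longer matches the one the app was configured with. The following Python script is an added example, not part of this issue or of freeRASP: it computes the value that freeRASP's `signingCertHashes` field expects (base64 of the SHA-256 digest of the DER-encoded signing certificate, the same digest Google Play Console shows as a colon-separated hex fingerprint), converts the Play Console hex form to base64, and models the certificate comparison to show why the re-signed APK should fail it. The two certificate byte strings and the `app_integrity_ok` function are constructed for illustration; they are not real certificates and not freeRASP's implementation.

```python
"""Android signing-certificate hashes in the form freeRASP's
signingCertHashes expects: base64(SHA-256(DER-encoded certificate)).

The two "certificates" below are constructed byte strings standing in for
a real DER-encoded X.509 certificate; SHA-256 does not care about ASN.1
structure, so the arithmetic is identical for a real certificate.
"""
import base64
import hashlib

# Constructed stand-ins, not real certificates.
RELEASE_CERT_DER = b"\x30\x82\x01\x00constructed-release-cert-az.azerconnect.inside"
DEBUG_CERT_DER = b"\x30\x82\x01\x00constructed-debug-cert-uber-apk-signer"


def signing_cert_hash_b64(cert_der: bytes) -> str:
    """base64(SHA-256(cert_der)): the value to put into signingCertHashes."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def fingerprint_hex(cert_der: bytes) -> str:
    """Colon-separated upper-case hex, as Play Console and keytool print it."""
    digest = hashlib.sha256(cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_to_b64(fingerprint: str) -> str:
    """Convert a Play Console hex fingerprint to the base64 form.

    Raises ValueError unless the input is exactly 32 bytes of hex, which
    catches the common mistake of pasting a SHA-1 or MD5 fingerprint.
    """
    raw = bytes.fromhex(fingerprint.replace(":", "").replace(" ", ""))
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte SHA-256 fingerprint, got {len(raw)} bytes")
    return base64.b64encode(raw).decode("ascii")


def app_integrity_ok(installed_cert_der: bytes, expected_hashes: list[str]) -> bool:
    """Simplified model (not freeRASP's code) of the certificate part of the
    app-integrity check: true only if the installed APK's signing certificate
    hashes to one of the configured values."""
    return signing_cert_hash_b64(installed_cert_der) in expected_hashes


if __name__ == "__main__":
    configured = [signing_cert_hash_b64(RELEASE_CERT_DER)]
    print("configured signingCertHashes:", configured)
    print("Play Console form:", fingerprint_hex(RELEASE_CERT_DER))
    print("Play Store build passes:", app_integrity_ok(RELEASE_CERT_DER, configured))
    print("re-signed build passes:  ", app_integrity_ok(DEBUG_CERT_DER, configured))
```

With a real certificate, feed the DER bytes of the signer's certificate (for example the one extracted from the APK's signature block) to `signing_cert_hash_b64`, or paste the Play Console fingerprint into `fingerprint_to_b64`; the mismatch this shows for the debug-signed build is what `onAppIntegrity` is meant to report, which is why the Frida hook in step 5 targets the plugin's configuration object rather than the Dart callbacks.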

yardexx commented 4 months ago

Hello.

Thanks for raising this issue. We are looking into it.

cbarlow26 commented 4 months ago

Hi,

I know nothing about pen testing and this may be a very stupid question, but I was wondering if the Frida script is somehow modifying the kDebugMode, kProfileMode, and kReleaseMode constants?

If this is happening, then using isProd: kReleaseMode would bypass all the release level callbacks like onAppIntegrity. Maybe try isProd: true and retest?

thisisyusub commented 4 months ago

> Hi,
>
> I know nothing about pen testing and this may be a very stupid question, but I was wondering if the Frida script is somehow modifying the kDebugMode, kProfileMode, and kReleaseMode constants?
>
> If this is happening, then using isProd: kReleaseMode would bypass all the release level callbacks like onAppIntegrity. Maybe try isProd: true and retest?

It could be true, but the documentation mentions that you can use it this way.

yardexx commented 4 months ago

> I know nothing about pen testing and this may be a very stupid question, but I was wondering if the Frida script is somehow modifying the kDebugMode, kProfileMode, and kReleaseMode constants?

My (educated) guess is that Frida hooks the Talsec Android SDK, which is implemented in a plugin. We are currently investigating that.

We generally recommend using isProd: true because it ensures that production mode is true even if the attacker messes around with Flutter SDK constants.

thisisyusub commented 2 months ago

Any update about it?

SirionRazzer commented 2 months ago

We investigated the issue and found a solution. We believe the countermeasure could be rolled out in the next freeRASP release. Thank you for your help!