talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License

Freerasp causes error with SharedPreferences at start and application does not run in production #112

Closed kauemurakami closed 4 months ago

kauemurakami commented 7 months ago

Describe the bug

Freerasp causes an error with SharedPreferences at startup and the application does not run in production. freerasp: 6.5.1

To Reproduce

Initialize: I tried this

  final fconfig = await freeraspConfig();
  // Freerasp start
  await Talsec.instance.start(fconfig);
  // Freerasp add listeners callback
  Talsec.instance.attachListener(freeraspCallback());

and this

  final fconfig = await freeraspConfig();
  // Freerasp add listeners callback
  Talsec.instance.attachListener(freeraspCallback());
  // Freerasp start
  await Talsec.instance.start(fconfig);

freeraspConfig()

import 'package:freerasp/freerasp.dart';
import 'package:package_info_plus/package_info_plus.dart';

Future<TalsecConfig> freeraspConfig() async {
  // create configuration for freeRASP
  final packageInfo = await PackageInfo.fromPlatform();
  final String packageName = packageInfo.packageName;

  return TalsecConfig(
    androidConfig: AndroidConfig(
      packageName: packageName,
      // certHashes: the example hash value from the docs, defined elsewhere in the project
      signingCertHashes: [certHashes],
      // supportedStores: ['some.other.store'],
    ),
    iosConfig: IOSConfig(
      bundleIds: [packageName],
      teamId: 'XXXXXXXXXX',
    ),
    watcherMail: 'app-security@byebnk.com',
    isProd: true,
  );
}

freeraspCallback()

import 'dart:io';
import 'package:freerasp/freerasp.dart';

ThreatCallback freeraspCallback() {
  // terminate the app on the high-severity threats, only log the rest
  final callback = ThreatCallback(
    onDebug: () => exit(1),
    onHooks: () => exit(1),
    onPrivilegedAccess: () => exit(1),
    onSimulator: () => exit(1),
    onDeviceBinding: () => exit(1),
    onPasscode: () {
      print('onPasscode');
      // exit(1);
    },
    onUnofficialStore: () {
      print('onUnofficialStore');
      // exit(1);
    },
    onAppIntegrity: () => print("App integrity"),
    onObfuscationIssues: () => print("Obfuscation issues"),
    onDeviceID: () => print("Device ID"),
    onSecureHardwareNotAvailable: () => print("Secure hardware not available"),
  );
  return callback;
}

Error

 Accessing hidden method Ljava/security/spec/ECParameterSpec;->setCurveName(Ljava/lang/String;)V (unsupported, reflection, allowed)
I/flutter (16319): 0
W/SharedPreferencesImpl(16319): Cannot read /data/user/0/com.example.app/shared_prefs/lpt6DF4Cqs7zdz0rfacQLVsy4fOotVZQKFGkIYD.xml
W/SharedPreferencesImpl(16319): org.xmlpull.v1.XmlPullParserException: Unexpected end of document        
W/SharedPreferencesImpl(16319):         at com.android.internal.util.XmlUtils.readValueXml(XmlUtils.java:1548)
W/SharedPreferencesImpl(16319):         at com.android.internal.util.XmlUtils.readMapXml(XmlUtils.java:969)
W/SharedPreferencesImpl(16319):         at android.app.SharedPreferencesImpl.loadFromDisk(SharedPreferencesImpl.java:171)
W/SharedPreferencesImpl(16319):         at android.app.SharedPreferencesImpl.access$000(SharedPreferencesImpl.java:59)
W/SharedPreferencesImpl(16319):         at android.app.SharedPreferencesImpl$1.run(SharedPreferencesImpl.java:140)


Additional context

This error only occurs when freerasp is implemented. I don't use SharedPreferences in my project.

msikyna commented 7 months ago

Hello @kauemurakami ,

does this also happen, when you remove the exit(1) on the callbacks? For instance, just printing some output.

Kind regards, Talsec team

kauemurakami commented 7 months ago

Thanks for the quick response =D. Unfortunately it didn't work: I removed all exit(1) calls and left just the appIntegrity callback with a print, and it didn't work; it returned the same error. I realized that the error is only in the await Talsec.instance.start(fconfig); call: when it is commented out and the package is not initialized, or when it is removed completely, there are no problems. I use get_storage and flutter_secure_storage, one starting before and the other after; I tried initializing both before and both after initializing the package and it didn't work either. Does this SDK try to access or record something with shared_preferences on the phone? Or do you think any of these packages influence anything in freerasp? Another important detail: I'm using the certHash provided as an example; could this be it?

kauemurakami commented 7 months ago

I restarted my branch and tried to reimplement it as the first thing in my code; in addition to the previous error I received this, maybe it can help. Same code for the configs and callback, implemented as the first step before the other configs:

  WidgetsFlutterBinding.ensureInitialized();
  final TalsecConfig freraspConfig = await freeraspConfig();
  Talsec.instance.attachListener(freeraspCallback());
  await Talsec.instance.start(freraspConfig);
....
 App integrity
E/TestLibrary(26387): Talsec logging failed first time with CURLEcode: 28 Timeout was reached
E/TestLibrary(26387): Response was:
E/TestLibrary(26387): Talsec error logging failed with CURLEcode: 28 Timeout was reached
E/TestLibrary(26387): Response was:
E/TestLibrary(26387): Talsec logging failed second time with CURLEcode: 28 (Timeout was reached)
E/TestLibrary(26387): Talsec logging failed first time with CURLEcode: 28 Timeout was reached
E/TestLibrary(26387): Response was:
E/TestLibrary(26387): Talsec error logging failed with CURLEcode: 28 Timeout was reached
E/TestLibrary(26387): Response was:
E/TestLibrary(26387): Talsec logging failed second time with CURLEcode: 28 (Timeout was reached)
I/flutter (26387): onUnofficialStore
E/TestLibrary(26387): Talsec logging failed first time with CURLEcode: 28 Timeout was reached
....

msikyna commented 6 months ago

Hello @kauemurakami ,

no, this issue means that the logging endpoint had a timeout. However, I see that you get callbacks for "App integrity" and "onUnofficialStore", therefore the SDK initialized and performed checks.

And how does the "certHashes" you are passing into the signingCertHashes look exactly? If it is an array of strings, could you pass it like: signingCertHashes: certHashes?

Kind regards, Talsec team

github-actions[bot] commented 5 months ago

This issue has been labeled as stale because it has been open for 14 days without any activity.

github-actions[bot] commented 4 months ago

Hello! This issue has been closed. If you believe this issue is still relevant and requires attention, please reopen the issue.

rakesh0689 commented 4 months ago

Hi @talsec-app team, are there any specific reasons why this issue is happening? I am using FreeRasp 6.6.0, and while running my app for the first time this error is thrown and freerasp doesn't detect anything (even if the device is rooted). But when we hot restart, Talsec.instance.start(fconfig) is executed without any issues. In production this issue is also there. In my callback I am not exiting the app, for example:

  onDeviceBinding: () {
    isAppSecure.value = false;
    threatText.value = 'Device Binding has been compromised.';
  },

Since Talsec.instance throws an error, isAppSecure.value is not set. I am using a rooted physical device as well. Any help would be greatly appreciated.
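The comment above describes the practical consequence of start() throwing on first launch: the app's "is secure" state is never written, so a root detection that did not run looks the same as a clean device. The snippet below is an added example, not code from the reporter or from the freeRASP project; it keeps the ValueNotifier-based state from the comment, assumes a TalsecConfig built the way the report shows, and treats a failed start() as "checks not performed" (fail closed) rather than as an unhandled exception. The callback names are the ones used elsewhere in this thread; the state class and the startTalsecFailClosed function are this example's own.

```dart
import 'package:flutter/foundation.dart';
import 'package:freerasp/freerasp.dart';

/// Security state shown to the UI. Starts as "not verified" so that a start()
/// that never completed cannot be mistaken for a device that passed the checks.
class SecurityState {
  final ValueNotifier<bool> isAppSecure = ValueNotifier<bool>(false);
  final ValueNotifier<String> threatText =
      ValueNotifier<String>('Security checks not completed');
  bool threatSeen = false;

  /// Record a detection; once set, the state is never flipped back to secure.
  void flag(String reason) {
    threatSeen = true;
    isAppSecure.value = false;
    threatText.value = reason;
  }
}

final SecurityState securityState = SecurityState();

/// Attach the listener before start() so no early callback is lost, then start
/// the SDK. Returns whether the checks ran without a detection. Any exception
/// from start() leaves the state at "not secure" and is only logged.
/// `config` is a TalsecConfig built as in the report above (assumed here).
Future<bool> startTalsecFailClosed(TalsecConfig config) async {
  final state = securityState;
  Talsec.instance.attachListener(
    ThreatCallback(
      onPrivilegedAccess: () => state.flag('Privileged access (root/jailbreak) detected.'),
      onDeviceBinding: () => state.flag('Device Binding has been compromised.'),
      onHooks: () => state.flag('Hooking framework detected.'),
      onDebug: () => state.flag('Debugger attached.'),
      onSimulator: () => state.flag('Running on an emulator/simulator.'),
      onAppIntegrity: () => state.flag('App integrity check failed.'),
      onUnofficialStore: () => state.flag('Installed from an unofficial store.'),
      onObfuscationIssues: () => state.flag('Obfuscation issues found.'),
      onDeviceID: () => state.flag('Device ID could not be verified.'),
      onSecureHardwareNotAvailable: () => state.flag('No secure hardware available.'),
      onPasscode: () => state.flag('No device passcode set.'),
    ),
  );

  try {
    await Talsec.instance.start(config);
  } catch (e, st) {
    // The SDK did not start, so no check has run: stay fail-closed and report it.
    debugPrint('freeRASP start failed: $e\n$st');
    state.threatText.value = 'Security checks could not be started.';
    state.isAppSecure.value = false;
    return false;
  }

  // start() completed and no callback has fired so far. Callbacks are delivered
  // asynchronously by the SDK, so a later detection can still call flag().
  if (!state.threatSeen) {
    state.isAppSecure.value = true;
    state.threatText.value = '';
  }
  return state.isAppSecure.value;
}
```

Call startTalsecFailClosed(await freeraspConfig()) right after WidgetsFlutterBinding.ensureInitialized(); the UI then listens on securityState.isAppSecure and securityState.threatText. The design choice worth noting is the direction of the default: the notifier starts at false and only a completed start() with no detection moves it to true, so the first-launch failure described above surfaces as a visible "checks could not be started" state instead of silently passing.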

AwaisQazii commented 1 month ago

Any updates? org.xmlpull.v1.XmlPullParserException: Unexpected end of document on app installation.