talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License

Root detection not working as expected, delayed hook detection #121

Closed shahmharsh closed 3 months ago

shahmharsh commented 4 months ago

Describe the bug

I have integrated the freeRASP SDK in my Flutter app. I am mainly interested in the root detection and hook detection capabilities. On testing, I have observed that I am able to run the app on my rooted Android emulator (no callback), and when I try to dump the memory there is a delay in getting an onHooks callback.

To Reproduce

1. Here's how I've integrated the SDK (`Environment`, `AppConfig` and `SplashPage` are classes from my own app):

```dart
import 'package:flutter/material.dart';
import 'package:flutter/services.dart';
import 'package:freerasp/freerasp.dart';

class MyApp extends StatefulWidget {
  const MyApp(this.environment, {super.key});
  final Environment environment;

  @override
  State<MyApp> createState() => _MyAppState();
}

class _MyAppState extends State<MyApp> {
  // Exit the app on either threat; freeRASP invokes these on its own schedule.
  final _callback = ThreatCallback(
    onHooks: () => _exitApp(),
    onPrivilegedAccess: () => _exitApp(),
  );

  @override
  void initState() {
    super.initState();
    _initializeRasp(widget.environment);
  }

  @override
  Widget build(BuildContext context) {
    return const MaterialApp(title: 'Demo app', home: SplashPage());
  }

  Future<void> _initializeRasp(Environment environment) async {
    final config = TalsecConfig(
      androidConfig: AndroidConfig(
        packageName: AppConfig.getPackageName,
        signingCertHashes: [hashConverter.fromSha256toBase64(AppConfig.androidSha256)],
      ),
      iosConfig: IOSConfig(
        bundleIds: [AppConfig.getPackageName],
        teamId: AppConfig.iosTeamId,
      ),
      watcherMail: 'test@test.com', // TODO: Update this email address
      isProd: true,
    );

    // Attach the listener before start() so no early callback is missed.
    Talsec.instance.attachListener(_callback);
    await Talsec.instance.start(config);
  }

  static void _exitApp() async {
    await SystemChannels.platform.invokeMethod('SystemNavigator.pop');
  }
}
```

2. For rooting the emulator, I have used the `adb root` command:

       adb root
       adbd is already running as root


3. For the heap dump, I am using fridump and have followed the steps mentioned [here](https://securitygrind.com/dumping-android-application-memory-with-fridump). When I pull the dump, it takes a few seconds for the `onHooks` callback to be called.

Expected behavior

  1. The application should exit as soon as it's launched on a rooted device.
  2. `onHooks` should be called immediately (or during execution of) when `python3 fridump.py -U -s MyApp` is executed.


msikyna commented 4 months ago

Hello @shahmharsh,

thank you for reporting the issue, we will look at it.

Kind regards, Talsec team

rakesh0689 commented 4 months ago

I am also facing this issue in my production application, and because of that it has affected my new deployment as well. Is there a solution for this issue? I have tried adding a delay after starting the Talsec engine, but the issue still occurs, and hooking/root detection can be bypassed using Magisk/Frida etc. If a solution can be provided as soon as possible, it will be really helpful.

yardexx commented 3 months ago

Hello @shahmharsh,

Thank you for reporting this issue.

Root Issue

After further investigation, I've been able to reproduce the issue with `adb root` rooting. We will work on a fix for this. Please note that other forms of root detection are not impacted by this bug and will continue to function correctly.

Hooking Issue

I've also reproduced the hooking issue. The challenge with this detection is conceptual. freeRASP relies on periodic checks rather than proactive protection due to the nature of mobile platforms. Mobile platforms' limited computing power and energy resources mean that proactive detection could make the app slower and/or significantly drain the battery.

freeRASP performs security checks at startup and then periodically after a set interval. This creates a time window that could be exploited for an attack. If you start the app directly with frida, it will be detected. However, if you run the app and then attach frida within this time window, frida won't be detected until the next periodic check.

BusinessRASP+ offers the option to adjust the length of this period, allowing for more or less frequent checks.

We will add this issue to our backlog and work on improvements for the future.

Best regards, Jaroslav from Talsec
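As an added illustration of the detection window Jaroslav describes above (example code written for this page, not freeRASP's or Talsec's own code; freeRASP's real check interval and check logic are not stated in the thread, so the `interval` values and scenario timings below are assumptions), the following Python model treats the detector as a sampler that checks once at startup and then every `interval` seconds, and computes when, if ever, a hooking tool that is present during `[attach, detach)` is observed:

```python
"""Sampled (periodic) hook detection versus attacker timing.

Added illustration for this thread, not freeRASP code: the real check
interval and check logic of freeRASP are not given here, so the
`interval` values and scenario timings are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class HookWindow:
    """Time span [attach, detach) during which a hooking tool (e.g. Frida)
    is attached to the process. detach = inf means it never detaches."""
    attach: float
    detach: float = float("inf")


def check_times(interval: float, horizon: float) -> Iterator[float]:
    """Yield the instants at which a detector that checks once at startup
    (t = 0) and then every `interval` seconds runs, up to `horizon`."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    n = 0
    while n * interval <= horizon:
        yield n * interval  # multiply rather than accumulate to avoid float drift
        n += 1


def first_detection(window: HookWindow, interval: float,
                    horizon: float = 600.0) -> Optional[float]:
    """Time of the first check that falls inside `window`, or None if every
    check up to `horizon` misses it (the tool attached and detached between
    two consecutive checks)."""
    for t in check_times(interval, horizon):
        if window.attach <= t < window.detach:
            return t
    return None


def detection_latency(window: HookWindow, interval: float,
                      horizon: float = 600.0) -> Optional[float]:
    """Seconds between the tool attaching and the detector noticing, or None
    if it is never noticed."""
    t = first_detection(window, interval, horizon)
    return None if t is None else t - window.attach


# Constructed scenarios mirroring the thread (timings are assumed values):
SCENARIOS = {
    # app started under frida (spawn mode): hook already present at the startup check
    "spawned_under_frida": HookWindow(attach=0.0),
    # app launched normally, frida attached 5 s later and left attached
    "attach_after_launch": HookWindow(attach=5.0),
    # frida attached at 6 s, memory dumped, detached again at 16 s
    "dump_and_detach": HookWindow(attach=6.0, detach=16.0),
}


def run(interval: float = 30.0) -> dict:
    """Map each scenario to its detection latency in seconds (None = never detected)."""
    return {name: detection_latency(w, interval) for name, w in SCENARIOS.items()}


if __name__ == "__main__":
    for interval in (30.0, 5.0):
        print(f"interval={interval:g}s ->", run(interval))
```

With the assumed 30 s interval the model reproduces both observations in the thread: a process spawned under Frida is caught by the startup check, an attach after launch is only caught at the next periodic check (here 25 s later), and a dump that starts and finishes between two checks is never observed at all. Shortening the interval, as the BusinessRASP+ option allows, bounds the latency by the interval length but cannot close the window entirely, which is why a callback-driven exit cannot be relied on as the only control against memory dumping.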


Closing this issue and dividing it into bug issue and enhancement issue.