talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License

ANR Java_com_aheaditec_talsec_1security_security_Natives_d #138

Closed kreativityapps closed 1 month ago

kreativityapps commented 1 month ago

Describe the bug: I can see a huge spike in ANRs in Crashlytics in production after updating freeRASP from 6.6.0 to 6.7.1.

     main (native):tid=1 systid=15749 
#00 pc 0x9fde8 libc.so (__ppoll + 8) (BuildId: 7589cf4bcb5e11ec06c41940bf849449)
#01 pc 0x5c124 libc.so (poll + 92) (BuildId: 7589cf4bcb5e11ec06c41940bf849449)
#02 pc 0x22a7dc split_config.arm64_v8a.apk + 16998400 (BuildId: 668a5160bdf3fa42b7c484aac5bb2a68253e197e)
#03 pc 0x223c8c split_config.arm64_v8a.apk + 16998400 (BuildId: 668a5160bdf3fa42b7c484aac5bb2a68253e197e)
#04 pc 0x1ff154 split_config.arm64_v8a.apk + 16998400 (BuildId: 668a5160bdf3fa42b7c484aac5bb2a68253e197e)
#05 pc 0x1fe3cc split_config.arm64_v8a.apk (Java_com_aheaditec_talsec_1security_security_Natives_d + 828) (BuildId: 668a5160bdf3fa42b7c484aac5bb2a68253e197e)
       at com.aheaditec.talsec_security.security.Natives.b(SourceFile)
       at com.aheaditec.talsec_security.security.Natives.a(SourceFile:81)
       at com.aheaditec.talsec.security.v1.a(SourceFile:1)
       at com.aheaditec.talsec.security.u1$b.b(SourceFile:20)
       at com.aheaditec.talsec.security.u1$b.a(SourceFile:1)
       at com.aheaditec.talsec.security.u1.a(SourceFile:2)
       at com.aheaditec.talsec_security.security.runner.a.b(SourceFile:18)
       at com.aheaditec.talsec_security.security.runner.a.b(SourceFile:149)
       at com.aheaditec.talsec_security.security.runner.a.a(SourceFile:53)
       at com.aheaditec.talsec_security.security.runner.a.a(SourceFile:37)
       at com.aheaditec.talsec.security.t1.a(SourceFile:13)
       at com.aheaditec.talsec.security.t1.a(SourceFile:6)
       at com.aheaditec.talsec_security.security.runner.TalsecMonitoringReceiver.onReceive(SourceFile:11)
       at android.app.LoadedApk$ReceiverDispatcher$Args.lambda$getRunnable$0$LoadedApk$ReceiverDispatcher$Args(LoadedApk.java:1697)
       at android.app.LoadedApk$ReceiverDispatcher$Args$$ExternalSyntheticLambda0.run(unavailable:2)
       at android.os.Handler.handleCallback(Handler.java:938)
       at android.os.Handler.dispatchMessage(Handler.java:99)
       at android.os.Looper.loopOnce(Looper.java:201)
       at android.os.Looper.loop(Looper.java:288)
       at android.app.ActivityThread.main(ActivityThread.java:7881)
       at java.lang.reflect.Method.invoke(Native method)
       at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:568)
       at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1045)

To Reproduce: I can't reproduce it locally; it's only in the logs from production.

Expected behavior: No ANR

Screenshots: No screenshots

Please complete the following information:

Additional context: The bug was probably introduced in 6.7.0 or 6.7.1.

abhijeetnapses commented 1 month ago

Getting the same, here's the log:

main (native):tid=1 systid=21284 
#00 pc 0xb1cac libc.so (__ppoll + 12) (BuildId: f93a8a2b8acdd38006769d7dffc74c6b)
#01 pc 0x6a5cc libc.so (poll + 96) (BuildId: f93a8a2b8acdd38006769d7dffc74c6b)
#02 pc 0x22a7dc split_config.arm64_v8a.apk + 11935744 (BuildId: e5c5646ee3d0e380efa2ff993b617a1365d6876c)
#03 pc 0x223c8c split_config.arm64_v8a.apk + 11935744 (BuildId: e5c5646ee3d0e380efa2ff993b617a1365d6876c)
#04 pc 0x1ff154 split_config.arm64_v8a.apk + 11935744 (BuildId: e5c5646ee3d0e380efa2ff993b617a1365d6876c)
#05 pc 0x1fe3cc split_config.arm64_v8a.apk (Java_com_aheaditec_talsec_1security_security_Natives_d + 828) (BuildId: e5c5646ee3d0e380efa2ff993b617a1365d6876c)
       at com.aheaditec.talsec_security.security.Natives.d(Native method)
       at com.aheaditec.talsec_security.security.Natives.c(SourceFile:16)
       at e6.v2.a(SourceFile:17)
       at e6.p2$b.g(SourceFile:89)
       at e6.p2$b.e(SourceFile:1)
       at e6.p2.c(SourceFile:28)
       at g6.c.m(SourceFile:23)
       at g6.c.o(SourceFile:13)
       at g6.c.g(SourceFile:35)
       at g6.c.f(SourceFile:2)
       at e6.l2.x(SourceFile:34)
       at e6.l2.y(SourceFile:13)
       at g6.b.onReceive(SourceFile:67)
       at android.app.LoadedApk$ReceiverDispatcher$Args.lambda$getRunnable$0(LoadedApk.java:1897)
       at android.app.LoadedApk$ReceiverDispatcher$Args.$r8$lambda$gDuJqgxY6Zb-ifyeubKeivTLAwk(unavailable)
       at android.app.LoadedApk$ReceiverDispatcher$Args$$ExternalSyntheticLambda0.run(unavailable:2)
       at android.os.Handler.handleCallback(Handler.java:1013)
       at android.os.Handler.dispatchMessage(Handler.java:101)
       at android.os.Looper.loopOnce(Looper.java:226)
       at android.os.Looper.loop(Looper.java:328)
       at android.app.ActivityThread.main(ActivityThread.java:9168)
       at java.lang.reflect.Method.invoke(Native method)
       at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:594)
       at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1099)

Affected devices:

97% Vivo
    33% V30
    27% IQOO Z6 Lite 5G
    10% T2 Pro 5G
    27% Other (4)
        10% IQOO Neo7 Pro
        7% V27
        7% IQOO Z7s 5G
        3% V30 Pro

3% Nothing
    3% Nothing Phone (2a)

OS: Android 14 - 100%

Version of freeRASP: 6.7.0

tompsota commented 1 month ago

Hello @kreativityapps, @abhijeetnapses,

thank you for reporting the issue. Can you send us your Android package name and watcher email to support@talsec.app so that we can better identify the root cause of the issue?

Thank you.

Tomas from Talsec

furkanKotic commented 1 month ago

This problem started happening to me too. But my iOS users also started reporting complaints. A similar situation to this error may also be happening on the iOS side.

abhijeetnapses commented 1 month ago

For me, iOS users were getting false positive privileged access. Downgrading to 6.4.0 works for me!

msikyna commented 1 month ago

Hello @furkanKotic, @abhijeetnapses,

could you please create the issue in the iOS repository (https://github.com/talsec/Free-RASP-iOS) and elaborate more? The last iOS SDK introduced the Dopamine jailbreak detection. Based on the data, we do not see any unexpected false positives; the current jailbreak ratio is 0,16% of devices.

Kind regards, Talsec team

abhijeetnapses commented 1 month ago

@msikyna a few iOS users, including me, who got the false positive had previously used the Dopamine jailbreak, then uninstalled it. Even after rebooting, it was detecting a false positive.

msikyna commented 1 month ago

Hello @abhijeetnapses,

rebooting does not fully remove all traces of the jailbreak. The device is "broken". If you send us an email to support@talsec.app with the exact time of the run, watcherMail, bundle ID, team ID, device model and OS version, we can look at the data and tell you what traces have been left on the device.

msikyna commented 1 month ago

Hello, the issue has been solved in the new version: 6.7.2.

Kind regards, Talsec team