talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License

onSecureHardwareNotAvailable false positives with freeRASP 6.0.0 #77

Closed olexale closed 11 months ago

olexale commented 1 year ago

Describe the bug
We are getting many onSecureHardwareNotAvailable callbacks on Android with freeRASP 6.0.0 on devices that work fine with freeRASP 5.0.4. I assume they are false positives caused by some changes in the latest update.

To Reproduce
Upgrade to freeRASP 6, run the app.

Expected behavior
freeRASP doesn't trigger this event.

Please complete the following information:

msikyna commented 1 year ago

Hello @olexale,

thank you for reporting this issue! We are looking into it at this moment.

Kind regards, Talsec team

xprikryl2 commented 1 year ago

Hi @olexale,

We located one bug regarding this issue, but it only occurs on Android 12 and 13. For API 31 and above, we used this new flag that should indicate whether the device has a hardware keystore. The flag return value is not consistent with the [KeyInfo#getSecurityLevel()](https://developer.android.com/reference/android/security/keystore/KeyInfo#getSecurityLevel()) that we used before. We reverted this change, and the bug should be fixed.

For API 30 and below, the functionality remains the same. We are still using the same method [KeyInfo#isInsideSecureHardware()](https://developer.android.com/reference/android/security/keystore/KeyInfo#isInsideSecureHardware()). I tried to look into the logs for any outliers, and my first assumption is that the device you mentioned does not have a hardware-backed keystore. Unfortunately, I wasn't able to find any official list or documentation that would support this hypothesis, and we do not have this device available to test it.

We will continue with this investigation. If you have this issue on other devices (API 30 and below) and could provide us with a list of these devices, it would be very helpful.

Best regards, Talsec team
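To make the API split described above concrete, here is an added Kotlin example (not freeRASP's own code) of a hardware-backed keystore probe that uses KeyInfo#getSecurityLevel() on API 31+ and KeyInfo#isInsideSecureHardware() on API 30 and below; the key alias and the treatment of SECURITY_LEVEL_UNKNOWN_SECURE as "hardware-backed" are this example's assumptions.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory

private const val KEYSTORE = "AndroidKeyStore"
private const val PROBE_ALIAS = "hw_probe_key" // hypothetical alias chosen for this example

/** Generates (or reuses) an AES key in AndroidKeyStore and returns its KeyInfo. */
private fun probeKeyInfo(): KeyInfo {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    val key: SecretKey = (ks.getKey(PROBE_ALIAS, null) as? SecretKey) ?: run {
        val spec = KeyGenParameterSpec.Builder(
            PROBE_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .build()
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }
    // KeyInfo is only obtainable through the AndroidKeyStore SecretKeyFactory
    return SecretKeyFactory.getInstance(key.algorithm, KEYSTORE)
        .getKeySpec(key, KeyInfo::class.java) as KeyInfo
}

/** True when the probe key is held by a TEE or StrongBox rather than in software. */
fun isSecureHardwareAvailable(): Boolean = try {
    val info = probeKeyInfo()
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        // API 31+: isInsideSecureHardware() is deprecated; use the security level instead
        when (info.securityLevel) {
            KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT,
            KeyProperties.SECURITY_LEVEL_STRONGBOX,
            KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE -> true // assumption: "secure, level unknown" counts
            else -> false // SECURITY_LEVEL_SOFTWARE or SECURITY_LEVEL_UNKNOWN
        }
    } else {
        // API 30 and below: the pre-31 check this issue refers to
        @Suppress("DEPRECATION")
        info.isInsideSecureHardware
    }
} catch (e: Exception) {
    false // keystore failures are reported as "not available" rather than crashing the app
}
```

Because the two code paths answer the same question with different APIs, it is worth logging both Build.VERSION.SDK_INT and the raw security level alongside any "secure hardware not available" event so that a version-specific inconsistency like the one above can be told apart from a device that genuinely lacks a hardware keystore.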

msikyna commented 1 year ago

Hello @olexale,

a new version v6.1.0 fixing the issue has been released. It is also released on pub.dev.

Kind regards, Talsec team

olexale commented 1 year ago

Hello @msikyna,

We will give it a try soon. I'll get back to you with the results. Thank you!

Kind regards, Oleksandr

msikyna commented 11 months ago

Hello @olexale, does the issue still persist? Our data implies that it has been fixed.

Kind regards, Talsec team

olexale commented 11 months ago

Hello @msikyna,

Thanks for getting back! I don't see this error in recent logs, so I assume it is fixed.

Best regards, Oleksandr