talsec / Free-RASP-Flutter

Flutter library for improving app security and threat monitoring on Android and iOS mobile devices.
https://github.com/talsec/Free-RASP-Community
MIT License
194 stars 20 forks source link

The package is susceptible to smali changes. #87

Closed reyesmfabian closed 10 months ago

reyesmfabian commented 1 year ago

It is possible to bypass detection by making a modification to Android smali files, which allows bypassing all protection.

EXPECTED RESULT

Using a locally generated APK in release mode with a valid certificate different from the official store:

Untitled

As you can see the detection is performed correctly and the controls are applied.

NOT EXPECTED RESULT

It is possible to modify the smali code of the Android version by changing the strings and thus circumvent all the controls.

Untitled

As you can notice when repacking the application with these changes the controls are not effective.

Is there any solution for this behavior?

Please complete the following information:

xprikryl2 commented 1 year ago

Hi @reyesmfabian,

This behavior is intentional and by design of freeRASP. The Commercial Version of Talsec RASP+AppiCrypt SDK has solutions to address these issues in its design.

These are:

The freeRASP provides a simple public interface that notifies the developers about detected threats without any need to be dependent on 3rd party services, and as you've highlighted above, there are some limitations to this approach. In general, hardcoded security measures (like in whatever RASP) can always be disabled or bypassed if the reverse engineer has enough time to understand the code. We are aware of this intrinsic limitation. Nevertheless, we partially mitigate it by forcing obfuscation techniques on our clients that prevent the usage of automated scripts.

In the context of RASP, for security measures to be truly effective, they need to be integrated tightly into the application's architecture. It's best practice to move the security evaluation to the server side (attestation). But this approach comes with a far more complicated integration process that can also differ for various technology stacks and platforms. If you are interested in this more secure approach, please contact us with a Demo or meeting request, and we can further elaborate on your case.

Security is an ongoing process, and we are committed to improving our product's security features. We appreciate your input and encourage further discussion on these topics. Please feel free to share any additional insights, suggestions, or concerns.

Best regards, Talsec Team

reyesmfabian commented 1 year ago

Thank you very much for your answer, do you think something can be done for the freeRasp version in this regard? As indicated in the evidence it is extremely easy for a person with half knowledge to perform a complete bypass of the entire security solution, therefore, really this add-on would not be very useful. It occurs to me for example to try to obfuscate those variables in some way, or not to depend on a simple string for the correct detection of the whole solution.

Nice to greet you

JoshiJoshiJoshi commented 1 year ago

Hi @reyesmfabian,

This behavior is intentional and by design of freeRASP. The Commercial Version of Talsec RASP+AppiCrypt SDK has solutions to address these issues in its design.

These are:

  • Configurable app-kill within SDK, implemented at the low level of SDK.
  • AppiCrypt. Cryptografical proof of RASP+ functioning and zero-trust concept. This is the RASP-based cryptogram that is delivered to the Backend as an HTTP header parameter and verified by the backend to prevent calls from compromised clients.

The freeRASP provides a simple public interface that notifies the developers about detected threats without any need to be dependent on 3rd party services, and as you've highlighted above, there are some limitations to this approach. In general, hardcoded security measures (like in whatever RASP) can always be disabled or bypassed if the reverse engineer has enough time to understand the code. We are aware of this intrinsic limitation. Nevertheless, we partially mitigate it by forcing obfuscation techniques on our clients that prevent the usage of automated scripts.

In the context of RASP, for security measures to be truly effective, they need to be integrated tightly into the application's architecture. It's best practice to move the security evaluation to the server side (attestation). But this approach comes with a far more complicated integration process that can also differ for various technology stacks and platforms. If you are interested in this more secure approach, please contact us with a Demo or meeting request, and we can further elaborate on your case.

Security is an ongoing process, and we are committed to improving our product's security features. We appreciate your input and encourage further discussion on these topics. Please feel free to share any additional insights, suggestions, or concerns.

Best regards, Talsec Team

Can you provide an APK using your commercial version to prove your claims? Every security issue that has been reported so far has been responded back that the commercial version is not affected by it.

talsec-app commented 1 year ago

Hello @JoshiJoshiJoshi,

We acknowledge @reyesmfabian 's work and others who have conducted their own investigations into the internals, and we are actively researching ways to improve in this area as well. Uploading the commercial APK here is not our preferred option. As mentioned in the previous response, we can schedule a session to showcase our commercial solutions. Please book a time slot on the calendar.

Kind regards, Talsec Team

syakymchuk commented 1 year ago

Can you provide an APK using your commercial version to prove your claims? Every security issue that has been reported so far has been responded back that the commercial version is not affected by it.

Hi @JoshiJoshiJoshi, would you mind contacting me directly we will give you the APK. But I want to contact you to explain how we protect the Mobile Solution with the help of AppiCrypt and other features that rely partially on the backend part to link the App logic and integrity with backend-based features.

Link for contact here or on the https://talsec.app

SirionRazzer commented 10 months ago

freeRASP v6.4.0 improves reaction obfuscation making the life of an attacker harder. New reaction obfuscation should address the described type of attacks adequately.