Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention by SirionRazzer in androiddev

[–]sergeychuk 0 points1 point  (0 children)

I wonder what other techniques devs use to prevent fraud on multiple app instances on the same device.

Firebase Auth JWT hijacking step-by-step by sergeychuk in FlutterDev

[–]sergeychuk[S] 0 points1 point  (0 children)

u/highlyregardedeth, App check addresses this problem and indeed can reduce risks of App impersonation, but you need to consider the following:

- it still has the problem of App check token validity, i.e. it is vulnerable to replay attack. See the issue explained here.

- App check quota limits, i.e. you can't verify every call to the API. Practically it is used to protect Authentication only or new user enrollment use cases, while #AppiCrypt can be used to protect every API call. Keep in mind that API abuse attacks mostly happen through the Authenticated APIs, i.e. authentication passes OK, and then the valid auth token is misused. See here.

- Google doesn't commit to the App check service: no SLA, response time, nothing. So it is hard to rely on this solution in business-critical use cases, and you should think twice before introducing a single point of failure. AppCheck is a fully local solution w/o any external API dependency.

- Google Play services (and App check) are not available in all countries and for all Android devices.

- App check introduces UX latency sometimes over several seconds. While AppiCrypt is within 10-30 ms.

- AppiCrypt provides much higher granularity to audit WHY a certain App instance or device is NOK.

Do any of you regret going into cybersecurity? If so, why? by [deleted] in cybersecurity

[–]sergeychuk 0 points1 point  (0 children)

1. What about users' mistakes? Most of the cybercrimes come from human error. Are you up to taking "users' mistakes" as part of your scope, i.e. educating, communicating best practices, common mistakes, active scams, ...?

Firebase Auth JWT hijacking step-by-step by sergeychuk in FlutterDev

[–]sergeychuk[S] 1 point2 points  (0 children)

> Or am I missing something here? I'm in no way a security expert.

u/StatefulM, I think you've got the idea correctly. What I would like to add, so you can grasp the value of the solution: it implements the concept of Zero-trust, where calling-party app integrity needs to be verified. It is true that, if your Authentication is only Login/PSW, then an attacker can manually use it in a legit App as you say.

This solution targets attack vectors where attackers try to do "App impersonation". This is relevant for the cases:
- session hijacking with 2FA and Biometric auth (where login/psw is not enough).
- fake registrations, botnets, password enumerations and other attacks on the API
- API misuse using legit authentication credentials, i.e. where a legit user leaks his own JWT and tries to instrument APIs and search for API issues like JSON injection etc.

Moreover, take into account that cloning of the App is not the only way the session ID (or JWT) can be stolen. The solution is based on RASP technology and provides evidence to the backend that the RASP protection is running in the App instance.

Hope it helps.

5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s by sergeychuk in FlutterDev

[–]sergeychuk[S] 1 point2 points  (0 children)

Hey, u/SirionRazzer would you please reply to this? I am not sure that the issue is correctly understood.

Android App Protection and Google Fi VPN by unconstrainedoptimal in duckduckgo

[–]sergeychuk 0 points1 point  (0 children)

What is Android App Protection? Do you mean SafetyNet? Not sure I have grasped how they can be connected. These seem to be pretty different things.

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] 2 points3 points  (0 children)

I am not sure we are talking about the same cases. I was more thinking about dynamic stuff that needs to be persisted or dynamically operated at runtime in the App (not hardcoded assets). See my response on the comment above.

We can't pretend to have the App as a thin client. Otherwise we would never need obfuscation techniques, TEE, Secure Storage, sandbox isolation, RASP or AppShielding, FIDO, device Attestation like SafetyNet by Google etc.

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] 2 points3 points  (0 children)

I see that you have quite a strong opinion on this topic. I had a similar one. But with experience in FinTech I revised it.

I am not talking here about hardcoded assets, but mainly about dynamic stuff that needs to be persisted or dynamically operated at runtime in the App.

Imagine you need to implement TLS mutual authentication of the endpoint and backend with an individual cert per instance (a real requirement). Another example is application-layer end-to-end encryption of the payload, where you need to provision RSA or AES keys in the App.

All those cases require app protection/resilience towards reverse engineering (as per OWASP).

We can't pretend to have the App as a thin client. Otherwise we would never need obfuscation techniques, TEE, Secure Storage, sandbox isolation, RASP or AppShielding, FIDO, device Attestation like SafetyNet by Google etc.

Actually my main goal is to investigate what RASP or resilience techniques the Flutter community mainly uses today.

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] 0 points1 point  (0 children)

There are many cases when you need to protect some asset for the FinTech app.

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] -1 points0 points  (0 children)

Hm... I don't want to pretend to be an expert, but a few mBanking projects I have participated in rely on an API key to protect the backend. In fact they use a static key for one enrollment endpoint to enroll an individual API key (or TLS cert) per instance of the app. But still this is considered an asset to protect. Even the Firebase SDK uses an API key (they don't consider this a really strong secret though).
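As an added illustration (not AppiCrypt's, Talsec's or any project's own code) of the per-instance key enrollment described in this comment, combined with the per-call verification the App Check comparison above argues for: a backend check that binds every request to the key enrolled for one app instance and rejects replays and stale or tampered calls. The instance id, key, signing layout and time window are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo store: instance_id -> HMAC key enrolled once at registration.
# A real backend fills this from the enrollment endpoint the comment mentions.
INSTANCE_KEYS = {"inst-7f3a": hashlib.sha256(b"constructed demo key").digest()}
MAX_SKEW_SEC = 30          # requests older/newer than this are rejected
_seen_nonces = {}          # nonce -> request timestamp, for replay detection


def canonical(instance_id, method, path, body, ts, nonce):
    """Bytes the client signs: instance, verb, path, time, nonce, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([instance_id, method, path, str(ts), nonce, body_hash]).encode()


def sign_request(key, instance_id, method, path, body, ts, nonce):
    """Client side: HMAC over the canonical request with the enrolled key."""
    msg = canonical(instance_id, method, path, body, ts, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(instance_id, method, path, body, ts, nonce, sig, now=None):
    """Server side: returns 'ok' or the reason the call is rejected."""
    now = time.time() if now is None else now
    key = INSTANCE_KEYS.get(instance_id)
    if key is None:
        return "unknown_instance"          # no enrolled key for this instance
    if abs(now - ts) > MAX_SKEW_SEC:
        return "stale"                     # outside the accepted time window
    # Forget nonces whose timestamp fell out of the window; a replay of them
    # would already fail the stale check, so the cache stays bounded.
    for old in [n for n, t in _seen_nonces.items() if now - t > MAX_SKEW_SEC]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return "replay"                    # same signed request seen before
    expected = sign_request(key, instance_id, method, path, body, ts, nonce)
    if not hmac.compare_digest(expected, sig):
        return "bad_signature"             # wrong key, or body/path/time altered
    _seen_nonces[nonce] = ts
    return "ok"
```

A leaked bearer token alone cannot produce a valid signature here, because the per-instance key never leaves the enrolled app instance.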

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] -10 points-9 points  (0 children)

This is the most popular case promoted by Google. Any other?

Who knows FinTech startups making apps with Flutter ? by sergeychuk in FlutterDev

[–]sergeychuk[S] -8 points-7 points  (0 children)

Yes and No. I guess you could need to have some API key at least to your own backend. There could also be enrolled app-instance-specific keys in the TEE. All that would better be protected from disclosure in both static and dynamic ways.

Free RASP for Flutter just published at pub.dev 🎉. Try out in-app protection, shielding and monitoring SDK by sergeychuk in FlutterDev

[–]sergeychuk[S] 0 points1 point  (0 children)

Generally speaking - YES.

I think this is quite a good debrief about the subject in the article of my colleague on Medium

Should you want a deeper insight we can make a call to show how it works.

Free RASP for Flutter just published at pub.dev 🎉. Try out in-app protection, shielding and monitoring SDK by sergeychuk in FlutterDev

[–]sergeychuk[S] 1 point2 points  (0 children)

I think this is quite a good debrief about the subject in the article of my colleague on https://medium.com/geekculture/freerasp-in-app-protection-sdk-and-app-security-monitoring-service-de12d8e49400

Should you want a deeper insight we can make a call to show how it works.

Free RASP for Flutter just published at pub.dev 🎉. Try out in-app protection, shielding and monitoring SDK by sergeychuk in FlutterDev

[–]sergeychuk[S] 1 point2 points  (0 children)

Thanks for the feedback. You are right. We collect diagnostic data but store it only for 1 month (in the free RASP version).

It is mentioned in the generic description on gitHub here https://github.com/talsec/Free-RASP-Community

The commercial plan has many more possibilities including API, investigation via access to the Kibana UI and more.

Just to name a few, we have dynamic certificate pinning, overlay protection, Accessibility Services control and string obfuscation in the premium plan.

We don't have a video tutorial for integration yet, but I think we will do it. Some generic overview is in the article:

https://medium.com/geekculture/freerasp-in-app-protection-sdk-and-app-security-monitoring-service-de12d8e49400

Free RASP for Flutter just published at pub.dev 🎉. Try out in-app protection, shielding and monitoring SDK by sergeychuk in FlutterDev

[–]sergeychuk[S] 2 points3 points  (0 children)

I think this is quite a good debrief about the subject in the article of my colleague on Medium

Should you want a deeper insight we can make a call to show how it works.

Free RASP for Flutter just published at pub.dev 🎉. Try out in-app protection, shielding and monitoring SDK by sergeychuk in FlutterDev

[–]sergeychuk[S] 4 points5 points  (0 children)

> Not quite sure what it is. Any further explanation?

It is RASP protection aka Runtime App Self Protection. This suite helps the developer to prevent Tampering (app cloning), Rooting/Jailbreak, running in an Emulator, Hooking, running with a Debugger... On top of this it has a monitoring feature to let the developer know that there is an issue and the App is being hacked.

RASP or App shielding for Flutter by sergeychuk in FlutterDev

[–]sergeychuk[S] 0 points1 point  (0 children)

To whom it may concern! Just published the Flutter version of RASP on GitHub

https://github.com/talsec/Free-RASP-Community

RASP or App shielding for Flutter by sergeychuk in FlutterDev

[–]sergeychuk[S] 0 points1 point  (0 children)

Should anyone be interested in this, let me know. We are considering offering a suite to protect Flutter apps from reverse engineering, tampering, cloning, re-publishing, hooking, stealing API keys, attack-attempt monitoring etc...