🔒 Flutter Plugin Attack: Mechanics and Prevention

Last updated 5 months ago

Did you know that you can remove plugins dynamically from a Flutter app on Android?

During the implementation of a new feature in freeRASP (more on that in a separate article), we noticed that unregistering plugins is possible using the FlutterEngine class. While it may seem unimportant, we decided to push the limits and explore potential attack vectors that could lead to the complete disabling of plugins from an external source. As a result, we conducted a small check of the security of Flutter's plugin architecture. During this investigation, we discovered what we consider to be a serious problem.

Malicious plugin can remove other plugins at runtime

In Flutter, the FlutterEngine class plays a crucial role in managing plugins. The generated GeneratedPluginRegistrant class uses it to register plugins, which are then executed during startup. However, you have the flexibility to create your own plugins, acquire plugin instances, and even unregister plugins if needed. Therefore you can create a plugin which removes other plugins:

```kotlin
// Inside a FlutterPlugin implementation.
// Standard callback for every Flutter plugin on Android
override fun onAttachedToEngine(flutterPluginBinding: FlutterPlugin.FlutterPluginBinding) {
    // Let's remove them all
    flutterPluginBinding.flutterEngine.plugins.removeAll()
}
```

If you have a class reference available, you can also selectively remove specific plugins:

```kotlin
override fun onAttachedToEngine(flutterPluginBinding: FlutterPlugin.FlutterPluginBinding) {
    // Remove a single plugin, identified by its class
    flutterPluginBinding.flutterEngine.plugins.remove(PoorPlugin::class.java)
}
```

This can even be achieved directly from your app’s MainActivity on Android (which extends FlutterActivity) without the need for a malicious plugin. By leveraging a bit of reverse engineering and code injection (similar to what we discussed in our recent article), you can achieve this:

```kotlin
import android.os.Bundle
import io.flutter.embedding.android.FlutterActivity

// We are now at the app level
class MainActivity : FlutterActivity() {
    // Standard Android lifecycle method - called when the app starts
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Removing all plugins; the engine is available once super.onCreate() has run
        flutterEngine?.plugins?.removeAll()
    }
}
```

How can you secure your app?

You can follow these measures if you want to make sure that your code is protected against such attacks:

🔒 Opt for reputable plugins — Choose well-maintained plugins with a considerable number of likes and positive user feedback.

🔒 Inspect the plugin’s source code — Take a closer look at the codebase for any suspicious lines or potential vulnerabilities.

🔒 Always obfuscate your application — Apply obfuscation techniques to make your app less readable and more obscure.

How do we secure our solution?

We faced the same issue at Talsec (link) while trying to hack our own products freeRASP and AppiCrypt, which are critical security components and should have maximum resilience. Finding at least a partial solution was very important to us. In our RASP solution, AppiCrypt (coincidentally) solves this problem.

RASP (Runtime Application Self-Protection) is a security technique that actively defends an application by controlling, in real time, the security state of the device and the integrity of the OS and the app.

For context, AppiCrypt is an app attestation tool that protects your API by generating a cryptogram — information about the security state of the device, which is then used in the request header. The backend then checks the cryptogram to determine whether the device is compromised and decides whether to allow or deny the request.

Since the plugin cannot generate a cryptogram (a CryptogramFailureException is thrown due to the PlatformException thrown by the MethodChannel), the app can be considered untrustworthy. Without a cryptogram, you cannot make network requests backed by AppiCrypt.

Therefore, as a security measure, we can also add:

🔒 Dynamically validate plugin functionality — If the plugin throws a PlatformException, it can indicate that it is unable to communicate with the native side.

While it won’t directly tell you that the plugin has been disconnected, it can give a hint that something unusual is going on.

Stay safe and code with confidence! 💪

Written by Jaroslav Novotný — Flutter developer
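The "dynamically validate plugin functionality" measure above, written out as an added Dart-side example (not code from the article or from Talsec's SDKs): each critical plugin is probed over its MethodChannel before security-sensitive work, and the app fails closed if any probe does not come back. Channel and method names are placeholders, and the block catches MissingPluginException as well, which is what the Dart side raises when no handler is registered on the platform side.

```dart
import 'package:flutter/foundation.dart';
import 'package:flutter/services.dart';

/// Outcome of probing one plugin channel (hypothetical type for this example).
class PluginProbeResult {
  final String channel;
  final bool reachable;
  final String? reason;
  const PluginProbeResult(this.channel, this.reachable, [this.reason]);
}

/// Probes a native plugin by invoking a cheap, side-effect-free method that the
/// plugin is known to implement. After a hostile removeAll()/remove() on the
/// Android side the handler is gone, so the call fails instead of returning.
/// Call after WidgetsFlutterBinding.ensureInitialized() when used before runApp().
Future<PluginProbeResult> probePlugin(String channelName, String pingMethod) async {
  final channel = MethodChannel(channelName);
  try {
    await channel.invokeMethod<dynamic>(pingMethod);
    return PluginProbeResult(channelName, true);
  } on MissingPluginException catch (e) {
    // No handler on the platform side: this is what an unregistered plugin
    // (or a plugin that does not implement pingMethod) looks like from Dart.
    return PluginProbeResult(channelName, false, 'missing handler: ${e.message}');
  } on PlatformException catch (e) {
    // The native side answered with an error; treat it as untrustworthy too.
    return PluginProbeResult(channelName, false, 'platform error ${e.code}: ${e.message}');
  }
}

/// Fail-closed gate: run before anything that must not proceed without the
/// native side (for example, building a request that carries an attestation
/// header). The entries below are placeholders for your own plugins' channels.
Future<bool> criticalPluginsHealthy() async {
  const probes = <String, String>{
    'com.example.app/integrity': 'ping',      // placeholder: RASP/attestation plugin
    'com.example.app/secure_storage': 'ping', // placeholder: secure storage plugin
  };
  final results = await Future.wait(
    probes.entries.map((e) => probePlugin(e.key, e.value)),
  );
  for (final r in results.where((r) => !r.reachable)) {
    // Report this: an unreachable critical plugin is a tamper signal, not a bug to retry.
    debugPrint('plugin check failed for ${r.channel}: ${r.reason}');
  }
  return results.every((r) => r.reachable);
}
```

A probe only proves that some handler answered on that channel name, so pair it with an attestation mechanism such as the cryptogram check described above rather than relying on it alone.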