LogoLogo
HomeArticlesCommunity ProductsPremium ProductsGitHubTalsec Website
  • Introduction
  • articles
    • OWASP Top 10 For Flutter – M6: Inadequate Privacy Controls in Flutter & Dart
    • Simple Root Detection: Implementation and verification
    • OWASP Top 10 For Flutter - M5: Insecure Communication for Flutter and Dart
    • OWASP Top 10 For Flutter – M4: Insufficient Input/Output Validation in Flutter
    • OWASP Top 10 For Flutter – M3: Insecure Authentication and Authorization in Flutter
    • OWASP Top 10 For Flutter – M2: Inadequate Supply Chain Security in Flutter
    • OWASP Top 10 For Flutter - M1: Mastering Credential Security in Flutter
    • Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back
    • Emulators in Gaming: Threats and Detections
    • Exclusive Research: Unlocking Reliable Crash Tracking with PLCrashReporter for iOS SDKs
    • 🚀A Developer’s Guide to Implement End-to-End Encryption in Mobile Apps 🛡️
    • How to Block Screenshots, Screen Recording, and Remote Access Tools in Android and iOS Apps
    • Flutter Security 101: Restricting Installs to Protect Your App from Unofficial Sources
    • How to test a RASP? OWASP MAS: RASP Techniques Not Implemented [MASWE-0103]
    • How to implement Secure Storage in Flutter?
    • User Authentication Risks Coverage in Flutter Mobile Apps | TALSEE
    • Fact about the origin of the Talsec name
    • React Native Secure Boilerplate 2024: Ignite with freeRASP
    • Flutter CTO Report 2024: Flutter App Security Trends
    • Mobile API Anti-abuse Protection with AppiCrypt®: A New Play Integrity and DeviceCheck Alternative
    • Hacking and protection of Mobile Apps and backend APIs | 2024 Talsec Threat Modeling Exercise
    • Detect system VPNs with freeRASP
    • Introducing Talsec’s advanced malware protection!
    • Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention
    • Enhancing Capacitor App Security with freeRASP: Your Shield Against Threats 🛡️
    • Safeguarding Your Data in React Native: Secure Storage Solutions
    • Secure Storage: What Flutter can do, what Flutter could do
    • 🔒 Flutter Plugin Attack: Mechanics and Prevention
    • Protecting Your API from App Impersonation: Token Hijacking Guide and Mitigation of JWT Theft
    • Build secure apps in React Native
    • How to Hack & Protect Flutter Apps — Simple and Actionable Guide (Pt. 1/3)
    • How to Hack & Protect Flutter Apps — OWASP MAS and RASP. (Pt. 2/3)
    • How to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)
    • freeRASP meets Cordova
    • Philosophizing security in a mobile-first world
    • 5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s
    • Missing Hero of Flutter World
Powered by GitBook
LogoLogo

Company

  • General Terms and Conditions

Stay Connected

  • LinkedIn
  • X
  • YouTube
On this page
  • The popularity of the hybrid app development
  • Hybrid app security and freeRASP
  • freeRASP for Cordova
  • How does it work under the hood?
  • Android
  • iOS
  • Cordova
  • Customisation, demo application and distribution
  • Next steps

Was this helpful?

  1. articles

freeRASP meets Cordova

PreviousHow to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)NextPhilosophizing security in a mobile-first world

Last updated 4 months ago

Was this helpful?

Highly recognized freeRASP SDK providing app protection and threat monitoring for mobile devices arrived in the Cordova ecosystem! This article will help you understand runtime application self-protection, explore freeRASP capabilities, and shield your app against threats!

The popularity of the hybrid app development

The popularity of hybrid platforms continues to grow, and companies have adopted them widely. They allow developers the possibility of writing the code once and reusing it on both Android and iOS native platforms. Often, the development of such apps costs less time and resources. Nowadays, there are many popular hybrid platforms (e.g., Flutter, React Native, Ionic, Cordova, or Xamarin).

Hybrid app security and freeRASP

Cross-platform development frameworks, in general, suffer when native platform-specific problems need to be solved and security has to be handled. In addition, hybrid platforms can introduce more specific issues. Sacrificing security to be able to do cross-platform development is a no-go.

“What should the developers do?”

“But developing such solutions is quite expensive, right?”

“What does freeRASP have to do with all of this?”

freeRASP for Cordova

freeRASP for Cordova is a mobile in-app protection and security monitoring plugin. It aims to cover the main aspects of RASP (Runtime App Self Protection) and application shielding.

It is designed to combat:

  • Reverse engineering attempts (debugging, running in emulators, hooking)

  • Re-publishing or tampering with the apps

  • Running an application in a compromised OS environment (root/jailbreak)

  • Malware, fraudsters, and cybercriminal activities

“How can I use it?”

It is as easy as doing a minor prerequisite and adding a plugin to the application. Then you rely on freeRASP to protect your app. You can handle any threat that will be detected (e.g. attached debugger to the app) on your own, for example, by killing the application.

As Talsec uses Kotlin and Swift for the implementation of the native side, there is a minor prerequisite which must be done before adding the plugin.

  • Kotlin must be enabled, and the version must be set up in the config.xml file

  • A swift support plugin must be added

Next, you define a threat listener function, in which you can handle the detected threats as you wish, for example, killing the application, notifying the user that a threat has been detected or just ignoring the threat. The threat listener:

var threatListener = function(threatType) {
    switch(threatType) {
        case "privilegedAccess": // Android & iOS
            // TODO place your reaction here
            break;
        case "debug": // Android & iOS
            // TODO place your reaction here 
            break;
        case "simulator": // Android & iOS
            // TODO place your reaction here
            break;
        case "appIntegrity": // Android & iOS
            // TODO place your reaction here
            break;
        case "unofficialStore": // Android & iOS
            // TODO place your reaction here 
            break;
        case "hooks": // Android & iOS
            // TODO place your reaction here
            break;
        case "device binding": // Android & iOS
            // TODO place your reaction here
            break;
        case "deviceID": // iOS only
            // TODO place your reaction here 
            break;
        case "missingSecureEnclave": // iOS only
            // TODO place your reaction here
            break;
        case "passcodeChange": // iOS only
            // TODO place your reaction here 
            break;
        case "passcode": // iOS only
            // TODO place your reaction here
            break;
        default:
            console.log('Unknown threat type detected: ' + threatType);
    }
}

freeRASP can be started after the Cordova initialization is completed. The initialization should be done inside the onDeviceReady function in index.js:

talsec.start(config, threatListener).then(() => {
    console.log('Talsec initialized.');
}).catch((error) => {
    console.log('Error during Talsec initialization: ', error);
});

As the last step, you need to differentiate the dev and release versions of the library. The dev version is designed not to complicate the development process of the application (e.g. if you would implement killing of the application on the debugger callback). It disables some of the detections. On Android, it is handled automatically, whereas, on iOS, the step is a matter of adding a pre-built script into the run phases and embedding a symlink to the correct framework. Do not worry, it is quite easy ;)

How does it work under the hood?

Android

It contains a Gradle file, which contains the dependency for the Android freeRASP repository.

It also contains a TalsecPlugin.kt file, which provides the API to the freeRASP for communication with Cordova. It parses the configuration input given from index.js, registers the threat listener and starts the detection. If any threat occurs, it sends a message back to the index.js to the threatListener function. If any error or incorrect input occurs, it sends back an error message to the index.js.

iOS

It contains built binaries (both Debug and Release versions) of the freeRASP iOS library.

It also contains a bridging header for the Objective-C -> Swift bridge. The TalsecPlugin.swift file is similar to the Android’s TalsecPlugin.kt. Moreover, it uses a static object to preserve the state of the delegate given by Cordova for sending messages.

The iOS version also contains an after_plugin_add script to create a symlink to one of the built binaries (default is Debug) at the correct place. You guessed it right! This is the symlink used in the integration step, which is recreated after changing the Debug <-> Release build of the application.

Cordova

It contains a simple Promise, which passes the configuration from index.js to respective native implementations and returns back a success or error message.

module.exports = {
   start: function (config, eventListener) {
     return new Promise((resolve, reject) => {
       cordova.exec(
         (success) => {
           if (success != null && success == "started") {
             resolve();
           }
           else {
             eventListener(success);
           }
         },
         (error) => {
           reject(error);
         },
         "TalsecPlugin", "start", [config]
       );
     })
   }
};

Customisation, demo application and distribution

The plugin is designed to be used easily without the modification of the native parts. The reactions to threats can be modified in the index.js easily in the threat listener, and configuration is also passed from index.js.

However, you can set up the configuration, threat listener and initialisation also from the native parts and not interact with index.js at all, for example, if you would prefer using a “native way” of killing the application.

Next steps

Security is essential, even though we tend to forget about it when it comes to hybrid platform applications. However, the freeRASP solution is not bulletproof.

In the freeRASP, it’s up to the developer to implement the reaction for the individual threats (e.g., root, debug, simulator, device binding), and because each developer can implement their own logic for detected threats (e.g., step-up authentication, business logic flow modification, killing the application), we need to provide API for the callback, so they can implement their own logic.

The javascript part of the application tends to be more vulnerable to manipulation/injection/tampering, and it would be better to start Talsec in the native part of the code. However, even the reaction on the native side can be easily modified or stripped by an experienced attacker.

written by Matúš Šikyňa, Developer at Talsec

First of all, ensure that the applications follow the standards for mobile app security () for the native parts. Besides security requirements for the architecture, data storage, or network communication, the application should be secured with advanced security solutions such as runtime application self-protection (RASP) to protect against tampering, distribution via an unofficial way or the app being run in a compromised environment.

Right, it is pretty expensive to develop it in-house. Luckily, there are companies which can handle the problem for you. Moreover, there are !

In the past, we have observed a strong growth in the popularity of Flutter and chose it as our first contact with cross-platform development. We apps and developed a , which has been a great success and the developers’ feedback vastly improved our product.

Since releasing a freeRASP for Flutter, there have been a number of developers asking whether we can support other platforms. While some of them have successfully integrated the native versions with some of the frameworks, there were problems using it with the Cordova framework. We decided to take a closer look and develop an easy-to-integrate plugin to make Cordova developers’ lives easier. And that’s how was born!

After that, you can easily add the plugin to your application. After initial importing, you set up an initial configuration (package name, signing certificate hash, bundleId, teamId) to have freeRASP detect some of the threats correctly. You also need to provide a mail address to which will be sent.

freeRASP for Cordova is composed of freeRASP and counterparts.

We have prepared a which integrates the plugin. It shows the state of the threats with simple visualisation: green: OK, red: NOK (a threat happened). The threat listener is implemented in index.js. If a threat is detected, it changes the backgroundColor of the element corresponding to a given threat to red colour.

Except for the , the plugin is also distributed via NPMJS:

We have multiple solutions (pre-configured custom build SDK, in-SDK reactions and killing mechanism, AppiCrypt) in our business solution, preventing precisely those types of attacks. To check out what is the difference between freeRASP and Business RASP+, see this page:

| | Read also |

OWASP MASVS
freely available solutions
looked at security issues of the Flutter
freeRASP for Flutter
freeRASP for Cordova
regular security reports
Android
iOS
simple demo application
GitHub repo
https://www.npmjs.com/package/cordova-talsec-plugin-freerasp
https://github.com/orgs/talsec/discussions/5
https://talsec.app
info@talsec.app
5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s
Mobile API Anti-abuse Protection: AppiCrypt® Is a New SafetyNet and DeviceCheck Attestation Alternative
freeRASP — Community-driven In-App Protection and User Safety Suite by Talsec