freeRASP meets Cordova
PreviousHow to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)NextPhilosophizing security in a mobile-first world
Last updated
Was this helpful?
Last updated
Was this helpful?
Highly recognized freeRASP SDK providing app protection and threat monitoring for mobile devices arrived in the Cordova ecosystem! This article will help you understand runtime application self-protection, explore freeRASP capabilities, and shield your app against threats!
The popularity of hybrid platforms continues to grow, and companies have adopted them widely. They allow developers the possibility of writing the code once and reusing it on both Android and iOS native platforms. Often, the development of such apps costs less time and resources. Nowadays, there are many popular hybrid platforms (e.g., Flutter, React Native, Ionic, Cordova, or Xamarin).
Cross-platform development frameworks, in general, suffer when native platform-specific problems need to be solved and security has to be handled. In addition, hybrid platforms can introduce more specific issues. Sacrificing security to be able to do cross-platform development is a no-go.
“What should the developers do?”
First of all, ensure that the applications follow the standards for mobile app security (OWASP MASVS) for the native parts. Besides security requirements for the architecture, data storage, or network communication, the application should be secured with advanced security solutions such as runtime application self-protection (RASP) to protect against tampering, distribution via an unofficial way or the app being run in a compromised environment.
“But developing such solutions is quite expensive, right?”
Right, it is pretty expensive to develop it in-house. Luckily, there are companies which can handle the problem for you. Moreover, there are freely available solutions!
“What does freeRASP have to do with all of this?”
In the past, we have observed a strong growth in the popularity of Flutter and chose it as our first contact with cross-platform development. We looked at security issues of the Flutter apps and developed a freeRASP for Flutter, which has been a great success and the developers’ feedback vastly improved our product.
Since releasing a freeRASP for Flutter, there have been a number of developers asking whether we can support other platforms. While some of them have successfully integrated the native versions with some of the frameworks, there were problems using it with the Cordova framework. We decided to take a closer look and develop an easy-to-integrate plugin to make Cordova developers’ lives easier. And that’s how freeRASP for Cordova was born!
freeRASP for Cordova is a mobile in-app protection and security monitoring plugin. It aims to cover the main aspects of RASP (Runtime App Self Protection) and application shielding.
It is designed to combat:
Reverse engineering attempts (debugging, running in emulators, hooking)
Re-publishing or tampering with the apps
Running an application in a compromised OS environment (root/jailbreak)
Malware, fraudsters, and cybercriminal activities
“How can I use it?”
It is as easy as doing a minor prerequisite and adding a plugin to the application. Then you rely on freeRASP to protect your app. You can handle any threat that will be detected (e.g. attached debugger to the app) on your own, for example, by killing the application.
As Talsec uses Kotlin and Swift for the implementation of the native side, there is a minor prerequisite which must be done before adding the plugin.
Kotlin must be enabled, and the version must be set up in the config.xml file
A swift support plugin must be added
After that, you can easily add the plugin to your application. After initial importing, you set up an initial configuration (package name, signing certificate hash, bundleId, teamId) to have freeRASP detect some of the threats correctly. You also need to provide a mail address to which regular security reports will be sent.
Next, you define a threat listener function, in which you can handle the detected threats as you wish, for example, killing the application, notifying the user that a threat has been detected or just ignoring the threat. The threat listener:
freeRASP can be started after the Cordova initialization is completed. The initialization should be done inside the onDeviceReady function in index.js:
As the last step, you need to differentiate the dev and release versions of the library. The dev version is designed not to complicate the development process of the application (e.g. if you would implement killing of the application on the debugger callback). It disables some of the detections. On Android, it is handled automatically, whereas, on iOS, the step is a matter of adding a pre-built script into the run phases and embedding a symlink to the correct framework. Do not worry, it is quite easy ;)
freeRASP for Cordova is composed of freeRASP Android and iOS counterparts.
It contains a Gradle file, which contains the dependency for the Android freeRASP repository.
It also contains a TalsecPlugin.kt file, which provides the API to the freeRASP for communication with Cordova. It parses the configuration input given from index.js, registers the threat listener and starts the detection. If any threat occurs, it sends a message back to the index.js to the threatListener function. If any error or incorrect input occurs, it sends back an error message to the index.js.
It contains built binaries (both Debug and Release versions) of the freeRASP iOS library.
It also contains a bridging header for the Objective-C -> Swift bridge. The TalsecPlugin.swift file is similar to the Android’s TalsecPlugin.kt. Moreover, it uses a static object to preserve the state of the delegate given by Cordova for sending messages.
The iOS version also contains an after_plugin_add script to create a symlink to one of the built binaries (default is Debug) at the correct place. You guessed it right! This is the symlink used in the integration step, which is recreated after changing the Debug <-> Release build of the application.
It contains a simple Promise, which passes the configuration from index.js to respective native implementations and returns back a success or error message.
The plugin is designed to be used easily without the modification of the native parts. The reactions to threats can be modified in the index.js easily in the threat listener, and configuration is also passed from index.js.
However, you can set up the configuration, threat listener and initialisation also from the native parts and not interact with index.js at all, for example, if you would prefer using a “native way” of killing the application.
We have prepared a simple demo application which integrates the plugin. It shows the state of the threats with simple visualisation: green: OK, red: NOK (a threat happened). The threat listener is implemented in index.js. If a threat is detected, it changes the backgroundColor of the element corresponding to a given threat to red colour.
Except for the GitHub repo, the plugin is also distributed via NPMJS: https://www.npmjs.com/package/cordova-talsec-plugin-freerasp
Security is essential, even though we tend to forget about it when it comes to hybrid platform applications. However, the freeRASP solution is not bulletproof.
In the freeRASP, it’s up to the developer to implement the reaction for the individual threats (e.g., root, debug, simulator, device binding), and because each developer can implement their own logic for detected threats (e.g., step-up authentication, business logic flow modification, killing the application), we need to provide API for the callback, so they can implement their own logic.
The javascript part of the application tends to be more vulnerable to manipulation/injection/tampering, and it would be better to start Talsec in the native part of the code. However, even the reaction on the native side can be easily modified or stripped by an experienced attacker.
We have multiple solutions (pre-configured custom build SDK, in-SDK reactions and killing mechanism, AppiCrypt) in our business solution, preventing precisely those types of attacks. To check out what is the difference between freeRASP and Business RASP+, see this page: https://github.com/orgs/talsec/discussions/5
written by Matúš Šikyňa, Developer at Talsec
https://talsec.app | info@talsec.app | Read also 5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s | Mobile API Anti-abuse Protection: AppiCrypt® Is a New SafetyNet and DeviceCheck Attestation Alternative
