1 of 45

AppSec articles

Introduction

Featured AppSec Collections

Mobile and API Threat Detection & Defense (Rooting, Hooking, Reverse Engineering)

Technical articles focused on advanced strategies to detect and defend against mobile threats, including rooting, hooking, reverse engineering, and API abuse.

How to Block Screenshots, Screen Recording, and Remote Access Tools in Android and iOS Apps

Flutter Security 101: Restricting Installs to Protect Your App from Unofficial Sources

Emulators in Gaming: Threats and Detections

Hacking and protection of Mobile Apps and backend APIs | 2024 Talsec Threat Modeling Exercise

Detect system VPNs with freeRASP

Safeguarding Your Data in React Native: Secure Storage Solutions

Obfuscation of Mobile Apps

Talsec RASP+, AppiCrypt and freeRASP Guides and Features

This collection highlights cutting-edge tools and resources from Talsec designed to secure mobile apps through runtime application self-protection (RASP), API integrity checks, and anti-abuse measures.

React Native Secure Boilerplate 2024: Ignite with freeRASP

Mobile API Anti-abuse Protection with AppiCrypt®: A New Play Integrity and DeviceCheck Alternative

Introducing Talsec’s advanced malware protection!

Enhancing Capacitor App Security with freeRASP: Your Shield Against Threats 🛡️

Build secure apps in React Native

Flutter Security

At Talsec, we’re proud to lead the way as the #1 Flutter Security SDK, and our commitment to this growing framework runs deep. This curated collection showcases our ongoing efforts to protect Flutter apps.

OWASP Top 10 For Flutter - M1: Mastering Credential Security in Flutter

OWASP Top 10 For Flutter – M2: Inadequate Supply Chain Security in Flutter

OWASP Top 10 For Flutter – M3: Insecure Authentication and Authorization in Flutter

OWASP Top 10 For Flutter – M4: Insufficient Input/Output Validation in Flutter

OWASP Top 10 For Flutter - M5: Insecure Communication for Flutter and Dart

OWASP Top 10 For Flutter – M6: Inadequate Privacy Controls in Flutter & Dart

Flutter Security 101: Restricting Installs to Protect Your App from Unofficial Sources

User Authentication Risks Coverage in Flutter Mobile Apps | TALSEE

Secure Storage: What Flutter can do, what Flutter could do

🔒 Flutter Plugin Attack: Mechanics and Prevention

How to Hack & Protect Flutter Apps — Simple and Actionable Guide (Pt. 1/3)

How to Hack & Protect Flutter Apps — OWASP MAS and RASP. (Pt. 2/3)

How to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)

Missing Hero of Flutter World

Reports & Original Research

In-depth reports and original research articles focused on mobile app security, fraud prevention, and API protection.

Exclusive Research: Unlocking Reliable Crash Tracking with PLCrashReporter for iOS SDKs

How to test a RASP? OWASP MAS: RASP Techniques Not Implemented [MASWE-0103]

Flutter CTO Report 2024: Flutter App Security Trends

Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention

Protecting Your API from App Impersonation: Token Hijacking Guide and Mitigation of JWT Theft

5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s

Latest Articles

Articles by our team members and guest experts (become one of them) that explore practical mobile security and threat defense topics for the developer community.

articles

freeRASP for Unity Guide

Protect your Unity mobile game with freeRASP, a free and developer-friendly runtime application self-protection solution for Android and iOS.

🔐 Level Up Your Game’s Security with freeRASP for Unity

In today’s mobile landscape, securing your game isn’t just about protecting profits—it’s about preserving your players’ trust and ensuring fair gameplay. Whether you’re an indie developer or a full-blown game studio, runtime threats like app tampering, emulators, rooting, and unauthorized modifications are real dangers that can undermine your game’s performance and credibility.

That’s where freeRASP for Unity (Android + iOS) comes in.

🎮 Designed with Unity Devs in Mind

Talsec’s freeRASP solution is now natively available for Unity—a game-changer for developers targeting Android and iOS platforms. This early-release plugin empowers teams to effortlessly integrate robust runtime threat detection directly into their Unity-based games.

⚙️ Easy Integration, Powerful Protection

The official Unity plugin streamlines the setup process:

📦 Drag-and-drop installation via .unitypackage
🔐 Custom configuration for Android (via certificate hashes and package names) and iOS (using team identifiers and bundle IDs)
🔁 Real-time threat detection callbacks integrated into your Game.cs or entry-point logic

This makes it simple to respond to threats like:

Emulator use
VPN or system proxy tunneling
Rooting or jailbreaking
Debugging and hooking attempts
Tampering, screen recording, or app repackaging

With built-in detection callbacks, you can proactively respond to these threats by triggering in-game behaviors or alerts that protect your app integrity.

🚀 Why It Matters for Game Developers

While Unity makes multiplatform publishing easier than ever, it also exposes your game to a wide surface area of potential exploits. Mobile cheaters and malicious actors often use rooted devices, simulators, or altered app binaries to bypass normal game logic or manipulate in-game currencies.

freeRASP gives you the armor your game deserves, acting like a security co-pilot as your players navigate your game world.

💡 Ready to Fortify Your Game?

Visit the to get started with installation, configuration, and callback integration. There’s no need to compromise between performance and protection—freeRASP for Unity delivers both.

ApkSignatureKiller: How It Works and How Talsec Protects Your Apps

In this article, we will explore how Android protects against app tampering, discussing not only how ApkSignatureKiller works, but also the mechanisms behind.

Introduction

Ever wondered how your Android phone can tell if that Instagram app you're about to install is the genuine application, or just a sneaky clone repackaged by a hacker with malicious intent? That's where APK signatures come in – they're the digital gatekeepers of the Android app world! Think of them as a high-tech, unforgeable seal of authenticity stamped on every app, verifying its true origin and guaranteeing the code hasn't been illicitly altered since the developer signed off on it. This critical verification happens every time you install or update an app, acting as an invisible shield that ensures the software you're running is legitimate and safe.

How does the Android signature verification work?

Android apk sign verification has mainly two steps:

1. Signing

When development is complete, the developer signs the app using a private key. This process generates a digital signature of the app's contents and embeds the developer's public key certificate within the APK file.

2. Verification

This process is performed by the Android OS on the device before the installation of an app.

First, the Android package manager calculates a cryptographic hash of the APK's contents.
Next, it extracts the developer's public key certificate from the APK and uses it to decrypt the digital signature. This decryption reveals the original hash of the app as calculated by the developer.
Finally, the hash calculated on the device is compared to the developer's original hash . If they match, it confirms that the APK's contents have not been tampered with since it was signed.

To prevent anyone from bypassing this verification mechanism, Android utilizes several signature schemes. The primary difference between them is how they sign the application and store the resulting data inside the APK:

v1 (JAR Signing): This original scheme individually signed each file within the APK and stored the signature data inside the META-INF/ directory (e.g., MANIFEST.MF`, `CERT.SF ). This method was computationally slow and had a critical flaw: it did not verify the entire APK file. Sections like the ZIP metadata were left unsigned, creating an attack vector where malicious code could be injected into the APK without invalidating the signature.
v2 Scheme: Introduced in Android 7.0, this scheme verifies the entire APK file as a single blob. The signature is stored in a dedicated APK Signing Block, located just before the ZIP Central Directory . This approach is significantly faster and closes the vulnerabilities present in the v1 scheme. However, this scheme did not originally support signing key rotation, meaning a developer could not change their signing key without breaking updates for their app.
v3 Scheme: Introduced in Android 9.0, this scheme is very similar to v2 but adds support for signing key rotation . It includes an attribute in the APK Signing Block that holds a history of signing certificates. This allows developers to change their app's signing key while enabling the app to be verified using either the new or older keys, ensuring seamless updates.
v4 Scheme: This scheme was introduced to support streaming installs, allowing for parts of an app to be used before the entire APK is downloaded. For v4 signing, a Merkle hash tree of the APK's contents is calculated, and its root hash is stored in a separate file named .apk.idsig . This allows for the incremental verification of individual blocks of the file as they are streamed to the device.

The methods employed by ApkSignatureKiller are the modern versions of critical vulnerabilities of Android signature verification process.

1. The famous Master-Key vulnerability: This critical vulnerability exploited a discrepancy in how Android handled ZIP archives . An attacker could include two files with the same name within an APK. The package installer would process one file when verifying the signature, while the Dalvik/ART runtime would execute the other, malicious file. This allowed an attacker to inject and execute arbitrary code within a validly signed application, effectively bypassing the v1 signature check.

2. The Janus vulnerability: This vulnerability specifically targeted the v1 signature scheme. An attacker could prepend a malicious DEX file to the beginning of a legitimate, signed APK file. Because the v1 signature verifier would check the integrity of the ZIP entries but ignore the header of the file, it would still validate the application as authentic. However, the Android runtime would see the malicious DEX file at the start and execute its code, effectively running a malicious payload while the app appeared legitimate. This is simlar to the methods used to bypass v1 signature scheme by the apkSignatureKiller application .

The ApkSignatureKiller

The infamous ApkSignatureKiller application actively bypasses Android's entire signature verification system. This capability is frequently exploited to tamper with critical applications, such as banking apps, which are then used on a device, creating a major security headache for developers who rely on signature checks to ensure app integrity.

Let us take an example of an Android app signed by v1 signature scheme named victimApp2 :

We can also check which signature schemes are verified inside a fully built apk using apksigner tool. This shows that the apk has been signed using the v1 signature scheme.

Now let's try to install the apk inside the Android emulator with < Android 7.0 to ensure that we are able to install apk with just v1 signature scheme. With v1 scheme enabled we are easily allowed to install the apk on the device.

Now let's try the same with the unsigned apk on the same device. This tells us that the apk is unsigned and cannot be verified. The device also denies to download the unsigned application.

Here enters the ApkSignatureKiller who changes everything. Now let's just hook and modify our signed installed application using the ApkSignatureKiller. For this we have to push our signed application into the directory that can be accessed by the ApkSignatureKiller app just like the external storage directory.

Let's open our evil app

Now just choose the signed app from the external directory and then press the Hook button.

Press Install and guess what we are able to install the app with the killed signature verification mechanism.

We can also verify if our new app has been actually modified or not.

This shows that an unsigned, tampered application can be installed on a device without being detected by Android's security mechanisms. It proves that by using this method, it's possible to alter an app, recompile it, and install it without a valid signature, leaving the app's contents completely vulnerable.

To keep this article straightforward and easy to understand, I have used a simple demo application and focused on bypassing only the v1 signature scheme. However, it is crucial to understand that modern versions of ApkSignatureKiller and similar tools, are capable of bypassing the much more secure signature schemes. This makes them some of the most dangerous tools in the hands of attackers today.

Working of ApkSignatureKiller

But some of you with inquisitive minds might wonder: How does this tool actually work? How is it able to bypass the signature verification on an Android device ? 🙁

To bypass the signature check, the tool doesn't just remove the signature; it employs a more deceptive technique. It injects its own malicious code into the target application by hooking the specific part of the Android framework responsible for verifying an app's integrity. This injected code then intercepts the verification process and falsely reports to the system that the APK is still securely signed, even though its original signature has been stripped and its contents have been altered.

These are the methods used by it to hook the application and remove its signature file.
It basically hooks the classes like PackageManager or ContextImpl that are generally used during reflection that helps in signature verification of the Android application.

Then it uses this above method to replace the application with new application that does not have any signature verification mechanism and will always be verified by the Android signature verifier no matter how much the apk is tampered.
It hooks the code that fetches the signature file for verification and instead modifies the method to return true or verified always.

Why is it so crucial ?

Think of your Android device as a car and its signature verification system as a sophisticated car alarm. As long as the alarm is active, a thief cannot steal the stereo without setting it off.

However, a tool like ApkSignatureKiller acts as a master key that doesn't just break the window but cleverly disables the entire alarm system. Once the alarm is off, the thief can freely open the doors, steal the stereo, or even swap out the engine parts without anyone knowing.

This is precisely why signature verification is so crucial for an Android app. Without it, anyone could tamper with an app's contents, recompile it, and distribute their own modified version . Imagine the consequences: someone could unlock Spotify Premium for free, use cheats in a game like Clash of Clans, or, far more dangerously, bypass security measures in banking applications to authorize fraudulent transactions.

ApkSignatureKiller threatens the very foundation of Android's application security model. Despite continuous efforts to harden the platform, this tool often succeeds in its malicious goals.

But luckily, as developers, we are not helpless. There are concrete steps we can take to safeguard our applications against such attacks:

How to prevent tampering attacks with Talsec RASP+? [2 Months Free Trial!]

Talsec's RASP+ (Runtime App Self-Protection) offers a multi-layered defense to shield mobile apps from tampering and malicious tools like ApkSignatureKiller. These tools are built to bypass Android's fundamental security measure: verifying an app's digital signature. By disabling this check, an attacker can modify a legitimate app, inject malicious code, and then repackage it.

RASP protects against that with:

Signature and Certificate Verification: Unlike system-level checks that can be intercepted or disabled, RASP operates within the application itself. It continuously validates the app’s signature and signing certificate hash, making tampering significantly more difficult.
Code and Resource Integrity Checks: RASP doesn’t stop at verifying signatures—it actively monitors the application’s code and resources. If the app has been decompiled, modified, or augmented with malicious code, RASP flags and responds to these unauthorized changes.
Real-time Threat Response: When RASP detects a threat, it triggers a callback function—giving developers full control over how their app responds. Once integrated, you can implement callbacks such as onRootDetected, onDebuggerDetected, onEmulatorDetected, and more. These powerful tools let you tailor defensive actions: show custom alerts, limit app functionality, or shut down the app entirely if the environment is compromised.

The onTamperDetected callback plays a crucial role in identifying and responding to signature verification issues within the application. This powerful layer of security is easy to integrate—any developer can add it in just minutes. With Runtime Application Self-Protection (RASP), strengthening your app's defenses has never been simpler.

Try it for free for 2 months and experience how effortlessly you can boost your app’s protection; check out https://talsec.app to request the trial.

written by Akshit Singh

AI Device Risk Summary Demo | Threat Protection | Risk Scoring | Malware Detection | Android & iOS

An exclusive preview of the technology that will define tomorrow's mobile security.

Revolutionizing Mobile Security: AI-Powered Device Risk Summary

For banking applications, fintech platforms, and any app where sensitive operations occur, preventing mobile fraud is critical. The challenge is to implement robust security without creating friction for the user. Imagine preventing fraudulent transfers or account takeovers with a seamless, user-empowering flow. This powerful, dynamic approach is the future of mobile security, moving beyond static defense to an interactive shield that helps, not just hinders.

What if you could not only detect a critical threat on a user's device but also guide them to fix it and complete their action securely, all within moments? At Talsec, we're thrilled to unveil a groundbreaking new capability that does just that. Let's walk you through a real-world scenario to demonstrate the power of our advanced security, culminating in our new AI Device Risk Summary.

The Scenario

Imagine a user is excited to buy a new pair of shoes from your e-commerce mobile application. They have found the perfect pair, added them to the cart, and are ready to check out. However, there's a hidden problem: their device is infected with malware.

Step 1: The Initial Purchase Attempt

The user proceeds to the payment page, ready to enter their card details. Instantly, Talsec's in-app security kicks in as an automatic background security step-up.

Step 2: Intelligent Security Check and Risk Assessment

Here's where the magic begins. While the input fields for the user's sensitive card information are temporarily disabled, Talsec performs a comprehensive device security scan in the background. The result? A high-risk score is returned, confirming that critical threats are present on the device, making it unsafe to proceed with an EMV payment transaction.

Step 3: AI-Powered Risk Summary and Crystal-Clear Guidance

This is the game-changer. Rather than leaving the user confused and likely to abandon their cart, your app now presents them with Talsec's AI Device Risk Summary. This user-friendly interface clearly explains the problem.

Threat Report: A concise report informs the user that a specific threat has been found. In this case, it’s dangerous "SMS Forwarder" malware – a type of spyware that can intercept one-time passwords and other sensitive information sent via text message.
Remediation Steps: The summary provides simple, actionable guidance, instructing the user on how to locate and uninstall the malicious application from their device.

Step 4: From Threat to Trust

The user follows the straightforward instructions and successfully removes the SMS Forwarder malware. They are now confident that their device is clean and their information is safe.

Step 5: A Secure Second Attempt and a Successful Transaction

The user returns to your app and attempts the purchase again. This time, the Talsec security check runs and delivers a vastly improved, low-risk score. The system recognizes that the threat has been neutralized.

The sensitive card detail fields are now enabled. The user confidently enters their payment information, completes the EMV transaction, and their purchase is successful.

From Friction to Empowerment

This entire process turns a potentially disastrous security incident into a positive user experience. You have not just prevented fraud; you have empowered your user to secure their own device, building trust and loyalty in your brand.

Would you like to protect your app with our new AI Device Risk Summary and transform your users' security experience?

Contact us to get more information about this awesome new feature! Visit and request a demo.

Podcast: iOS Keychain vs Android Keystore

Unlock the secrets of mobile security! In this insightful podcast, Devyany Vij (Senior Product Security Engineer @ Tide), Oleksandr Leushchenko @olexale (Google GDE, Engineer Manager @ Tide), and Tomáš Soukal (Senior Mobile Security Dev, Product Owner at Talsec) dive deep into the differences and unique capabilities of the Android Keystore and iOS Keychain—two essential tools every app developer should understand.

Discover how each platform protects sensitive data like encryption keys and passwords, what makes them secure, and how their access controls and hardware integrations work behind the scenes. Whether you’re building for Android, iOS, or both, you’ll get practical tips and clear explanations to help you choose the right approach for your next project. Perfect for developers who want to level up their app security knowledge—don’t miss it!

Big thanks to Majid Hajian @mhadaily (Azure & AI advocate @ Microsoft, Dart & Flutter community leader) for help with the production of this podcast

Obfuscation of Mobile Apps

This article will delve into the concept of obfuscation, explore its different types, and articulate Talsec's philosophy on its application. We believe in a balanced and pragmatic approach, prioritizing the most developer experience, app performance, exploitability of attack techniques while minimizing potential drawbacks and considering cost efficiency, to ensure both security and the smooth business operation of your mobile applications.

Refer to the Glossary for the full article: https://docs.talsec.app/glossary/obfuscation

Understanding the Fundamentals of Obfuscation

The primary goal of mobile app obfuscation is to render the application's code more difficult for an attacker to understand after it has been decompiled. Think of it as scrambling the blueprint of your application, making it significantly harder for someone to decipher its structure, logic, and sensitive information. While obfuscation doesn't make your application completely impenetrable – a determined attacker with enough time and resources might eventually succeed – it drastically increases the effort and expertise required, often making the attack economically unviable.

It's crucial to understand that obfuscation primarily focuses on hindering static analysis – the examination, understanding or tampering of the application's code at build time. Runtime attacks, where malicious actors attempt to manipulate the application while it's running, require a different set of defenses, which is where RASP technologies like those offered by Talsec come into play.

Obfuscation and RASP are complementary security layers, working in tandem to provide comprehensive protection.

Deconstructing Obfuscation: Three Key Types

The concept of obfuscation can be broadly categorized into three distinct types, each targeting different aspects of the application's code:

A) Name Obfuscation for Classes, Methods, and Fields

This type of obfuscation focuses on renaming the classes, interfaces, methods, and fields within the application's code to meaningless and often short identifiers. Instead of descriptive names like UserManager, authenticateUser, or userPassword, these elements might be renamed to something like a, b, or c.

Key Concepts

Renaming: The core mechanism involves replacing meaningful names with arbitrary strings.
Reduced Readability: This significantly hinders an attacker's ability to understand the purpose and functionality of different code components simply by examining their names. It breaks the semantic link between the code and its intended behavior.
Limited Complexity: Name obfuscation is generally the least complex type of obfuscation to implement and has minimal impact on the application's performance or stability.
Generic Applicability: This technique is indispensable and straightforward, as it is a complimentary compiler feature that yields a significant security advantage.

Example

Consider a class responsible for handling user sessions:

Copy

public class UserSessionManager {
    private String loggedInUsername;
    private boolean isLoggedIn;

    public boolean authenticateUser(String username, String password) {
        // Authentication logic
    }

    public String getLoggedInUsername() {
        return loggedInUsername;
    }
}

After class name obfuscation, this might become:

Copy

public class a {
    private String b;
    private boolean c;

    public boolean d(String e, String f) {
        // Authentication logic
    }

    public String g() {
        return b;
    }
}

While the underlying logic remains the same, the renamed elements provide no clues to an attacker about the class's purpose or the functionality of its methods and fields.

Talsec offers a feature to ensure that this basic obfuscation technique is applied and trigger the security threat control if this was skipped at build time.

B) String Obfuscation

String obfuscation focuses on concealing string literals embedded within the application's code. These strings can often reveal sensitive information, such as API keys, Certificates, URLs, error messages, or even business logic. By obfuscating these strings, you prevent attackers from easily extracting valuable insights or identifying critical parts of your application.

Key Concepts

Encoding and Encryption: String obfuscation typically involves encoding or encrypting the string literals within the application.
Runtime Decoding/Decryption: The original strings are reconstructed at runtime, only when they are actually needed by the application.
Increased Analysis Difficulty: Attackers cannot simply search for specific keywords within the decompiled code to uncover sensitive information. They need to understand the obfuscation algorithm and potentially reverse-engineer the decoding/decryption process.

Example

Consider the following code snippet containing an API key:

Copy

String apiKey = "YOUR_SUPER_SECRET_API_KEY";
String apiUrl = "https://api.example.com/data";
After string obfuscation, this might look like:
Java
String apiKey = new String(Base64.getDecoder().decode("WU9VX1NVUEVSX1NFQ1JFVF9BUElfS0VZ"));
String apiUrl = new String(Base64.getDecoder().decode("aHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YQ=="));

An attacker examining the decompiled code would see seemingly random strings, requiring them to identify and reverse the Base64 decoding to uncover the actual API key and URL. More sophisticated techniques involving encryption would further complicate this process. Talsec provides a Secure Vault feature to address this need with high level data protection.

C) Control-Flow Obfuscation

Control-flow obfuscation aims to make the application's control flow – the order in which instructions are executed – more complex and difficult to follow. This is achieved by introducing artificial complexity, such as:

Key Concepts

Opaque Predicates: Inserting conditional statements whose outcome is always known at runtime but is difficult for an attacker to determine statically. This creates "dead code" paths that complicate analysis.
Bogus Code Insertion: Injecting code that has no functional impact on the application's behavior but serves to confuse and mislead attackers.
Branching and Jumps: Replacing straightforward sequential execution with a web of conditional and unconditional jumps, making it harder to trace the logical flow.
Exception Handling Abuse: Using exception handling mechanisms in non-standard ways to alter the control flow.
State Machine Transformation: Converting linear code sections into complex state machines, obscuring the original logic.

Control-flow obfuscation might transform this into a more convoluted structure involving opaque predicates and unnecessary jumps, making it harder to understand the simple conditional logic.

Warning: Code Packing and Encryption are Unsuitable for Modern Apps

Code packing and app binary encryption were once popular for protecting app binaries from reverse engineering, typically compressing executables with a runtime unpacking routine.

Today, these techniques are no longer commonly used and may be restricted by app stores. Apple requires disclosures for encryption use, while Google Play flags suspicious packing via Play Protect.

Their decline is largely due to widespread misuse by malware and incompatibility with modern app distribution policies.

Talsec's Perspective: A Pragmatic Approach to Obfuscation

At Talsec, we firmly believe that a layered security approach is the most effective way to protect mobile applications. Obfuscation is a crucial component of this strategy, acting as a vital deterrent against static analysis. However, we also recognize the trade-offs associated with different obfuscation techniques.

Our Stance on Obfuscation Types

Class Name Obfuscation and String Obfuscation: Must-Haves for Sensitive Apps: We consider both class name and string obfuscation as essential baseline security measures for any application handling sensitive data or implementing critical business logic. The relatively low overhead and significant increase in analysis difficulty make them highly valuable in hindering casual attackers and raising the cost for more sophisticated ones. Implementing these techniques should be a standard practice in your mobile app development lifecycle.
Control-Flow Obfuscation: Reserved for Algorithm Protection: While control-flow obfuscation can offer a higher degree of protection against reverse engineering of specific algorithms, we believe its application should be carefully considered and generally reserved for scenarios where the application's core algorithm itself is a significant intellectual property asset.

The Challenges of Control-Flow Obfuscation

We acknowledge that control-flow obfuscation can introduce several complexities and potential issues:

Increased Integration Complexity: Integrating and configuring control-flow obfuscation tools can be more challenging compared to class and string obfuscation.
Potential for Non-Deterministic Bugs: The transformations applied by control-flow obfuscation can sometimes introduce subtle and hard-to-debug issues that may not manifest consistently.
Performance Impact: The added complexity in the control flow can potentially lead to performance overhead, impacting the application's responsiveness and battery consumption.
App Store Review Issues: Aggressive control-flow obfuscation techniques can sometimes be flagged by app store review processes due to the significant code modifications they introduce.

Our Recommendation for Algorithm Protection

If your application's core algorithm is a critical asset that requires a higher level of protection than class and string obfuscation can provide, we recommend a more targeted approach:

Isolate Sensitive Code: Move the algorithm's implementation to code written in a lower-level language like C or C++.
Separate Obfuscation: Apply robust obfuscation techniques specifically designed for C/C++ code to this isolated module.
Minimize Impact: By isolating the sensitive code, you limit the potential negative impacts of complex obfuscation on the main application codebase, reducing integration challenges, performance concerns, and the risk of introducing widespread bugs.

Talsec's Commitment to Comprehensive Security

While Talsec doesn't directly provide control-flow obfuscation for the main application code due to the aforementioned complexities, we are committed to offering our partners a holistic security solution.

We can recommend and facilitate integration with reliable third-party tools that specialize in obfuscation enabling you to effectively protect your most critical algorithms without compromising the stability and maintainability of your primary application code.

Conclusion

Obfuscation is an indispensable tool in the mobile app security arsenal. By making your application's code significantly harder to understand, you deter attackers and protect your intellectual property and sensitive data.

Talsec advocates for a pragmatic approach, emphasizing the crucial role of class name and string obfuscation as fundamental security layers for all sensitive applications. While acknowledging the potential benefits of control-flow obfuscation for specific algorithm protection, we recommend a targeted strategy involving isolating sensitive code in C/C++ and applying specialized obfuscation tools to minimize risks and ensure a robust and stable application.

At Talsec, we are dedicated to providing you with the tools and knowledge necessary to build secure and resilient mobile applications. By understanding the nuances of obfuscation and adopting a layered security products RASP, App Hardening, Malware Detection, AppiCrypt and carefully chosen obfuscation techniques, you can significantly enhance your application's defenses against the ever-evolving threat landscape.

Simple Root Detection: Implementation and verification

Introduction

In the area of mobile application security, the development of new techniques is a constant game of cat and mouse. Developers work tirelessly to implement new methods of identifying and mitigating the risks associated with rooted devices, while attackers continually develop more sophisticated tools to bypass these safeguards. In this article, we will explore what rooting is, outline basic root detection techniques, and show you how to effectively test your implementation.

Check out and for industry leading root detection

Rooting: What It Is And How It Affects Mobile Security

Rooting is the process of gaining privileged control over an Android device, allowing users to bypass system restrictions and obtain full administrative privileges. This process enables the installation of specialized apps, modification of system settings, or running commands that are otherwise restricted in the default user environment.

On the one hand, these capabilities enhance control over the device, providing users with greater flexibility and customization options. On the other hand, rooting introduces significant security risks, as it can expose the system to unauthorized access, malicious activity, or potential vulnerabilities.

In the context of root detection testing, rooting presents a serious challenge as it disables or bypasses many of the operating system’s built-in mechanisms. Therefore, detecting signs of rooting is crucial for maintaining device integrity and preventing vulnerabilities that could be exploited by attackers.

Learn more:

Shut the Mouse Hole: Stop Attackers with Root Detection

As outlined in the previous section, Android devices with root access are significantly more exposed to mobile malware, privilege escalation exploits, and persistent system compromise due to the lack of enforced security boundaries. These rooted environments often become attractive entry points for attackers, allowing them to gain unauthorized access not only to sensitive user data but also for other components of the mobile ecosystem.

Given these significant risks, it is essential to implement reliable root access detection that can effectively identify compromised devices before serious security breaches occur. Root detection is the first line of defense against these threats and should be an integral part of the security architecture of any application.

However, root detection is not a simple task. As rooting techniques evolve, so do the methods for bypassing detection. Root bypass techniques have become increasingly sophisticated, making it necessary to implement multi-layered root detection mechanisms. Relying on a single method of detection is not sufficient, as attackers often find ways to circumvent basic checks.

Learn more:

Common Root Detection Techniques

There are several common techniques used to identify rooted devices, each targeting a specific characteristic or modification that typically occurs when a device is compromised. By combining these techniques, it is possible to create a more robust method for detecting rooted devices, helping to reduce the security risks posed by compromised devices.

File-based detection

Rooting often leaves behind characteristic traces in the file system, and by probing for these artifacts, it’s possible to identify compromised devices. These artifacts may include binaries, configuration files, or directories commonly associated with rooting tools.

One of the most recognizable indicators is the presence of the su binary, which is typically used to grant superuser privileges to applications. This binary may be located in several paths depending on the rooting method or tool used, such as:

/system/bin/su
/system/xbin/su
/sbin/su
/data/local/su
/data/local/xbin/su

Some devices may also contain utility binaries like busybox, which provides a suite of Unix tools often included in rooted environments:

/system/xbin/busybox
/system/bin/busybox

Root management apps, such as SuperSU or Magisk, may install APKs and daemon scripts to maintain root access. These files can also be detected at known locations:

/system/app/Superuser.apk
/system/etc/init.d/99SuperSUDaemon
/system/xbin/daemonsu
/dev/com.koushikdutta.superuser.daemon/

Implementing a scan for these files can serve as a basic yet effective first layer of root detection.

Process-based detection

Some root detection techniques focus on monitoring and interacting with processes that are commonly associated with root access. Root management tools typically rely on binaries like su to elevate privileges, or sh to execute scripts with root permissions. By attempting to invoke these processes at runtime, it’s possible to detect their presence and functionality, even if their files are hidden or obfuscated.

Package-based detection

Rooted devices often rely on specialized apps to manage superuser access and maintain elevated privileges. These root management tools, such as Magisk, SuperSU, or older solutions like Superuser.

Android provides APIs to query all installed packages using the PackageManager. By comparing package names against a known list of popular root-related apps, it’s possible to detect the presence of these tools on the device.

Some commonly used package names include:

eu.chainfire.supersu
com.noshufou.android.su
com.koushikdutta.superuser
com.zachspong.temprootremovejb
com.ramdroid.appquarantine
com.topjohnwu.magisk

System property-based detection

Custom or tampered Android builds often leave identifiable traces in system properties. These builds may originate from user-modified ROMs or developer-compiled firmware images and frequently bypass standard security mechanisms. Detecting such modifications can help determine if a device is running a non-standard and potentially insecure, operating system.

One common technique involves inspecting the Build.TAGS property. Another indicator is the absence of Google’s Over-The-Air (OTA) update certificates.

Static Analysis for Root Traces

One approach to determine whether an application includes root detection mechanisms is to perform a static analysis. This technique enables the examination of the application’s code without requiring execution. It also helps identify embedded root detection logic, such as techniques outlined in the section Common Root Detection Techniques.

This method is particularly useful during security assessments, where it’s important to understand how thoroughly an application protects itself against rooted environments. The following steps outline how to perform static analysis to detect common root detection implementations:

Check for root detection indicators

Apps may check for the presence of files commonly associated with rooted devices (e.g., /system/xbin/su, /data/data/com.superuser.android.id) or for root management apps (e.g., SuperSU, Magisk).
Run a static analysis tool such as MobSF or Apktool on the app binary to look for common root detection checks.

Non-standard system behavior detection

Check if the app monitors processes that shouldn't normally be running, such as su or sh, which are typically associated with root management tools.
Reviewing the app's smali or assembler code can reveal whether the app checks for or interacts with such processes.

System properties modification detection

Apps may monitor system properties (e.g., ro.debuggable, ro.secure) for changes, adding another layer to the root detection process.

Critical system directories modification detection

Check if the app attempts to modify files or settings in critical system directories, such as /data or /system, which should remain immutable on unrooted devices.

As a result of this analysis, one should be able to observe whether the application contains any of these typical root detection patterns. If such mechanisms are present and clearly target known indicators of root access, it can be concluded that the app implements root detection properly.

It’s important to note that static analysis has limitations and may not reveal all root detection logic, especially if it is obfuscated or implemented using unconventional techniques.

Dynamic Detection of Root Access

Another approach to determine whether an application includes root detection mechanisms is to perform dynamic analysis. This technique involves observing the application’s behaviour at runtime while it operates on a potentially rooted device. It allows testers to understand how the application interacts with the system and whether it performs any real-time checks for root-related indicators.

This method is particularly useful during runtime security assessments, where the goal is to verify if the application can detect and respond to signs of root access under realistic conditions. The following steps outline how to perform dynamic analysis to detect runtime root detection behaviour:

Monitor Application Behaviour

Use tools like strace or similar utilities to trace how the app checks for root access. Look for interactions with the system, such as attempts to open su, check running processes, or read root-specific files. This analysis helps uncover how the app performs root detection and may reveal potential weaknesses.

Bypassing Root Detection Mechanisms

Run a dynamic analysis tool such as Objection to attempt automated root detection bypass. Use commands to manipulate root checks and observe whether the app still correctly detects root access or if its security mechanisms can be bypassed.

As a result of this analysis, one should be able to determine whether the application performs root detection at runtime and how resilient it is to bypass techniques. If the application actively checks for root indicators and responds appropriately, even under attempts to tamper with its logic, it can be considered to have a well-implemented runtime root detection mechanism. However, if no signs of root detection are observed, or if the application’s checks are easily bypassed, it suggests that the implementation may be incomplete or ineffective.

A Hands-On Demo

This section demonstrates how root detection logic present in an Android application can be verified via static analysis using Semgrep. The test is performed on a class containing basic root detection techniques.

In real-world scenarios, security engineers often work with Android applications where the original source code is not available. However, static analysis can still be performed by reconstructing the code using reverse engineering tools like jadx or apktool. These tools allow analysts to obtain Java or Smali code from an APK file.

For the purposes of this hands-on example, we’ll assume the source code is already available (or has been successfully reconstructed) and focus on the static analysis part.

Let’s take a look at a simple class that contains basic root detection logic:

Before we begin, make sure you have Semgrep installed. You can install it using:

pip install semgrep

or , if you’re using macOS:

brew install semgrep

If you’re working with code reconstructed from APK (e.g., RootDetection_reversed.java obtained via jadx), you can run Semgrep on the reversed Java file instead of the original Kotlin source.

Here’s an example of a Semgrep rule that identifies common patterns used in root checks:

You can run Semgrep with this rule:

semgrep -c root-detection.yml RootDetection_reversed.java

When executed, Semgrep will provide results similar to this:

Conclusion

To conclude, implementing effective root detection techniques is crucial for maintaining mobile security and protecting users from potential threats posed by compromised devices. As rooting methods evolve, developers must employ multi-layered detection strategies to stay ahead of attackers who seek to bypass security measures. Combining file-based, process-based, package-based, system property-based, and dynamic detection techniques can create a robust defense against rooting-related risks.

For industry-leading root detection, explore and , which provide advanced security features to safeguard mobile applications from threats.

For additional terminology and security insights about rooting, jailbreaking and hooking, visit the .

Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back

Let's dive into Akshit Singh's insights on how Frida works, the risks it poses to mobile apps, and why effective Frida detection is crucial. This article highlights Talsec’s freeRASP as the #1 RASP solution by popularity, showcasing its advanced Frida-server detection and other security features that provide a robust defense against app tampering, ensuring real-time protection and resilience.

Introduction

In today's mobile security landscape, protecting applications is a constant cat-and-mouse game between defenders and attackers. Dynamic instrumentation tools like Frida have become a favourite weapon for adversaries, allowing them to hook into application processes, bypass security mechanisms, extract sensitive data, and manipulate runtime behavior . In response, developers implement Frida detection techniques like checking for suspicious libraries, unusual system calls, process injections, etc. However both sides continuously adapt to the methods of the other side and just start thinking about how to outsmart the other. This makes engineers dig deep to depths of working of these tools and overtake the other side.

Well, today we are going to dig deep inside such a tool that can tamper with any app's working and manipulate its code, giving the attackers an unfair advantage.

What is Frida?

Frida is a powerful dynamic instrumentation toolkit designed for cross-platform applications, supporting Android, iOS, Windows, Linux, and macOS. It allows developers, security researchers, and reverse engineers to analyze, modify, and manipulate applications at runtime. By injecting scripts into a running process, Frida enables real-time introspection of an application's internal functions, memory structures, and API calls. This makes it a valuable tool for debugging, security testing, and reverse engineering. With Frida, one can hook into functions, alter their behavior, or even bypass security mechanisms —all without modifying the application's original binary.

Here is a small script to demonstrate how frida works and hooks the application:

Java.perform(function() {
var TargetClass = Java.use('com.example.app.TargetClass');

    TargetClass.targetMethod.implementation = function(arg1, arg2) {
        console.log("[*] targetMethod called with args: " + arg1 + ", " + arg2);
        var result = this.targetMethod(arg1, arg2);
        console.log("[*] targetMethod returned: " + result);
        return result;
    };
});

This script hooks the targetMethod of the class TargetClass and prints out its arguments and the result whenever it is called inside the application with package name - com.example.app .

Frida is a tool that hooks the function of an application by injecting its own code inside the app. There are essentially two ways to tamper an app using frida-gadget patches or by using frida-server on the app's target device.

Using Frida

There are two ways to use Frida on an application on a device:

Patching an application to use Frida:
- Decompile the application using apktool .
- The target application has to be patched by moving the right version of frida-gadget inside the application as libfrida-gadget.so .
- The decompiled app has to be aligned and signed again correctly using zipalign and jarsigner .
- Now whenever the application runs it will be able to connect to the frida client running on a remote system.
Using frida-server
- It is important to remember that this method might appear easier and simpler than the patching method but it only works in rooted devices.
- Move the right version of frida-server into the device and execute the binary.
- Connect to the frida-server through your local system using the frida command.

And voila you are ready to change the app without changing it :D

There are plenty of other tools that can be used for dynamic instrumentation of apps just like frida and they are too able to inject scripts into them during runtime. But what makes Frida unique is its integration with popular programming languages like Python and JavaScript, enabling powerful and flexible instrumentation:

Here are some examples of using frida in python:

This is the script that helps us to hook a function target_function() inside the native library libnative-lib.so embedded inside the application com.target.app :

import frida

# Payload
jscode = """
Interceptor.attach(Module.findExportByName("libnative-lib.so", "target_function"), {
    onEnter: function(args) {
        console.log("[*] Hooked target_function!");
        console.log("Arg[0]: " + args[0].toInt32());
        console.log("Arg[1]: " + args[1].readUtf8String());
        
        args[0] = ptr(1337);  // Change integer argument
        args[1].writeUtf8String("Hacked!");  // Change string argument
    },
    onLeave: function(retval) {
        console.log("Original return value: " + retval.toInt32());
        retval.replace(42); //Changing the return value
    }
});
"""
device = frida.get_usb_device()
session = device.attach("com.target.app") 
script = session.create_script(jscode)
script.load()

This is similar to hooking a java method inside the application during runtime but instead of attaching through the classes we use interceptors to be able to load the native non-static methods first and then hook them.
The similar code can be written in js:

const frida = require('frida');

async function main() {
    const device = await frida.getUsbDevice();
    const session = await device.attach("com.target.app");
    const scriptCode = `
        Interceptor.attach(Module.findExportByName("libnative-lib.so", "target_function"), {
            onEnter: function(args) {
                console.log("[*] Hooked function called!");
                console.log("Arg[0]: " + args[0].toInt32());
            }
        });
    `;

    const script = await session.createScript(scriptCode);
    script.message.connect(message => console.log(message));
    await script.load();

    console.log("[+] Hook installed!");
}
main();

These dependencies of frida in languages like Python and JS make frida more powerful and efficient and even more compatible to be integrated with other advanced tools.

The power of Frida

Frida can be used to tamper with various functions inside the app in runtime also allowing us to bypass many checks and protections like Root checks, SSL pinning and Emulator checks.

Bypassing Root checks

Below is an example of one of the script that can be used to bypass root check in a library named JailMonkey that intends to detect rooted devices:

Java.perform(() => {
    try {
        const klass = Java.use("com.gantix.JailMonkey.JailMonkeyModule");
        const hashmap_klass = Java.use("java.util.HashMap");
        const false_obj = Java.use("java.lang.Boolean").FALSE.value;

        klass.getConstants.implementation = function () {
            var h = hashmap_klass.$new();
            h.put("isJailBroken", false_obj);
            h.put("hookDetected", false_obj);
            h.put("canMockLocation", false_obj);
            h.put("isOnExternalStorage", false_obj);
            h.put("AdbEnabled", false_obj);
            return h;
        };
    } catch (error) {
        console.error("An error occurred:", error);
    }
});

The above script hooks into the main class of the module and changes the implementation of the getConstants function to acquire the values of all the final detection variables as false. So it actually does not matter whether it detects root or not. It will show it as false as its final variables values are changed.

Bypassing emulator checks

https://codeshare.frida.re/@fdciabdul/frida-multiple-bypass

The above script has a function that is able to bypass emulator checks in various security modules by setting up fake device names, brand names, product names and other fake values inside the device properties to throw the detector off.

Bypassing SSL pinning:

https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2

The above script is the smaller and more specific version of the SSL pinning bypass script that is effective in the Android Conscrypt security provider module. It hooks the TrustManagerImpl class and returns a null array instead of the array that the method should have returned to do SSL pinning encryption.

Developments in Frida

Frida was developed by Ole André V. Ravnås . Being the most used and famous tool in the field of mobile reverse engineering and security research, Frida has undergone many feature additions as well as upgrades that has improved the tool furthermore.

frida-rust : https://github.com/frida/frida-rust
- This is a prominent improvement by the frida community that has solved the problem of VM spawning overhead.
- Whenever we try to load a script into the target application or try to inject some code using Frida then it has to first spawn a js v8 engine and then execute the script inside it. This creates a large overhead that makes script execution very slower and the execution of large scripts very longer and memory extensive.
- frida-rust on the other hand does'nt have the problem of spawning any VM engine as it maintains a persistent session with the application and can communicate with the C APIs directly, increasing its speed many times compared to before.
Updates in frida-server
- There are many scripts that are out there claiming to be able to detect frida-server running on the device by communicating with it using its protocol.
- Maybe this is the reason that frida-server implementation was updated. It can now run on any port instead of a default port and its method of communication was changed making frida-server undetectable again. But is it really undetectable??

Frida CodeShare

https://codeshare.frida.re

Frida CodeShare is a community-driven platform where security researchers and developers share ready-to-use Frida scripts for various purposes, including reverse engineering, penetration testing, and debugging. The platform hosts a vast collection of scripts that help automate tasks such as bypassing root detection, decrypting network traffic, intercepting function calls, and modifying app behavior at runtime.

Scripts like Universal Android SSL pinning bypass, aesinfo and ObjC method observer (objective-C method hooking) are available on this site.

The Universal Android SSL pinning bypass

https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida

This script automates the process of pushing the Burpsuite certificate as a custom certificate on the device to be able to proxy the requests made by the target application.

It does this by making a custom Keystore and TrustManager so that the app does not verify the SSL certificate it is using.

aesinfo

https://codeshare.frida.re/@dzonerzy/aesinfo

This script is able to detect the AES encryption in any application by hooking into the cryptographic classes of Java like: Cipher,SecretKeySpec,IvParameterSpec to gather the info regarding the Key, IV and the Ciphertext fed into the methods of these classes and then changes the implementation of the doFinal method that is responsible for the encryption/decryption of the ciphertext.

Tools based on Frida

Runtime Mobile Security tool

https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security

It automatically detects the connected devices and the packages inside them helping the user to just interact with drop down menus and use default scripts to tamper with the apps.

This is a web interface tool that is user-friendly and has a number of frida scripts that can be used by just a click.

It makes filtering and scripting much easier as compared to using frida command line tool.

Medusa

https://github.com/medusajs/medusa

Medusa is an advanced Frida-based wrapper tool designed for dynamic instrumentation of mobile applications.

It has stored database of useful frida scripts that can be executed just by executing a command.
- It not only parses or enumerates the important files of an Android package but it also identify common attack vectors inside it.
- Its Python-based design makes it more user-friendly and easy to work with.

Objection

https://github.com/sensepost/objection

This is also a wrapper of frida tool that makes it easier to execute scripts like bypassing SSL pinning or anti-root checks and even makes it easier to patch the applications by embedding libfrida-gadget.so inside the app.
- It is a command-line tool that works without root access or jailbreaking the target app's device, helping us to perform penetration testing and malware analysis.

These are some general commands of using objection:
- objection patchapk --source target.apk is to patch the target application to use frida in it.
- android bypass root bypasses antiroot checks on the app.
- android sslpinning disable bypasses ssl pinning on the device.
- android sharedpreferences get dumps all the stored credentials in the target app.

freeRASP Protection

https://www.talsec.app/freerasp-in-app-protection-security-talsec

freeRASP is #1 RASP by popularity - free Runtime Application Self-Protection solution for all Android and iOS apps. Whether it is rooting, hooking, emulating, tampering or any other malicious practice inside the device that may harm the application, nothing can beat the RASP technology used by freeRASP.

Just try to integrate freeRASP into one of your application using https://docs.talsec.app/freerasp and use the methods like onRootDetected or onHookDetected to check your device in just a few moments.

Frida detection with freeRASP

Patching an application using Objection or frida-Gadget can be a complex process, as it requires resigning and correctly aligning the app.

On the other hand, running frida-server and interacting with the app through it is a much easier approach. This is why most users, including attackers, prefer using Frida-server on a rooted device to instrument applications.

Detecting frida-server is challenging because it allows communication on any port , and its recent updates have introduced new communication methods, making detection even more difficult.

However, frida-server isn't completely undetectable . Talsec's RASP (Runtime Application Self-Protection) technology is designed to spot it, no matter which port or communication method it uses. Also it doesn't just stop there—it also blocks attackers from using other tricks, like Objection patches, to manipulate the app.

This makes it a reliable defense against attackers using Frida, Objection, Medusa, and other hooking tools to compromise apps.

Conclusion

Frida is a powerful tool for dynamic instrumentation, allowing real-time analysis and modification of applications across multiple platforms. While invaluable for security researchers and developers, its capabilities can also be exploited by malicious actors to bypass restrictions, manipulate runtime behavior, and compromise app security. Without robust protection, applications remain vulnerable to these sophisticated attacks.

This is where Talsec's freeRASP becomes essential. With cutting-edge security features like Frida-server detection, Emulator detection, Root detection, and Developer Mode detection, freeRASP acts as a proactive defense layer, shielding applications from unauthorized tampering and advanced threats. By leveraging RASP (Runtime Application Self-Protection) technology, freeRASP ensures that your app remains secure, resilient, and protected in real time—making it a necessity, not an option.

Trusted by developers worldwide, freeRASP is the #1 RASP solution by popularity, setting the standard for in-app protection.

Exclusive Research: Unlocking Reliable Crash Tracking with PLCrashReporter for iOS SDKs

Crash tracking is a vital part of mobile app development, helping developers detect, diagnose, and resolve issues that affect user experience. Let's debunk common myths about crash tracking in SDKs.

Elevating SDK Stability with Advanced Crash Reporting

At Talsec, we are committed to delivering top-tier security SDKs, ensuring both reliability and seamless integration. To further enhance our quality assurance, we explored various crash-tracking solutions and successfully implemented a proof-of-concept (PoC) using PLCrashReporter – a lightweight and efficient crash-reporting framework.

Why Crash Tracking Matters

As our SDK portfolio grows – with offerings like , RASP+, and custom client adaptations – ensuring stability across different versions is a top priority. Introducing automated crash tracking empowers us to proactively address issues, minimize downtime, and enhance the overall developer experience.

Beyond stability, security and data privacy are core concerns for both us and our clients. Many third-party crash-tracking services collect and store crash data in ways that may not align with strict security policies. By opting for a custom implementation with PLCrashReporter, we ensure that crash data is handled entirely within our security guidelines, giving clients complete control over how and where their data is stored and transmitted.

Evaluating the Market: 3rd-Party Crash-Tracking Solutions

We assessed leading crash-tracking services based on framework size, ease of integration, and self-hosting capabilities. Here’s how they compare:

Sentry: Robust and open-source, but complex and premium-priced. (Framework size: ~20MB)
Bugsnag: Slightly lighter but lacks self-hosting. (Framework size: ~10MB)
Firebase Crashlytics: Closed-source and requires the full Firebase SDK, making it bulky. (Framework size: 100+MB; Oh wow, Google, seriously?)
Datadog: Primarily server-focused with intricate setup requirements. (Framework size: ~21MB)

While these services offer advanced features, they come with added complexity, costs, and potential privacy concerns. Many do not clearly document how crash reports are stored prior to submission, leaving uncertainty around data security between the moment of a crash and when the report reaches the server.

The Power of PLCrashReporter

To maintain efficiency and independence, we turned to PLCrashReporter – a lightweight, open-source crash-reporting framework for iOS/macOS. Key benefits include:

Compact footprint (4.2MB framework size)
Zero operational costs
Complete control over data collection and reporting
Open source nature enables secure on-device storage of crash data until transmission, reducing exposure risks

By integrating PLCrashReporter, we ensure that all crash data remains securely stored until it is explicitly sent to the designated endpoint. This provides an additional layer of security rarely addressed in third-party solutions, aligning with the highest standards of data privacy and compliance.

Seamless Integration & Compatibility Insights

We rigorously tested PLCrashReporter alongside common crash-reporting services to ensure compatibility:

Sentry (8.43.0): Fully compatible, with seamless integration.
Bugsnag (6.31.0): No issues, though some VPNs may block communication.
Firebase Crashlytics (11.7.0): Works but logs a non-critical warning.
Datadog (2.23.0): Conflict due to Datadog’s internal use of PLCrashReporter. A customized approach may resolve this.

Next Steps & Optimization

With our PoC validated, we are now focused on refining the integration by:

Ensuring flawless coexistence with third-party crash reporters
Optimizing data collection for more actionable privacy-focused crash insights
Enhancing security mechanisms for even stronger data protection

Join the Conversation

We’re eager to collaborate with the developer community! If you have expertise in PLCrashReporter implementation, multi-SDK crash management, or advanced analytics integration, we’d love to hear from you.

Let’s build a smarter, more resilient crash-reporting ecosystem – together! Stay tuned for more updates on our progress.

How to Block Screenshots, Screen Recording, and Remote Access Tools in Android and iOS Apps

Tomáš Soukal provides an in-depth guide on how to block screenshots, screen recording, and remote access tools in Android, Flutter, React Native, and iOS apps.

"For Your Eyes Only" Principle

Ever felt embarrassed after accidentally leaking your account balance, private messages, or personal photos and videos? As app developers, we’re often tasked with preventing such privacy breaches. Fortunately, implementing the right countermeasures is simpler than you think—and I’ll show you how.

For Your Eyes Only isn’t just a catchy phrase—it’s rooted in espionage history and made famous by the 1981 James Bond film. Originally used to label highly classified documents intended solely for authorized eyes, it perfectly captures the essence of protecting user data in mobile apps. When it comes to your users’ sensitive information, it truly should be for their eyes only.

Let’s explore a few common mobile app scenarios where you might want to enhance privacy and security:

Hide Everything: Protect highly sensitive content like health reports, password screens, account balances, recent transactions, and browsing history.
View, But Don’t Share: In galleries, stories, and dating apps, guard against unauthorized sharing by blocking screenshots and screen recording.
Leakage Awareness: Notify users if someone takes a screenshot of their stories, reels, or other ephemeral content.
Combat Social Engineering & Phishing: Block remote access tools like TeamViewer or AnyDesk to prevent attackers from stealing data or tricking users in phishing scams.
Penetration Testing Defense: Skilled testers often use remote access tools to demonstrate data leakage vulnerabilities—make this an impossible win by securing against RAT exploits. Check MASWE-0055 OWASP Mobile Security Standard requirement.

RASP Solution

At Talsec, we set out to solve this problem elegantly by introducing three simple methods to tackle it effectively. You will find them both in the freeRASP and RASP+ on all supported platforms (Android, Flutter, React Native, Capacitor, Cordova, iOS).

blockScreenCapture
onScreenshotDetected
onScreenRecordingDetected

Blocking / Unblocking Screen Capture

Talsec provides comprehensive protection against all listed categories of screen capture apps, ensuring your app’s content remains secure. All previosly listed categories can be blocked, with the screen appearing black in screenshots, recordings, or casting.

To easily implement this protection, simply use the Talsec.blockScreenCapture(this, true) method within your application.

public class DemoApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();

        // Talsec initialization code
        // ...

        // Register a callback to listen to activity lifecycle events
        registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
            @Override
            public void onActivityCreated(@NonNull Activity activity, @Nullable Bundle bundle) {
                // Block (true) or unblock (false) screen capturing
                Talsec.blockScreenCapture(activity, true);
            }
            // ...
        });
    }
}

Result

The protected application will display as a blank (black) screen in screenshots, screen recordings, screen casting, or when accessed through remote access tools like TeamViewer.

Screenshot Detection Integration

Screenshot Detection can be integrated by implementing onStart() and onStop() in the Activity class. Talsec is notified about the screenshot through Talsec.onScreenshotDetected(). This is returned to the application via the onScreenshotDetected() callback and processed further in the SDK.

Our RASP provides convenient callback method:

override fun onScreenshotDetected() {
    // your custom logic here
}

To integrate it you will need to integrate it into your Activity:

Screenshot Detection requires target Android SDK at least 34 (Android 14, API Level 34, Upside Down Cake).

[AndroidManifest.xml]
<uses-permission android:name="android.permission.DETECT_SCREEN_CAPTURE" />

[MainActivity.kt]
class MainActivity : ComponentActivity() {
    private lateinit var screenCaptureCallback: ScreenCaptureCallback

    override fun onCreate(savedInstanceState: Bundle?) { … }

    override fun onStart() {
        super.onStart()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            screenCaptureCallback = ScreenCaptureCallback {
                Talsec.onScreenshotDetected()
            }
            registerScreenCaptureCallback(mainExecutor, screenCaptureCallback)
        }
    }

    override fun onStop() {
        super.onStop()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE && screenCaptureCallback != null) {
            unregisterScreenCaptureCallback(screenCaptureCallback)
        }
    }
}

Screen Recording Detection Integration

Screen Recording can be integrated by implementing onStart() and onStop() in the Activity class. Talsec is notified about the screenshot through Talsec.onScreenRecordingDetected(). This is returned to the application via the onScreenRecordingDetected() callback and processed further in the SDK.

Our RASP provides convenient callback method:

override fun onScreenRecordingDetected() {
    // your custom logic here
}

To integrate it you will need to integrate it into your Activity:

Screen Recording Detection requires target Android SDK at least 35 (Android 15, API Level 35, Vanilla Ice Cream).

[AndroidManifest.xml]
<uses-permission android:name="android.permission.DETECT_SCREEN_RECORDING" />

[MainActivity.kt]
import android.view.WindowManager.SCREEN_RECORDING_STATE_VISIBLE
import java.util.function.Consumer

class MainActivity : ComponentActivity() {
    private val screenRecordCallback = Consumer<Int> { state ->
        if (state == SCREEN_RECORDING_STATE_VISIBLE) {
            Talsec.onScreenRecordingDetected();
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) { … }

    override fun onStart() {
        super.onStart()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
            val initialState =
                windowManager.addScreenRecordingCallback(mainExecutor, screenRecordCallback)
            screenRecordCallback.accept(initialState)
        }
    }

    override fun onStop() {
        super.onStop()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
            windowManager.removeScreenRecordingCallback(screenRecordCallback)
        }
    }
}

Free and Business Approaches to Prevent Screen Capture Threats

To effectively block all screen capture threats, both free and business approaches can be used depending on your security needs. For those seeking a cost-effective solution, and offer foundational protection. These tools can block basic screen capture threats while incorporating malware detection technologies to uncover Remote Access Tools (RATs) by searching for package names and risky permissions. This provides a robust initial layer of security without the need for a premium plan.

For businesses looking to implement more complex, customizable security solution RASP+ provides advanced features that go beyond simple threat detection. With built-in reactions, MalwareDetection, Overlay Detection, and Accessibility Services Misuse Detection, businesses can create a comprehensive defense strategy. Additionally, incidents such as screenshots and screen recording attempts are recorded in logging data, enabling thorough tracking.

written by Tomáš Soukal

Flutter Security 101: Restricting Installs to Protect Your App from Unofficial Sources

Introduction

In today’s mobile app ecosystem, ensuring your app is secure from piracy, tampering, and sideloading is more important than ever. With unofficial app stores and third-party platforms on the rise, developers face the risk of their apps being stolen, modified, or misused, often leading to revenue loss, security breaches, and reputation damage. One simple but effective measure to safeguard your app is enforcing install source restrictions, ensuring it only runs if downloaded from official stores like Google Play or the Apple App Store. This article explores how you can implement these checks and why it’s crucial for app security.

How Unauthorized Installs Lead to Vulnerabilities

Distributing an app through unofficial channels opens the door to numerous security threats, many of which could have devastating consequences for both the developer and users. Unauthorized installs can lead to significant breaches in security for several reasons:

Tampered versions of the app
Lack of official updates and security patches
Data leaks and privacy concerns
Exploits for ads or in-app purchases
Gateway for broader attacks

Commonly, fake applications are installed through the internet browser, file manager, cloud storage, or various messaging apps.

One common scenario is that the app being installed has been tampered in order to skip verifications of some kind or in order to add malicious code to it. As an example, an attacker can use apktool to decompile the apk:

This gives back a smali version of the app that can be changed later on. Think of smali code like an assembly-like language that is a low-level representation of the compiled Java code. That can be modified by maybe adding a key logger function of some sort.

Than is as simple as repacking the app with

and then resign the apk

This high-level example shows how dangerous it can be to install an app like this for both developer and user. Users who unknowingly download these tampered versions may be exposed to malware, spyware, or data-stealing mechanisms that compromise their personal information. This type of unauthorized access could include reading sensitive files, intercepting user data, or even hijacking user accounts. Developers can be harmed both in terms of their reputation and earnings. Modified app versions may disable ads, unlock premium features for free, or provide unauthorized access to paid content.

How to Check to Install Sources in Your Mobile App

One basic strategy is to check the install source every time the user launches the app and react accordingly.

Let’s see a quick and easy example using Flutter. Keep in mind that we will write some native code for Android and iOS, so you can use the same code if your app is native only or if you want to use it in any other framework.

So first of all, let’s create a new Flutter project with flutter create check_install_source. You can remove the main.dart file entirely and replace it with the following, starting with the necessary imports and the classi main declaration:

Then we can create a MyApp class

In the actual MyAppState we can implement a simple build method and the initState :

Now let’s add a new method called _checkInstallSource in the initState

So that we can implement it as following:

What’s happening here is that we are calling specific native function using flutter’s method channels () so that we can perform some action in the native side. Of course we are catching exceptions that may occur.

When we call getInstallerPackageName **Android method we will ask what the install source is. In this case we are checking against com.android.vending that’s the Google Play Store but you can also check plenty of other alternative stores like Samsung Galaxy Store com.sec.android.app.samsungapps.

On the other hand, when calling validateAppStoreReceipt iOS method we are checking that an App Store receipt is present. Even on free apps, Apple attach a receipt file to verify the authenticity of the executable. Of course just checking if the receipt is there or not could not be enough so you can perform additional verification or send receipt to your server for validation ().

Now, before checking kotlin and swift code, let’s see what we can do with those informations and let’s implement the _showErrorAndExit() method.

Keep in mind that’s just an example to alert the user. Exiting an app with exit(0) it’s not usually recommended because Apple may reject your app when submitting it to the AppStore.

Now open the MainActivity.kt file in Android folder and swap the content with necessary import first:

and than change the MainActivity class as following:

In this chunk of code we are implementing Flutter method channel in Android counterpart, getting ready to listen for the same method getInstallerPackageName that we implemented in Dart. Using packageManager we can get the installer package name and pass it back to Dart.

We can move to iOS folder opening AppDelegate.swift and adding imports:

We can proceed editing didFinishLaunchingWithOptions method to let Swift know what method need to be respond to:

Last step is to implement the isValidAppStoreReceipt() method in the AppDelegate class:

Your app should now be able to check the install source and force exit if it’s an unofficial source (in this example).

Additional Security Measures

Even if you have verified the install source of an app this is just the initial stage of ensuring that only genuine and authorized versions are installed, developers still need to undertake other steps to ensure that their apps are safe. Here are some effective strategies and tools that developers can leverage to enhance security.

Code Obfuscation

Flutter / Dart are typically more resilient against reverse engineering as the code is minified during the compilation (not really obfuscated). It's common to offload sensitive parts of code to domains that can be obfuscated more easily: Java/Kotlin, Swift, and especially C/C++ languages can be obfuscated by ready-made obfuscators.

Code obfuscation remains one of the easiest ways by which one can protect his or her application. Consumer objectives can be achieved using tools such as ProGuard for Android or LLVM Obfuscator for iOS because such tools distort code within the app, making it impossible for an attacker to understand what the app does. While renaming classes, methods, and variables, the work of an attacker significantly becomes more complex, depriving him even an attempt to begin to decompile and adjust the internal functioning of the application.

Another interesting project worth checking out is, that’s based on

dProtect an Android bytecode obfuscator based on Proguard O-MVLL is an obfuscator based on LLVM that uses the new LLVM pass manager, -fpass-plugin to perform native code obfuscation

Runtime Protection and Jailbreak/Root Detection

One must recognize when an app is running in an environment such as a jailbroken iPhone or iPad or a rooted Android device. These devices usually eliminate crucial security components, thus rendering them prone to hacking. There is always the possibility of root and jailbreak detection, so existing applications cannot run within these breeches.

Integrating Security Tools: freeRASP by Talsec

freeRASP (Runtime Application Self-Protection) () refers to an all-inclusive security solution whereby your mobile application can be monitored in real-time. It goes beyond basic checks like jailbreak or root detection by offering a full suite of security features, including:

Integrity Check: Identifies the state or level of modification of the app in order to determine if it has been modified in anyway. Debugging Detection: Recognizes whether in a specific app it is currently being debugged, or, for instance, during reverse engineering. Repackaging Protection: They also shield users against other attackers altering and repackaging their applications. Anti-Hooking: Intercepts and protects against such tool as Frida from injecting their code into the app during its execution. With the help of freeRASP, developers can prevent complex threats, including tampering, reverse engineering, and runtime manipulation. The application is free of charge and comes with powerful addressing security options compared to other powerful addressing security options that can easily be incorporated into existing mobile applications.

Conclusion

It is, therefore, important to consider multiple levels of security when developing applications for the current mobile environment. Verifying install sources is a good start, but by using tools such as freeRASP, runtime protections, and server-side checks, developers can offer a much safer environment for the applications. This shields the users from such applications and possible data leakage and your brand and business from the possible repercussions of a malicious app.

How to test a RASP? OWASP MAS: RASP Techniques Not Implemented [MASWE-0103]

The updates in the OWASP Mobile Application Standard (MAS) for 2025 will incorporate a new MASWE called "RASP Techniques Not Implemented." Let us preview the contributed draft written by Talsec

Overview of "RASP techniques not implemented" weakness

RASP (Runtime Application Self-Protection) encompasses techniques such as root or jailbreak detection, unauthorised code or code execution, malware detection, system state, data logging and data flow. It provides a systematic, organised management approach to securing mobile applications in real time from potential threats.

These techniques:

Ensure that the application flow remains secure and untampered at all times.
Enable applications to detect and trigger responses to threats, such as:
- Warning the user.
- Killing the app.
- Locking access to certain features.

Without RASP implementation, applications remain vulnerable to attacks during runtime. RASP techniques assure that the app continuously monitors both its own state and the device environment to detect threats like malware, root, or integrity issues.

Additional benefits of implementing these techniques might include:

Independent decoupled protection updates.
Remote configuration of security rules.
Threat intelligence gathering.
Fast security incident remediation.
Providing data for security analysis.

Speed and timing of checks is also important and crucial for response times and ensuring no gaps in detection rounds, with control timing checking sensitive steps in the app. Incorporating RASP into an app ensures continuous protection from threats, ultimately minimising risk and improving overall security.

Modes of Introduction

Mobile app security and user security can be disrupted in various scenarios, including:

The application does not comprehensively process information and fails to account for system weaknesses or its own vulnerabilities, potentially leading to breached environment integrity.
Direct reactions to detected threads are not properly executed or integrated into the application’s business logic.
Security rules cannot be effectively defined based on discovered weaknesses, as this approach lacks the broader perspective needed to address all potential threats and ensure comprehensive protection.

Impact

Loss of Control and Monitoring: One of the key advantages of RASP is the ability to continuously control and monitor the mobile app’s state and the device environment in real-time. Without these features, the application may fail to detect or respond to unauthorised modifications, malware presence, or tampering attempts.
Missed Threat Intelligence: Without continuous monitoring, security checks, and data logging, we lose a critical overview of potential threats, making it harder to identify emerging attack patterns and respond to malicious activities effectively.
Loss of Manageability and Updateability of Detection Techniques: Without RASP, applications lose the ability to update security rulesets, reset policies/settings, and adjust risk scoring in older or already released apps.

Mitigation

To enhance the security of your mobile application, implement detection mechanisms that continuously monitor the app's state and device environment.
Implement response actions for detected threats to mitigate potential risks, such as:
- Killing the app,
- Warning the user,
- Logging information about potential risks to the database.
Use third-party solutions, which specialise in threat detection and real-time security monitoring (e.g. ).

How to test "RASP techniques not implemented"

RASP (Runtime Application Self-Protection) is designed to monitor and protect the application during runtime by detecting and responding to threats in real-time. The test verifies if the application can identify and react to malicious modifications, such as code tampering, root or jailbreak environment, and attempts to bypass security mechanisms. It also checks if the application has the ability to protect sensitive data and prevent unauthorised access to critical operations or features.

By conducting this test, we ensure that the app is capable of defending against runtime attacks and maintaining its integrity even in compromised environments. If RASP techniques are not implemented or are improperly configured, the app may be vulnerable to various security threats, including data breaches, unauthorised access, and malicious modifications.

Steps

Ensure that all security checks and protection mechanisms expected from RASP are present and enabled with the application. To test the RASP policy that the app enforces, a written copy of the policy must be provided. The policy should define available checks and their enforcement. For example:
- Root detection.
- Screen lock enforcement.
- Code integrity checks.
- Detection of dynamic analysis.
Based on the previous step, attempt to simulate threats to test if the application reacts as expected. This can involve various scenarios such as:
- Launching the mobile application on a rooted device.
- Launching the mobile application on a device without a screen lock enabled.
- Attempting to repackage the application and launching it.
- Launching the application in an emulator.
Verify that the application properly detects and responds to potential threats. There are various scenarios in which a mobile application can respond to these threats, such as:
- Killing the app.
- Warning the user about the detected threat.
- Logging information about potential risks to a database or SIEM.

Observation

The output depends on the specific reactions set up for the mobile application. The results should demonstrate the app’s behaviour when a threat is detected or triggered, for example:

Application is terminated.
Application displays a warning message.
Application sends information to a database or SIEM. Testers should ensure that the collected threat intelligence data are rich enough.

Evaluation

The test case fails if the mobile application does not react as expected to the detected threats.

written by Martin Žigrai, Tomáš Soukal

Fact about the origin of the Talsec name

Talsec = Talos + Security

Talos, a remarkable figure in Greek mythology, was a giant bronze automaton, crafted either by Hephaestus or Daedalus. His sole duty was to protect the island of Crete, tirelessly patrolling its shores. Circling the island three times a day, Talos would hurl stones at approaching ships to fend off intruders, symbolizing unwavering vigilance and defense.

In essence, Talos embodies constant protection — just like Talsec’s approach to security.

Happy Cybersecurity Month — stay vigilant, stay secure!

Flutter CTO Report 2024: Flutter App Security Trends

Flutter has gained significant traction within FinTech, underscoring the crucial need for robust security measures. The platform’s popularity attracts attention from both app developers and cybercriminals. Flutter’s strong security posture, evidenced by fewer reported vulnerabilities and CVEs, makes it a solid choice for developing sensitive apps.

Flutter Built-in Security

Flutter is more resilient to decompilation than native apps. Its binary packaging offers better protection of code and hardcoded data, although the number of Flutter-specific reverse engineering tools is increasing rapidly, continually broadening the potential threat landscape (e.g., reFlutter, flutter-spy, blutter).

Common Vulnerabilities

Despite its advantages, Flutter apps are not immune to common vulnerabilities:

Privileged Access Issues: Rooting and jailbreak concerns remain prevalent.
Dynamic Attacks: Techniques such as hooking frameworks (e.g., Frida, Xposed) pose significant risks.
App Cloning and Repackaging: Unauthorized duplication of apps is a persistent threat.
TLS Pinning Bypass: Critical for defending against man-in-the-middle attacks.
Session Hijacking and App Impersonation: Compromise user sessions and mimic legitimate apps.
Malware: Leveraging app permissions (accessibility misuse, screen sharing, keyloggers, SMS OTP interceptors, etc.) for malicious activities.

Developer Awareness

Flutter developers must stay informed about security threats and evolving attack vectors across all supported platforms. This demands n-depth expertise and continuous learning, making app security a specialized area within software development.

Essential Security Hardening Measures

In the financial sector, regulators mandate the adoption of a range of security techniques, which can be categorized into three primary areas:

Runtime Application Self-Protection (RASP): Implement client-side measures to monitor and react to integrity and environment compromises.
API Protection: Safeguard against app impersonation using tools like Firebase App Check, attestation services, or API protection SDKs such as AppiCrypt.
Anti-Malware: Detects and mitigates risks posed by malicious apps on client devices.

Basic controls can often be implemented using freemium or community-supported tools. However, advanced enterprise-grade protection typically requires custom development or commercial security solutions.

Advances in Mobile Security Tools for Flutter

The proliferation of app-to-API end-to-end protection solutions (such as App Attestation, AppiCrypt, and AppCheck) is effectively countering the escalating threats from mobileoriented API abuse. These threats encompass App impersonation techniques such as botnets, password enumeration scripts, data scraping, promotional abuse, fake registrations, and phishing campaigns.

However, due to Flutter’s compiled nature, Static Application Security Testing (SAST) tools have not yet reached the level of sophistication seen in native applications. This presents a challenge in maintaining security parity with other platforms. Conversely, the advent of Software Bill of Materials (SBOM) analysis has simplified the examination of third-party dependencies, thus enhancing the thoroughness and effectiveness of security assessments.

Overall, while there are still areas needing improvement, the strides made in mobile security tools for Flutter demonstrate significant potential in safeguarding against complex and evolving threats.

Budget Considerations

App issuers should allocate 20% to 25% of development and maintenance budgets to security features. It’s crucial to recognize that due to the dynamic nature of attack vectors and operating system updates, ongoing maintenance costs for security features may be significantly higher than initially estimated.

Conclusion

Proactive security measures are not just beneficial but essential for app protection in today’s dynamic threat environment. Ensuring comprehensive security requires both strategic investment and dedicated expertise.

Written by Sergiy Yakymchuk (CEO at Talsec)

Detect system VPNs with freeRASP

System VPNs may be used to mask illicit activities, evade compliance controls, or access services from unauthorized regions.

Detecting a running VPN service on mobile devices is critical for security-sensitive applications, as it can indicate potential privacy and security risks. VPNs can obscure the user’s actual IP address and route data through servers potentially under external control, which might interfere with geographical restrictions and bypass network security settings intended to protect data integrity and confidentiality.

Such anonymizing features could be exploited to mask illicit activities, evade compliance controls, or access services from unauthorized regions. FreeRASP checks whether the system VPN is enabled.

Introducing Talsec’s advanced malware protection!

At Talsec, we believe apps should have the option to detect risky environments, including suspicious malware, to ensure no sensitive information is leaked. Let us introduce our advanced in-app malware protection!

https://docs.talsec.app/freemalwaredetection

Active protection against:

Known malware
Ongoing malware campaigns
Counterfeit app clones
Tapjacking
Accessibility Screen readers
Other potentially risky apps

Malware detection capabilities include:

Scanning the device for blocklisted apps
Identifying apps installed from untrusted app stores
Detecting side-loaded apps from unverified sources
Apps requiring risky permissions

Reporting and logging:

Any unwanted findings are reported back to the app
All findings are logged for further analysis and tracking

https://docs.talsec.app/freemalwaredetection

Written by Tomáš Soukal — Security Consultant

Enhancing Capacitor App Security with freeRASP: Your Shield Against Threats 🛡️

In an increasingly interconnected world, the need for robust application security has never been more critical. Capacitor, with its remarkable ability to build cross-platform apps using web technologies, empowers developers to create stunning applications with ease. However, as the capabilities of our apps grow, so does the importance of safeguarding them against a myriad of potential threats.

With a native runtime such as Capacitor, it is fairly easy to turn any web app into native apps for both Android and iOS. You can quickly use the native APIs and access common device functionality, which is awesome, but at the same time, it adds another level of complexity because when you access native APIs, you are imposing yourself to native security issues as well. And trust me, you don’t want to underestimate these challenges.

As a practical example, consider one of the most common security concerns: reverse engineering. Mobile apps are typically distributed in formats like APK (for Android), AAB (Android App Bundles), or IPA (for iOS). These distribution files contain bundled JavaScript code essential for the application’s functionality.

Despite attempts to obfuscate the code through minification and adhering to industry standards like OWASP MASVS (Mobile Application Security Verification Standard), a person with the necessary knowledge can still extract your code with relative ease. There are even utilities like JSTool that can effectively reverse the minification and reveal the original code, potentially exposing sensitive keys and API calls. Afterwards, it’s all in the hands of the attacker.

Successful attacks like these may lead to loss of revenue, exposure of sensitive data, damage to the brand and reputation or leaked intellectual property. And that’s where we want to help you.

What is freeRASP?

Talsec freeRASP is a freemium mobile security SDK designed to make app protection straightforward and accessible. It offers robust protection against a range of threats and is supported on both Android and iOS platforms. freeRASP also provides customized modules for a number of multi-platform tools, now including Capacitor.

From a developer’s perspective, freeRASP acts as an additional protective layer, simplifying the handling of certain attack vectors. This allows you to focus on other critical aspects of your app while safeguarding your users. freeRASP can detect and inform you about various attack scenarios, including reverse engineering, repackaging, cloning attempts, and much more.

Join us as we explore how freeRASP integrates with Capacitor, helping you defend your apps against attacks and vulnerabilities, and ultimately, ensuring your users’ safety. Say hello to enhanced security and peace of mind for your Capacitor apps — let’s dive in.

Why Do You Need RASP?

Mobile app security is a complex challenge that goes beyond traditional security measures like encryption and certificate pinning. Attackers constantly seek vulnerabilities in your app that may not be immediately obvious. A single security breach can have severe consequences for your reputation and user trust.

The need for Runtime Application Self-Protection (RASP) solutions has grown significantly with the rise of mobile technologies. While there are several security libraries available, freeRASP stands out by offering comprehensive protection across various attack vectors.

Based on our experience, a selection of the most common attacks include:

App repackaging and cloning
Re-publishing of tampered apps
Running the App in compromised OS environments (rooted/jailbroken OS, hooking app during runtime, emulators)

freeRASP is designed to detect and mitigate these types of attacks, providing an extra layer of defense against evolving threats.

Integrating freeRASP with Capacitor

Now, let’s dive into the process of integrating freeRASP with the Capacitor platform. You can always find up-to-date integration manual along with detailed description of configuration in our GitHub Integration Guide.

Step 1: Install the Plugin

To get started, install the capacitor-freerasp plugin:

$ npm install capacitor-freerasp
$ npx cap sync

Step 2: Set Up Dependencies

For Android, ensure that your project’s minimum SDK level is set to 23. Update your variables.gradle file accordingly:

ext {
    minSdkVersion 23
    compileSdkVersion 33
    // ...
}

Step 3: Setup Configuration and Callbacks

Import freeRASP in your app’s entry point file:

import { startFreeRASP } from 'capacitor-freerasp';

Configure freeRASP by providing the necessary settings. You’ll need to specify configuration for both Android and iOS, as well as common configuration options. Here’s a sample configuration:

const config = {
  androidConfig: {
    packageName: 'com.yourapp.package',
    certificateHashes: ['yourSigningCertificateHashBase64'],
    supportedAlternativeStores: ['storeOne', 'storeTwo'],
  },
  iosConfig: {
    appBundleId: 'com.yourapp.bundle',
    appTeamId: 'yourTeamID',
  },
  watcherMail: '[email protected]',
  isProd: true,
};

Additional Note About Obfuscation

To enhance security, consider obfuscating your app’s code. Obfuscation makes it harder for attackers to reverse engineer your app and disrupt freeRASP’s operations. You can enable code minification and obfuscation for Android in your build.gradle file:

android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

Security Report

With this weekly summary, you get insights into your app’s security state, including detected threats and device characteristics. By keeping an eye on these reports, you can proactively address security issues before they become too severe and make your app even safer for users. If you are curious how such report looks like, take a look at the screenshot below 👇.

Commercial Versions (RASP+ and More)

While freeRASP offers a robust free version, Talsec also provides commercial versions like RASP+ with advanced features and support. These versions offer additional protection, including API protection, App Integrity Cryptogram (AppiCrypt®), security hardening, and more.

RASP+ allows easy-to-implement API protection and App Integrity verification on the backend to prevent API abuse from:

Bruteforce attacks
Botnets
API abuse by App impersonation
Session-hijacking
DDoS

It is a unified solution that works across all mobile platforms without dependency on external web services (i.e., without extra latency, an additional point of failure, and maintenance costs).

Learn more about commercial features at talsec.app.

Finally, stay protected before it’s too late 😎

If you read through the whole article, thank you. Maybe now it’s time to check out freeRASP. It’s free, so there’s nothing to lose and who knows, maybe it will save you from a couple of sleepless nights.

We’d be happy to read your thoughts in the comments below 👇 or in one of our GitHub repos 📄.

Written by Tomas Psota, developer @ Talsec

Safeguarding Your Data in React Native: Secure Storage Solutions

While there are multiple options when it comes to choosing a library that implements secure storage in React Native, it is crucial to ensure that the data are stored properly and ideally without any known vulnerabilities. At Talsec, we made an effort to go through the most popular packages, so you can get an image of what is on offer.

This article assumes you are familiar with:

How data storage works on native platforms
Android Keystore, Keychain and how they are used

How to approach secure storage challenges?

Recently, the Talsec team started to support React Native by providing the freeRASP and RASP+ SDKs. We are currently exploring ways how we could go even further and are considering to add a secure storage solution that would follow the latest security standards. In order to proceed, we evaluated the existing secure storage options within React Native and seek input from the community to understand your expectations regarding this feature.

We would love to share our findings so far with a brief description of various secure storage packages available for React Native, along with their benefits and potential vulnerabilities:

1. react-native-keychain

✅ Pros: This is a popular package that securely stores sensitive information using the Keychain on iOS and the Keystore on Android. It encrypts data and provides secure storage for confidential data.
⛔️ Cons: While react-native-keychain provides secure storage, it is not immune to all vulnerabilities. The package stores sensitive information, e.g. username and password in clear text in the keychain file, and you can find several concerning issues that are open on GitHub, mentioning that the data from iOS keychain can be retrieved. On top of that, it can only store username/password combination.

2. react-native-encrypted-storage

✅ Pros: react-native-encrypted-storage is another third-party library that offers secure storage for sensitive data. It uses EncryptedSharedPreferences on Android and Keychain on iOS, encrypts data using AES-256 encryption, providing an extra layer of security.
⛔️ Cons: There are some memory leaks detected by Xcode profiler and Keychain is not cleared when your app is uninstalled on iOS — this issue, however, is well documented and can be fixed.

3. rn-secure-storage

✅ Pros: rn-secure-storage encrypts data using AES-256 encryption and securely stores it on the device. Plus, it can store any [key, value] pair.
⛔️ Cons: The implementation uses secure-preferences package to store the data, which is nowadays deprecated and it is encouraged to use EncryptedSharedPreferences from androidx.security instead.

4. react-native-async-storage

Okay, this package doesn’t implement any kind of secure storage and is not intended to store any sensitive data. However, it is still a popular solution for data storage in React Native, prompting us to mention it in this article as well.

✅ Pros: Offers a simple asynchronous storage. It is built on top of the original React Native’s AsyncStorage and provides a convenient API for storing and retrieving data.
⛔️ Cons: The package requires devs to handle encryption of the data on their own, as it stores data in plain text, making it vulnerable to unauthorized access if the device is compromised. We would suggest to avoid using AsyncStorage for sensitive information like passwords or authentication tokens.

Problems with Hardware-Backed Keystores

Although many devices offer hardware-backed keystores, there is a significant number that lacks it. Moreover, certain devices, particularly those running on Android, face challenges with hardware-backed keystores due to manufacturer-provided software. These implementations either fail to function properly or resort to software-backed alternatives. I suggest checking out the list of public resources related to Trusted Execution Environment (TEE). This resource compilation provides valuable information on reverse-engineering techniques and strategies for achieving trusted code execution on ARM devices.

Another important consideration is that although hardware-backed keystores may provide better protection against key extraction, they are still susceptible to runtime attacks, just like software-backed keystores. During runtime, attackers can still access encrypted data stored in the keystore using rooted devices, a repackaged or tampered app, or hooking frameworks.

Therefore, we have concluded that the most effective approach which will mitigate the risk of runtime attacks is a combination of secure storage with RASP-based solution.

Boosting Software-Backed Keystore with RASP

By integrating a software-backed keystore into the RASP (Runtime Application Self-Protection) solutions, we can address two critical aspects simultaneously:

Reliability: The enhanced RASP solution will offer a dependable keystore mechanism that does not rely on secure hardware. This ensures the integrity and protection of cryptographic keys, even on devices that lack hardware-backed security features.
Security: While the keystore itself remains vulnerable to threats like root access and runtime hooks, a closely integrated keystore within RASP can mitigate these risks. It can dynamically determine whether to store or retrieve data based on the current security state of the device.

Through the integration of a software-backed keystore, the enhanced RASP solution provides a comprehensive and reliable approach to data protection, overcoming limitations related to hardware availability and compromised devices.

That’s it!

We hope this summary helps you make an informed decision when considering a secure storage option for your React Native project. But also, we’d be happy to hear your opinion. Would you use a software-based secure storage SDK for React Native that utilizes a hardcoded obscured encryption key?

Please share your experiences, suggestions, and any other secure storage tips. Let’s discuss in the comments below! 👇

Happy coding.

written by Tomas Psota, developer at Talsec

https://talsec.app | [email protected]

🔒 Flutter Plugin Attack: Mechanics and Prevention

Did you know that you can remove plugins dynamically from a Flutter app on Android?

During the implementation of a new feature on freeRASP (more about it ), we noticed that unregistering of plugins is possible using the class. While it may seem unimportant, we decided to push the limits and explore potential attack vectors tthat could lead to the complete disabling of plugins from an external source. As a result, we conducted a small check of the plugin architecture security on Flutter. During this investigation, we discovered what we consider to be a serious problem.

Malicious plugin can remove other plugins at runtime

In Flutter, the class plays a crucial role in managing plugins. The generated GeneratedPluginRegistrant class utilizes it to register plugins, which are then executed during startup. However, you have the flexibility to create your own plugins, acquire plugin instances, and even unregister plugins if needed. Therefore you can create plugin which removes other plugins:

If you have a class reference available, you can also selectively remove specific plugins:

This can even be also achieved directly from your app’s MainActivity on Android (which extends FlutterActivity) without the need for malicious plugin. By leveraging a bit of reverse engineering and code injection (similar to what we discussed in our ), you can achieve this:

How can you secure your app?

You can follow these measures if you want to make sure, that your code is protected againsts such attacks:

🔒 Opt for reputable plugins — Choose well-maintained plugins with a considerable number of likes and positive user feedback.

🔒 Inspect the plugin’s source code — Take a closer look at the codebase for any suspicious lines or potential vulnerabilities.

🔒 Always obfuscate your application — Apply obfuscation techniques to make your app less readable and more obscure.

How do we secure our solution?

We faced the same issue at Talsec (link), while trying to hack our own products + and which are critical security components and should have maximum resilience. Finding at least a partial solution was very important to us. In our RASP solution, (coincidentally) solves this problem.

RASP (Runtime Application Self Protection) Security technique that actively defends application by real-time controlling the security state of the device, integrity of the OS and App.

For context, AppiCrypt is an app attestation tool that protects your API by generating a cryptogram — information about the security state of the device, which is then used in the request header. The backend then checks the cryptogram to determine whether the device is compromised and decides whether to allow or deny the request.

Since the plugin cannot generate a cryptogram (CryptogramFailureException is thrown due to the PlatformExceptionthrown by MethodChannel), the app can be considered untrustworthy. Without a cryptogram, you cannot make network requests backed by AppiCrypt.

Therefore, as a security measure, we can also add:

🔒 Dynamically validate plugin functionality — If the plugin throws a PlatformException, it can indicate that it is unable to communicate with the native side.

While it won’t directly tell you that the plugin has been disconnected, it can give a hint that something unusual is going on.

Stay safe and code with confidence! 💪

Written by Jaroslav Novotný — Flutter developer

Build secure apps in React Native

It is predicted that there will be whopping . With great power comes great responsibility, and every experienced software developer should thrive to follow security standards to ensure that their app is secured against cyber criminals. Technologies like RASP (Runtime Application Self-Protection) are made to shield your app against attacks that occur in the runtime. In this article, we’ll show you a RASP-based security library for your React Native app which can detect a wide range of potential attacks and vulnerabilities.

But it is unlikely that someone is going to mess with my app…

Well, statistically yes. But reality is quite different. When your app is republished or the data of your users are compromised, it’s too late to think about security. Your reputation is now weakened. You are that ‘one in a million’ person that was unfortunate enough. However, if you found this article, then you most likely want to find out how to make your app more secure. And this is a great starting point!

Just to give you an example, one of the most common security risks is reverse engineering. React Native apps are shipped as APK, AAB, or IPA files with the JavaScript code that is bundled with the application. This code can be, with a small effort of a person that knows what he is doing, easily extracted. Although the code is minified, there are utilities like that make it possible to unminify them and reveal your sensitive keys or API calls.

With a hybrid platform like React Native, the development of your application may cost less resources and time. That’s great! Unfortunately, you still have to solve platform-specific problems and focus on security on both iOS and Android. In addition to that, hybrid platforms may introduce new security flaws with adding more complexity to how your app is executed. And you don’t want to ignore them. If you want to keep your app safe, you can follow industry standards, such as .

Our contribution to React Native community

When we started to think about extending our support to React Native at Talsec, we already had with protection for native Android and iOS apps, as well as other frameworks like Cordova and Flutter. The only challenging part was to understand how to create the bridge between native code and JavaScript, which would expose the freeRASP to the consumer, so you don’t have to spend your time messing around with native modules, testing and verification. We did all of this for you and are proud to introduce .

What is freeRASP?

freeRASP is a mobile in-app protection and security monitoring plugin. It aims to cover the main aspects of RASP (Runtime App Self Protection) and application shielding, enabling the app to defend itself against threats. It allows mobile applications to check the security state of the environment they run within, actively counteract attack attempts, and control the integrity of the app.

From the developer’s point of view, freeRASP serves as an extra protection layer that helps you to handle certain attack vectors with ease, while you can aim your focus on other areas. You are also protecting the users of your app as freeRASP is able to detect and take actions if the app is being executed on a rooted or jailbroken device, whether the app is tampered, etc.

freeRASP is designed to combat many significant attack vectors, thus creating an obstacle that prevents your app from intrusion. This gives you a real advantage against other apps which do not protect themselves in any way.

So far so good, but how do I use it?

It’s quite simple, actually. Just follow the 4-step tutorial below. .

Step 1: Install the package

You can add freeRASP the same way as you would with any other package. The plugin is installed via your favorite package manager. With yarn, for example, you can do it like this:

Furthermore, for Android apps you need to modify android/build.gradle to add our maven repository containing freeRASP. iOS requires Pods to run our plugin. Find out more .

Step 2: Configure the freeRASP

This is a place where you set up required fields (package name, signing certificate hashes, bundleId, teamId), which will help freeRASP to detect threats correctly. Don’t forget to add also your email address so you don’t miss your regular security report (more on that later). The configuration might look like this:

Step 3: Set up threat reactions

After a threat is detected, freeRASP fires an event that is consumed by your app. With freeRASP, it’s the developer’s responsibility to configure what should happen after such event is registered. You can for example kill the application, notify the user that a threat has been detected or just ignore the threat. It’s all in your hands. Just create an object that has threat name as a key and function as a value, like it is shown in the example below:

Step 4: Start the freeRASP

Good, all setup is done! The last missing part is to start looking for threats. We provide a custom hook that handles all required logic for you, as is registering and unregistering of the listeners. The hook is a part of the freeRASP package and needs to be imported:

Now pass your config and threat reactions to the imported hook:

The hook will now initialize freeRASP with your configuration and start to look for threats. That’s it!

Additional information

There are the dev and release versions of the library. The dev version should be used only during the development process of the application as it disables some of the checks (e.g. if you would implement killing of the application on the debugger callback). In other cases, you always want to use the release version. On Android, it is handled automatically, whereas, on iOS, the step is a matter of adding a pre-built script into the run phases and embedding a symlink to the correct framework. Do not worry, it is quite easy ;)

freeRASP is available to everyone, free of charge. However, it uses a bridge between JavaScript and native code, which is essentially an additional place that could be exploited. We are able to remove this redundant communication while still keeping your app safe. You can read more in the Enterprise Services section down below.

Example of a security report

This example presents a report of a mid-sized FinTech app:

Summary

The demand for secured apps nowadays is already high and will only increase in the future. Therefore developers should thrive for secure solutions. freeRASP is a tool that can help you to achieve this task. With all its security checks, it can be your good friend and keep you out of trouble. freeRASP is a powerful tool that gives you freedom of choice in how you set up the reactions to detected incidents. What’s more, it is available as a package, which makes the integration pretty straightforward. Don’t forget, freeRASP is available free of charge, why don’t you try it then?

written by Tomas Psota, developer at Talsec

| | Read also |

How to Hack & Protect Flutter Apps — OWASP MAS and RASP. (Pt. 2/3)

OWASP Mobile Application Security guides all phases of mobile app development and testing. The Verification Standard and the Testing Guide will provide you with a security standard and a baseline for mobile app security verification curated by a community dedicated to improving software security. Put in the right RASP suite to get the best passive and active security mix.

Part 1 () ↓

Disassemble app.
Extract its secrets.

Part 2 (this article) ↓

Make a fake clone.
Check every transmitted JSON.
Inject code.

Part 3 () ↓

Steal authentication tokens.
and attack the API.

How to make a fake clone, aka “repackaging attack.”

To create a fake or “cloned” version of an Android app using , you first need to decompile the original app using the apktool d command. This would extract the contents of the app, including its resources, manifest file, and compiled code, into a directory on your computer. Next, you need to make the desired modifications to the app, such as changing its name, icon, or functionality. Once the modifications are complete, you can use the apktool b command to rebuild the app into a new APK file. This APK file would contain the modified version of the app, which you could then install on an Android device.

While you could fiddle with Flutter’s binary libapp.so file, I would just inject code into MainActivity.smali file, which is present in every Flutter Android app. The code used in this file is called smali. You can modify it as you wish. This can be misused to add a custom Activity, paywall, ads, or for credential harvesting. An adversary may be able to load native library containing reusable malware code. In my experience, the injection of hidden malicious native code is actually quite common.

Let’s make some code injections

This is the MainActivy.smali file in a stock Flutter app after being disassembled with apktool:

Example 1: Hello World

This code is a simple ‘Hello, world!’ string written into log.

Example 2: Open browser intent to a malicious website

This code will prompt a user to open the adversary-controlled phishing page.

Don’t reinvent the wheel and follow the standard

Let’s change the side and assume you want to protect your app against such attacks instead. I have great news! There is a standard for that. It’s called OWASP Mobile Application Security (OWASP MAS) which can guide you. It is a comprehensive guide for mobile app security with actionable solutions for many problems.

I should now advise you to visit the OWASP MAS using the link below. But it would also mean I would lose your attention. If you promise that you will return here, you can click it:

MAS Verification Standard (MASVS) will help you to understand something called security levels (L1 Standard Security, L2 Defense-in-Depth, R Resiliency). It will also introduce you to respective categories and their requirements:

MAS Testing Guide (MASTG) holds platform-specific detailed content about all security techniques. Unfortunately, it is targeted at iOS and Android devs and is less beneficial to Flutter devs.

MAS Checklist is a sheet used to check all requirements one by one to ensure nothing was left.

Check every transmitted JSON

JSON attacks, also known as JSON injection, refer to a type of backend web application vulnerability that occurs when user-supplied data is passed through a JSON parser without proper validation or sanitization. This can allow an attacker to inject malicious code into the JSON data, which can then be executed by the application.

To make a JSON attack, an attacker would need to craft a malicious payload that is designed to exploit the vulnerability in the target application. This payload could be included in an HTTP request, hidden in a file, or delivered through some other means. Once the payload is delivered to the application, it would be parsed by the JSON parser and executed, potentially allowing the attacker to gain unauthorized access or perform other malicious actions.

To protect against these types of attacks, it’s important to implement proper input validation and sanitization, as well as keep backend web applications up to date with the latest security patches. Another method to mitigate the JSON injection attack is to ensure that API call comes from a legit client and not crafted by an attacker who may have valid authentication token. Talsec provides the technology to verify client-side legitimacy and integrity. In comparison with the similar Firebase AppCheck technology the can do this with every API call.

Let’s catch some JSON’s!

I will use the tool to break into an app and intercept it’s JSONs. The hacked app will reveal the content of its network traffic in the Burp proxy.

I have chosen an arbitrary automotive app featured on the Flutter homepage. Just imagine that hackers would have discovered a vulnerability in such an app, allowing them to open the car’s trunk remotely. Such scenarios are actively researched nowadays and serve as a reminder of the importance of regularly updating software and maintaining strong security measures to protect against hackers.

Seeing the capabilities of this app makes me wonder what would happen if someone could exploit it. Remote unlock, car horn, remote cameras, car location and other super-sensitive operations can be invoked within this app.

To inspect traffic using the Burp Interceptor proxy, you first need to set up on your computer and configure your testing device to use the Burp proxy. Once Burp is set up, you can use the Interceptor tab to view and manage incoming and outgoing traffic. The Interceptor tab displays a list of requests and responses, along with details such as the URL, method, headers, and payload.

I downloaded the app from my testing device to my computer and reFluttered it:

At this moment, I am able to inspect every request, uncover hidden advertising campaigns, and so on. In general, this opens access to data like:

API architecture
Source URLs
HTTP headers
Bearer tokens
Transmitted data (i.e., JSON)

Shields up! Runtime Application Self-Protection

A plethora of threats can be solved by a potent runtime application self-protection (RASP) library. There are various free solutions, but I have chosen the since it covers most areas, and I also contributed to this library.

Key features are the detection and prevention of root/jailbreak (e.g., unc0ver, check1rain), hooking framework (e.g., Frida, Shadow), untrusted installation method, and App/Device (un)binding.

Speaking of OWASP MAS levels, you would mostly be interested in RASP if your app should be compliant with R-level oriented on resiliency aspects. Actually, many devs integrate freeRASP as a future-proof solution to stay ahead even before their app truly needs R-level. This is something I am really proud of.

I prepared a small demo below showing freeRASP’s checks triggered on a rooted emulator. However, you can process the threat flags as you need. From my experience, the most common way is to show a dialog to warn the user about a tampered app or device and forbid any sensitive operations. I also wrote about freeRASP in this previously.

Actionable steps for app owners

Find out which security level (e.g., L1+R) is recommended for your app:
Try out freeRASP to get fundamental RASP features into your app:

Thank you for reading the second part of this guide. It’s always great to have an interested and engaged reader, and I appreciate your time and attention. I hope the information I’ve provided has been useful and informative! Thank you again for joining me on this journey.

Part 3 of this series will be available soon. Subscribe to Talsec and maybe try to crack-open some Flutter app in the meantime!

written by Tomáš Soukal, Security Consultant at Talsec

freeRASP meets Cordova

Highly recognized freeRASP SDK providing app protection and threat monitoring for mobile devices arrived in the Cordova ecosystem! This article will help you understand runtime application self-protection, explore freeRASP capabilities, and shield your app against threats!

The popularity of the hybrid app development

The popularity of hybrid platforms continues to grow, and companies have adopted them widely. They allow developers the possibility of writing the code once and reusing it on both Android and iOS native platforms. Often, the development of such apps costs less time and resources. Nowadays, there are many popular hybrid platforms (e.g., Flutter, React Native, Ionic, Cordova, or Xamarin).

Hybrid app security and freeRASP

Cross-platform development frameworks, in general, suffer when native platform-specific problems need to be solved and security has to be handled. In addition, hybrid platforms can introduce more specific issues. Sacrificing security to be able to do cross-platform development is a no-go.

“What should the developers do?”

First of all, ensure that the applications follow the standards for mobile app security () for the native parts. Besides security requirements for the architecture, data storage, or network communication, the application should be secured with advanced security solutions such as runtime application self-protection (RASP) to protect against tampering, distribution via an unofficial way or the app being run in a compromised environment.

“But developing such solutions is quite expensive, right?”

Right, it is pretty expensive to develop it in-house. Luckily, there are companies which can handle the problem for you. Moreover, there are !

“What does freeRASP have to do with all of this?”

In the past, we have observed a strong growth in the popularity of Flutter and chose it as our first contact with cross-platform development. We apps and developed a , which has been a great success and the developers’ feedback vastly improved our product.

Since releasing a freeRASP for Flutter, there have been a number of developers asking whether we can support other platforms. While some of them have successfully integrated the native versions with some of the frameworks, there were problems using it with the Cordova framework. We decided to take a closer look and develop an easy-to-integrate plugin to make Cordova developers’ lives easier. And that’s how was born!

freeRASP for Cordova

freeRASP for Cordova is a mobile in-app protection and security monitoring plugin. It aims to cover the main aspects of RASP (Runtime App Self Protection) and application shielding.

It is designed to combat:

Reverse engineering attempts (debugging, running in emulators, hooking)
Re-publishing or tampering with the apps
Running an application in a compromised OS environment (root/jailbreak)
Malware, fraudsters, and cybercriminal activities

“How can I use it?”

It is as easy as doing a minor prerequisite and adding a plugin to the application. Then you rely on freeRASP to protect your app. You can handle any threat that will be detected (e.g. attached debugger to the app) on your own, for example, by killing the application.

As Talsec uses Kotlin and Swift for the implementation of the native side, there is a minor prerequisite which must be done before adding the plugin.

Kotlin must be enabled, and the version must be set up in the config.xml file
A swift support plugin must be added

After that, you can easily add the plugin to your application. After initial importing, you set up an initial configuration (package name, signing certificate hash, bundleId, teamId) to have freeRASP detect some of the threats correctly. You also need to provide a mail address to which will be sent.

Next, you define a threat listener function, in which you can handle the detected threats as you wish, for example, killing the application, notifying the user that a threat has been detected or just ignoring the threat. The threat listener:

freeRASP can be started after the Cordova initialization is completed. The initialization should be done inside the onDeviceReady function in index.js:

As the last step, you need to differentiate the dev and release versions of the library. The dev version is designed not to complicate the development process of the application (e.g. if you would implement killing of the application on the debugger callback). It disables some of the detections. On Android, it is handled automatically, whereas, on iOS, the step is a matter of adding a pre-built script into the run phases and embedding a symlink to the correct framework. Do not worry, it is quite easy ;)

How does it work under the hood?

freeRASP for Cordova is composed of freeRASP and counterparts.

Android

It contains a Gradle file, which contains the dependency for the Android freeRASP repository.

It also contains a TalsecPlugin.kt file, which provides the API to the freeRASP for communication with Cordova. It parses the configuration input given from index.js, registers the threat listener and starts the detection. If any threat occurs, it sends a message back to the index.js to the threatListener function. If any error or incorrect input occurs, it sends back an error message to the index.js.

iOS

It contains built binaries (both Debug and Release versions) of the freeRASP iOS library.

It also contains a bridging header for the Objective-C -> Swift bridge. The TalsecPlugin.swift file is similar to the Android’s TalsecPlugin.kt. Moreover, it uses a static object to preserve the state of the delegate given by Cordova for sending messages.

The iOS version also contains an after_plugin_add script to create a symlink to one of the built binaries (default is Debug) at the correct place. You guessed it right! This is the symlink used in the integration step, which is recreated after changing the Debug <-> Release build of the application.

Cordova

It contains a simple Promise, which passes the configuration from index.js to respective native implementations and returns back a success or error message.

Customisation, demo application and distribution

The plugin is designed to be used easily without the modification of the native parts. The reactions to threats can be modified in the index.js easily in the threat listener, and configuration is also passed from index.js.

However, you can set up the configuration, threat listener and initialisation also from the native parts and not interact with index.js at all, for example, if you would prefer using a “native way” of killing the application.

We have prepared a which integrates the plugin. It shows the state of the threats with simple visualisation: green: OK, red: NOK (a threat happened). The threat listener is implemented in index.js. If a threat is detected, it changes the backgroundColor of the element corresponding to a given threat to red colour.

Except for the , the plugin is also distributed via NPMJS:

Next steps

Security is essential, even though we tend to forget about it when it comes to hybrid platform applications. However, the freeRASP solution is not bulletproof.

In the freeRASP, it’s up to the developer to implement the reaction for the individual threats (e.g., root, debug, simulator, device binding), and because each developer can implement their own logic for detected threats (e.g., step-up authentication, business logic flow modification, killing the application), we need to provide API for the callback, so they can implement their own logic.

The javascript part of the application tends to be more vulnerable to manipulation/injection/tampering, and it would be better to start Talsec in the native part of the code. However, even the reaction on the native side can be easily modified or stripped by an experienced attacker.

We have multiple solutions (pre-configured custom build SDK, in-SDK reactions and killing mechanism, AppiCrypt) in our business solution, preventing precisely those types of attacks. To check out what is the difference between freeRASP and Business RASP+, see this page:

written by Matúš Šikyňa, Developer at Talsec

| | Read also |

Philosophizing security in a mobile-first world

Cybersecurity has been a global problem for several decades. However, we are still in a phase where the exponential growth of security exploits leads to significant financial losses for businesses and individuals.

The size of the cybersecurity market was $3.5 billion in 2004. It is approaching $150 billion in 2021 and is expected to reach USD 352.25 billion by 2026. Regardless of such tremendous investments in this domain, the overall situation with security seems to be getting worse. So why isn’t the vast number of available technical solutions solving the cybersecurity problem?

What is wrong with Cybersecurity?

Ifwe ask an average technologically-minded manager in the security sector, we will get a simple answer. It is due to the low adoption of various brilliant tech solutions available on the market. Maybe… But isn’t this an over-simplified approach?

Suppose we want to radically improve cybersecurity and create a solution to gain mass user adoption. How would we get there? We must elaborate on the subject from different perspectives and go beyond the pure engineering view of security. Why?

One of the obstacles is that engineering-minded people tend to project the confusion in the problem statement onto users and explain the low adoption of security solutions by users’ ‘immaturity.’ On top of that, engineers quite often fall into an observation bias called the streetlight effect.

It is common for engineers to narrow the problem domain to a smaller segment that is more “comfortable” for research. They usually frame a problem, having in mind an “elegant” solution based on a “known” or “proven” technical framework. Meanwhile, the “core issue” may remain in the dark.

Technically minded people hate unclarity and vague problem statements. And it makes sense; we have to admit that otherwise, it is much harder to estimate and commit to the time needed for implementing the solution.

To tackle these problem statement misconceptions, we need to understand the difference between objective security issues and how users experience or perceive these problems. Remember the famous quote by Einstein “If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and five minutes thinking about solutions.” Generally speaking, we can’t just leave the problem statement fully defined by engineering-minded people. We need to make sure that we address the root problems in the security domain and verify if the selected methods are relevant.

The best approach to combat biases and go to the core of the issue is philosophizing. For example, let’s take a closer look at security through the eyes of mobile app users.

Security, Freedom, and Safety

Usually, the word “security” has a positive connotation for engineers. A good solution is a secure solution. Isn’t it so, dear CTOs?

While users often have ambivalent feelings about security, most have just run into too many unpleasant situations due to security measures. Have you ever blocked your payment card by incorrectly typing your PIN several times? Then you probably know how annoying security measures can be.

The core reason that security evokes negative feelings is that security, by definition, implies some limitations on freedom or privacy. It is especially true if an external party has imposed such limits out of our direct control.

NB: We may not realize it but people are quite used to being limited in freedom for the sake of security. For example, most of us were limited in our activities by our parents protecting us from the dangers of the external world. Another example is luggage scans in airports that somewhat intrude on our feelings of privacy.

There is often a “good reason” behind these limits, and it is communicated to users as a tradeoff between security needs and user convenience. But still, we often feel that it is unbalanced and doesn’t work how it should.

NB: Just think for a while how many potentially good online and offline services you have stopped using just because of annoying security measures.

The notion of safety is very close in meaning to security. But safety is subjective, i.e., a person can feel secure, in contrast to security, which is presumed to be a generic and objective concept. This difference explains why safety is perceived much more positively. The conditions leading to feeling safe are individual. Individual safety conditions may even contradict security conditions. And vice versa, security measures can conflict with and harm the feeling of safety. For some people, safety would mean accepting a certain comfortable level of insecurity, taking risks, and relying on self-protection skills. For others, it would mean the delegation of security to a trusted party and sacrificing some portion of personal freedom and privacy.

There is an essential implication in the subjective quality of safety. When we feel safe, it doesn’t necessarily mean we are objectively secure, and threats are absent.

Let’s sum up and list a few conclusions we have come to by now:

Security is not equal to safety; security measures are generic while the conditions of feeling safe are individual;
Security measures could harm the feeling of individual safety when an external entity manages it. In this case, security limits the users’ freedom and privacy that can go beyond the individual comfort zone.
Practically, users desire individual safety but may not have the full picture about security threats;
Engineers usually push generic security but have limited visibility into individual safety preferences and how security measures may impact them;

Both users’ and engineering’s views are influential and should be bridged and reconciled. Though, it is much easier said than done.

Social Contract in the Apps world

Many bright minds and philosophers have tackled the Freedom and Security dilemma from the ancient Greeks till modern times. The concept of the social contract was introduced and elaborated on in the 17th-18th century (Thomas Hobbes, John Locke, Jean-Jacques Rousseau). The social contract is an unwritten rule or agreement within the society that is supposed to balance and regulate the level of acceptable compromise between personal freedom and limitations for security provided by institutions, the state, or ruling classes.

In democratic states, citizens should influence this contract through the election process. Let’s assume for now that this mechanism works fine, and we have some control over the contract… I know some of you might say: it’s imperfect, it has a time lag, it is vulnerable to populism, but it still works, and we’ve got no better mechanism so far.

But what about social contracts in our digital life? We also delegate security to some external entities (consciously or not), don’t we?

Let’s use metaphoric language to highlight the parallels and differences between digital and real-life security in a simple thought experiment.

Though experiment about imaginary Apps world

Let’s imagine people living in the digital world like a historical real-time strategy computer game, where every person is a “natural Intellect-driven” game unit. People are surrounded by wild nature and the circumstances of a middle-age period of human history. A very insecure place to live, isn’t it?

The people organized themselves and came up with a collective defense by creating fortresses in towns and dedicated security institutions. These institutions (like states) provided security services to citizens by building fortifications to protect them from enemies while limiting their freedom by introducing rules and taboos.

NB: Keep in mind that such security institutions always had a tendency to misuse the power of the function that they were delegated (security geeks would call this a bug in the system that leads to “elevation of privilege” due to an issue in the “segregation of rights”)

Initially, citizens could go straight to the marketplace. Now they are forced to go through the main gates, pass through some identity verification process, pay taxes, and so on.

Now let’s upgrade this imaginary world, and let’s say these people live in a Mobile Apps World, where every fortress-town is an App.

NB: It is actually not an oversaturated metaphor since people spend 80% of their average online time in Apps.

In reality, Apps are designed to be executed under the supervision of an operating system in a sandbox environment and isolated from other Apps and processes. In our imaginary App world, the operating system is like a state that governs the fortress towns (Apps).

The same as in real life, the protection of the basic set of citizens’ rights is regulated by such states (operating systems). But the actual level of security inside the fortress (App) is still designed by the fortress owners (App publishers). Let’s call them governors.

NB: There would be two dominant states with quite a different regime in our App world: the iOS Kingdom and Androidian Union.

Inhabitants of such a world can quickly jump over from one fortress to another within the state. They can sell products in the marketplace of eBay, keep their fortune in the Revolut fort, and fall asleep on the dirty streets of YouTube. Just like us.

Safety first not a security

In our imaginary App world, the fortress governors must take security very seriously since it is a matter of life and death in assumed middle-age conditions. Also, they are forced to take their citizens’ safety feelings even more seriously because it directly impacts the growth of the population, which is crucial for the economic success of the fortress-town.

Thus, the more financial resources a town has, the better security measures it can afford. So there is a positive feedback loop from users’ safety feelings to security. It doesn’t work vice versa. More severe security conditions harm the population growth, limiting freedom or causing too much discomfort. This is why it is always “safety first” in our imaginary App world in contrast to “security first” that we are pretty used to in our lives.

This also explains why governors can’t fully delegate the balance between security, freedom, and comfort to their subordinates (neither the army nor merchants ). It is an existential question for a given App that is just too important to be delegated. It is directly linked to the mission and economic model of the App fortress.

NB: Thus in the real world the safety strategy should form the “right” balance between freedom, security, and comfort for a given App. Top management shall define or at least arbitrate it. It can’t fully delegate it to marketing-minded or tech-minded subordinates.

Evidence of security 👁️

These imaginary people of the App world have an advantage over us. They can visually observe the security system of fortresses that they consider entering. They can assess the security of the fortress app by a visual evaluation of the walls, gates, towers, or soldiers’ weapons and armor. These town citizens have the luxury of having an evident reason to trust the fortress app. And these citizens can easily guess how responsible and capable the owner of this town is in terms of security.

NB: In the real world, we usually lack clarity on how an app is secured. We only rely on the app review process of the marketplaces and trust in the given brand. This makes a strong link between trust in the brand and individual safety perception of the App.

Real-world App issuers rarely go the extra mile of guiding users through the security benefits of the app and user safety best practices. So users intuitively extrapolate the overall app UX quality to its security. As a result, any glitch in the App harms the feeling of safety just because users expect that security is at the same or worse level of quality as UX. The visual communication of security features, tips, and warnings could detach the perception of security from the rest of the functionalities. This aspect would be an independent factor of comparison with the competitors in the user’s eyes.

NB: The critical advantage of communicating and visualizing the state of App security is that it can help to bridge the gap between the personal feeling of safety and the actual state of user protection.

Security warnings and tips can be presented to only those users that have flaws in their device protection according to in-App protection controls.

NB: In-App protection is a mobile security technology that allows mobile applications to check the security state of the environment that it runs within, actively counteract attack attempts, and control the integrity of the App. Such technology is also called RASP (Runtime App Self Protection) or App-Shielding.

Let’s take a brief look at the Android security statistics collected from 400K devices of mBanking users (in EU countries). To get a general feeling of what percentage of users would deserve some security-related guidance, i.e., they have some fundamental security issues.

About 21% of users ignore the Screen Lock functionality. It exposes users to the risk of misuse of Apps and data breaches if the device is lost, stolen, or used by kids.
About 38% of users don’t use biometrics (like fingerprint scan), while only 12% (48K out of 400K) don’t have this feature available in their device; biometrics is much safer than a password or PIN. Incidentally, using a biometric lock doesn’t mean that data shared with any app or the device’s backend.
1112 users of 400K (0.28% have Rooted devices.). It means that the App integrity and its isolation sandbox can be compromised either through malware or by the user himself.
381 devices ran the App in a debugger mode, and 151 devices ran an emulator. These all are signals of a reverse engineering attack if they are not in the hands of a legal development team.
226 app instances have signs of app tampering (can indicate that the App was cloned, tampered, republished by an attacker, and a clone was installed).

Develop self-defense skills of users 🛡

Our imaginary governors know very well that an efficient defense should include more elements on top of the army and fortifications. Army and walls can probably protect from brute force attacks by barbarians, but it is much less efficient against traitors (aka fraudulent users in the real world), and can’t help against diseases caused by viruses (aka malware).

Fortress app owners could also realize that involving citizens in security affairs would increase the resilience of the town to large-scale problems while making the citizens more loyal and personally engaged.

That is why in the imaginary App world, governors should be very creative with educational activities, training, or performances explaining critical safety practices like how to detect scams and fraudsters, recognize suspicious activities of strangers, and hygiene rules to prevent epidemics.

So what I am pointing out is that businesses will implement user cybersecurity education and its visualization as an integral part of both the Security Journey and user loyalty programs soon.

NB: Some might say I don’t feel like educating my users about cybersecurity. Yes, it is quite a common view. I guess it was the same attitude among airline management before 1984. Since then, the pre-flight safety briefing has become mandatory and we are all quite used to watching the cabin crew demo every time we are about to take off.

Easiness to report an attack 🆘🕭

Every fortress owner in our imaginary world would need to get alarm messages in case an enemy army approaches his fortress. None of the governors would dare to underestimate this subject. It should be easy for citizens to send a signal, “We are under attack!”. That is why alarm bells are placed on every screen square of the app fortress .

In our real-life FinTech apps, it is bizarre, but the “Report abuse” feature is often well hidden. As if app managers prefer “it’s better not to know” that there is a leak in the hold. The most common approach is “in case of emergency, call the Hotline and enjoy the IVR music” and let the call center sort out the issue.

Many FinTech mobile app issuers would say, “well, we have a modern risk scoring and monitoring system that collects many security signals from the app like location, behavioral data of users, and many more to estimate the risk of fraud.” Indeed, many Apps use risk-based security. But the main problem of risk scoring systems is they suffer from a lack of factual information about ongoing attacks. In other words, they miss the “source of truth” of what attack vectors look like.” Risk scoring logic usually is designed based on the best knowledge of the given security team about potential attack vectors. At the same time, the creativity of cybercriminals has a much higher speed, so attack methods are changing much quicker than risk scoring logic.

On top of that, a significant portion of attacks addresses the weakest link in the security chain — humans. So it is hardly identifiable by automatic signals. So the best we can currently do is detect the scam campaign from user reports and quickly find the appropriate method to prevent it from becoming a large-scale attack.

Collective Cyber Defense

It is known that there is nothing more efficient against a common enemy than an alliance. In our App world, the governors of cities have much more chances of survival in the aggressive middle-age world if they join their efforts, i.e., form an alliance that implements the principles of a Collective Defense. The most crucial element in that collective defense is rapid information sharing about the enemy and how it is attacking.

In our real digital world, the quick distribution of detailed information about exploits is crucial (like malware binaries, scums, and zero-day vulnerabilities). In many cases, ML-driven mechanisms can automatically prevent many problems if they are trained by the “source of truth” information about the attack. Thus every reported attack can make the whole group more resilient.

It brings us to the question of which users would prefer to delegate the surveillance role and to who would they be happy to share the information about attacks? Is it governments, operating system vendors, device vendors, corporations like banks, small app issuers, professional communities, dedicated NGOs, etc.?

Summary

Let’s wrap up the takeaways of App security we touched on during this philosophizing exercise.

Safety first, not security. Safety is about making the “right” balance between freedom, security, and comfort. This topic can’t be fully delegated to marketing-minded or tech-minded middle management since it is a strategic brand development question.
App Security measures need to be visualized and explained for end-users to be perceived as safety elements and not just a security nuisance.
Engaging users in the Security Journey through educational content, gamification, and feedback (report issue), is an efficient way to gain loyalty and prevent many security-related problems.
Attack claims are a vital feature for building countermeasures. It should be simple and intuitive.
Consider joining the AppSec community to benefit and contribute.

Author: Sergiy Ykymchuk

Co-founder of Talsec (.)

Mobile Apps Security Company

P.S.

Startups generally aim to change the world with their Apps and “make an impact” and influence people. The depth of our responsibility determines our actual influence. We are designing and manifesting our future influence by setting the boundaries of responsibility that we take.

5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s

John is the creator of a popular app BetterVision, for the blind and visually impaired. There is a good reason for the over 100K installations John’s creation has achieved. BetterVision can turn a phone’s camera into a powerful assistant easing a daily routine for disabled users worldwide. With success, however, soon came difficulties. John’s app suffered a cloning attack, and his In-App purchases got stolen.

At , we specialize in in-app security. We build RASP (Runtime Application Self-Protection) tools to protect apps against hacking — which, unfortunately, is growing in popularity. In this article, we interviewed Business Owner and senior Android developer John Smith whose app BetterVision got hacked. The interviewee has requested anonymity. We deliberately changed his name to “John Smith” and his brand name to “BetterVision”.

Do not release without protections in-place
Perform sensitive operations server-side whenever possible
Prevent reverse-engineering
Monitor user groups and APK mirroring sites to detect malicious clones
Warn users against using fake clones

My five tips are:

Using time-saving drop-in solutions like Talsec and not messing up security basics pays off. Otherwise, you have to accept losing some percentage of purchases due to hacked clones and take it into account — also financially. I remember an Android security survey that suggested that most apps lack even the most basic obfuscation.

It can sound silly, but the thing is that when you have to choose between delivering functionality and improving security, you should select the first and reckon with the risk. I have heard of companies focused on security so much that they could not develop the functionality needed for business.

To wrap it, what would you recommend to other developers? What five tips would you give to yourself looking back?

My Firebase catches something already, but I would appreciate Talsec’s monitoring as it is more advanced. It would be great to see the collected statistics.

What do you think about Talsec’s Security Monitoring service and threat visualization dashboard?

I had the warning screen displayed in hacked clones that exited the application only to realize users of clones began complaining and giving bad reviews. So, I later reverted it as it wasn’t worth it. However, I believe it’s good to have hidden logging, which can’t be disabled by a hacker easily. That’s what I finally ended up with. The hacked clones still report to my monitoring service as hackers apparently don’t care about that.

Did you apply any mechanism to warn users against using a hacked clone? Did you forcibly terminate the app?

Yes, it would be necessary to add a lot of arbitrary fake reflection calls so that the important ones will be hidden between them. These could also serve as a kind of honey-pot. I would appreciate a plugin that would perform this transformation automatically.

Agreed. The reflection is easily spotted in the code. Do you have any solution in mind?

Obfuscation is of great importance in hiding inner business logic. You can combine obfuscation with the reflection API to hide system calls. Hackers often head for them as these are usually placed close to sensitive operations. With reflection, you turn these calls into strings that are consequently obfuscated. Hackers will not be able to locate them using static analysis. Unfortunately, hackers are aware of this technique, and if you use it only on a few occasions, they can easily guess its meaning.

Do you have some specific protection tips?

It’s a cat-and-mouse game. Hackers always find your protections, so you are forced to evolve your knowledge and update your app. For example, I spread those checks into many places in the app, so they are more likely to forget something untouched.

As I said, the first choice for me was the PiracyChecker as Talsec was not a thing back then. I have learned a lot from experienced Android developers on advanced forums. Things like decentralizing security checks, hiding secrets in a native code, rooting and tampering protection.

What countermeasures did you apply? Where did you learn about possible techniques? Did you get stuck?

The common issue of established RASP libraries is that bypass for the majority of them is already publicly available. I feel the Talsec has a slight edge in this manner, at least for now.

I didn’t have the necessary knowledge at that time. I have added the popular PiracyChecker library (note: Talsec didn’t exist at that time), but hackers still could circumvent it. As I have learned more about protecting Android apps, I have added many protections myself later. Alas, the iOS version of my app still needs to enhance the protection, which falls behind the Android one.

Did you consider products like Talsec RASP or freeRASP?

RASP made by does come as a complete toolbox of security enhancements. Reverse engineering protection can protect your app with many invisible traps that give hackers a hard time. Malware detection, tapjacking prevention, E2E Encryption, mutual TLS setup, online client integrity checks (Attestation), On-line Risk Scoring, API protection, Strong Customer Authentication, embeddable security dashboard, and much more are covered in our enterprise security. for a private meeting!

It’s common to use native code for hiding valuable parts of an application as its decompilation of binary is a much more demanding task. I hide logging and security checks in various places. There’s a high probability a hacker will miss some parts, and you will be able to track malicious activities. A hacker only aims for the functional clone and doesn’t care about making it top-notch in the end.

In theory, the best protection should be layered and spread all around the app. What layers and tricks do you recommend?

Not necessarily; you can change a Proguard’s dictionary. The unfortunate side effect is that Google Play’s review process becomes more time-consuming. The regular one-day review process takes up to 10 days if you change the dictionary, as Google Play scanning is more thorough in such cases. If I need to push hotfixes quickly, I stick with the same dictionary as my previous build.

Is obfuscation the same for all builds?

Finally, strip out any debugging lines. Popular library has one crucial weakness regarding that. Although your Timber tree won’t log in the production build, your debugging code is still in place. A hacker can just turn debugging on for the app, and the logging will be visible again. Creating your logging scheme is also beneficial. Debug and verbose logs are dropped in production, informational logs are written into the local log, and finally, warnings and more severe events are logged to Firebase.

I highly recommend the string obfuscator . It only takes a single annotation @Obfuscate above the class, and you are good to go.

I remember having issues with code obfuscation. In some cases, older versions of Proguard (code obfuscator) obfuscated method parameters but created annotations with original names above them. I haven’t noticed such issues with R8, which ships with Android Studio nowadays.

Could you share any technical insights?

“A hacker only aims for the functional clone and doesn’t care about making it top-notch in the end.”

The Mitigation: How to build a wall

For example, there was a guy from India who even added his own payment system and he charged half the price of the original. He even went to great lengths in protection and used a DexGuard to protect it. We got a hold of his WhatsApp and phone number. We unsuccessfully tried to sue him, but he was out of our legal reach.

Although they don’t usually want to talk to us, there was a white-hat guy who appreciated our work and gave us a few hints as to what we might do better. Apart from that, they only care about adding their own ads and other nasty things.

Did you contact hackers directly? What was their motivation?

Hackers are still active and create new clones. They can often release a clone just a few days after our updates. Unfortunately, we don’t have any way to disable those cracked versions.

Do users still use the hacked version, or did you disable it somehow?

There were also videos on YouTube that contained links to clones. Reporting to Google (Content ID claim) worked well. Google took down the incriminated video within a day. Reporting links to Google Drive with hacked versions was also successful.

Yes. The community was very supportive. Community members send us links to hacked versions. Fans are also sending in recordings of communications with the attackers. We’re tracking it, and we have a whole database full of it.

It seems you like to accommodate the community.

A common tool used for hacking is the app called Lucky Patcher. So I added a detection which caused the app to stop if the user had it installed. It turned out that many people have Lucky Patcher installed, and after an avalanche of complaints by angry users, I reverted this detection.

The first versions contained only basic functionality. In retrospect, I have to say that launching the app without protection was a big mistake. It was only in response to the hacking that the first protection was added, which was a signature check. This stopped cloners and amateurs from using automated repackaging tools for a while. A little later, I also added the string obfuscation.

Could you tell us more about your fight with hackers?

If you find out that you have four times more users on Google Play than on the AppStore and your profits are four times less, something is fishy. Sideloading of cracked apps, simplicity of rooting, and APK modifications are significant drawbacks of the Android platform. iOS protects both users and developers better against such malicious activities. A profitability perspective is much better as users are better used to paying for apps.

Although we haven’t done the math, the financial losses are significant. Because hackers may have disabled the in-app tracking, the actual number of installed cracked clones cannot be determined. Although Android has four times as many users as iOS, profits are four times smaller because of cracked versions being still available.

It was a terrible feeling considering I used to develop it in my spare time for almost no profit initially. The application fee was only enough to cover the costs. Later, we invested a fair amount of money for performant Amazon servers used for machine learning.

What were the consequences and the financial impacts of this hacking?

I think that some users were resourceful and hacked the app themselves by removing Google Play Billing Library in-app purchases. As long as they were doing it for their own use, I didn’t even mind.

Users themselves reported finding illegal copies, which started popping up on Telegram and WhatsApp groups. Anyone could grab those APKs and install them. Paid users were upset.

When was the first time you noticed something was not alright?

“Although Android has four times as many users as iOS, profits are four times smaller because of cracked versions being still available.”

The Hack: BetterVision got caught naked

We immediately had positive feedback from users after the release. We were amazed that users even switched from a competing app to us. We made it into newspapers and TV in the homeland thanks to great help from local organizations. We recruited ambassadors from the ranks of users in foreign regions.

Getting early-stage traction was surprisingly easy thanks to the strong disabled communities in which our app quickly gained attention. Users recommended the app to each other, especially coaches for disabled people, who took the initiative and spread the word among clients.

How did you acquire your first users?

Oftentimes, in reality, it is not possible to host valuable assets from the cloud safely, and you must put them into the app.

Finally, ease of use and accessibility required offline operation because users don’t always and everywhere have a good network connection. One of the cornerstones and our know-how are computer vision models using machine learning. These have to be a static part of the application since users might have issues if they were hosted on the cloud. It is one of the misconceptions many developers have. They believe they can secure everything by putting it server-side. Oftentimes, in reality, it is not possible to host valuable assets from the cloud safely, and you must put them into the app.

The idea wasn’t novel as there already were similar solutions by renowned companies. We kicked off with only basic features at the beginning focusing on accessibility. Not only we thoroughly tested eyes-free usage in the app but also accompanying web and brochures. I regularly tested it myself, covering my eyes with my hand.

The idea came from a disabled friend. Together we realized this is a widespread issue which many disabled people face. Similar solutions already existed but were insufficient (school projects) or with poor accessibility optimizations.

BetterVision is a unique app in its category, right? What inspired you to make it? Could you tell us more about its early development?

Oftentimes, in reality, it is not possible to host valuable assets from the cloud safely, and you must put them into the app.

How did you acquire your first users?

The Hack: BetterVision got caught naked

“Although Android has four times as many users as iOS, profits are four times smaller because of cracked versions being still available.”

When was the first time you noticed something was not alright?

Users themselves reported finding illegal copies, which started popping up on Telegram and WhatsApp groups. Anyone could grab those APKs and install them. Paid users were upset.

I think that some users were resourceful and hacked the app themselves by removing Google Play Billing Library in-app purchases. As long as they were doing it for their own use, I didn’t even mind.

What were the consequences and the financial impacts of this hacking?

Could you tell us more about your fight with hackers?

It seems you like to accommodate the community.

Do users still use the hacked version, or did you disable it somehow?

Hackers are still active and create new clones. They can often release a clone just a few days after our updates. Unfortunately, we don’t have any way to disable those cracked versions.

Did you contact hackers directly? What was their motivation?

The Mitigation: How to build a wall

“A hacker only aims for the functional clone and doesn’t care about making it top-notch in the end.”

Could you share any technical insights?

I highly recommend the string obfuscator . It only takes a single annotation @Obfuscate above the class, and you are good to go.

Is obfuscation the same for all builds?

In theory, the best protection should be layered and spread all around the app. What layers and tricks do you recommend?

Did you consider products like Talsec RASP or freeRASP?

The common issue of established RASP libraries is that bypass for the majority of them is already publicly available. I feel the Talsec has a slight edge in this manner, at least for now.

What countermeasures did you apply? Where did you learn about possible techniques? Did you get stuck?

Do you have some specific protection tips?

Did you apply any mechanism to warn users against using a hacked clone? Did you forcibly terminate the app?

What do you think about Talsec’s Security Monitoring service and threat visualization dashboard?

My Firebase catches something already, but I would appreciate Talsec’s monitoring as it is more advanced. It would be great to see the collected statistics.

To wrap it, what would you recommend to other developers? What five tips would you give to yourself looking back?

My five tips are:

Do not release without protections in-place
Perform sensitive operations server-side whenever possible
Prevent reverse-engineering
Monitor user groups and APK mirroring sites to detect malicious clones
Warn users against using fake clones

written by Tomáš Soukal, Mobile Dev and Security Consultant at Talsec

Missing Hero of Flutter World

Flutter is a beautiful framework for building pretty and natively compiled mobile, web, and desktop applications. Thanks to its simplicity and developer-friendly way of building applications, it’s gaining popularity around the world. However, with great power comes great responsibility. As unlikely as it seems, Flutter applications face the same issues as their native siblings — security attacks.

Should I care about security?

The answer is yes, you should. Security engineering should always be your first step. The moment you take your development more seriously, security becomes your top concern. Whether you develop a simple attendance app or a demanding health, FinTech, or automotive application, you shouldn’t make any concessions in security, especially if you deal with personal data and/or finance transactions.

But I have heard Flutter apps aren’t susceptible to attacks or what?

You could argue that reverse engineering of Flutter apps is not being done very often, and even if it is done, it’s complicated to get something. Your production build is compiled without debugging symbols, and compiled apps are usually harder to crack. Well, that’s true, for now. But first of all, this approach is nothing short of a hide and seek game — you will be caught, and time is playing against you. And second of all, complicated does not mean impossible.

Based on our experience, the following attacks are already possible:

App repackaging and cloning
Re-publishing of tampered apps
Running the App in compromised OS environments (rooted/jailbroken OS, hooking app during runtime, emulators)
Overlay and Cloak&Dagger attacks
Misuse of Accessibility Services
Stealing of hard-coded secrets

A common sign of intrusion on mobile devices is the presence of a root user. A root can do pretty much anything in the system. If we let our Flutter application work normally on a rooted device, we expose it to a possible attack/security breach just because the device’s state is compromised.

Applications need shields and swords to defend themselves — they need RASP (Runtime Application Self-Protection).

In Talsec, we noticed that RASP solutions at that time were not in good condition. We decided to do it our own way. And that’s how freeRASP was born — created to protect Flutter applications conveniently.

How does freeRASP for Flutter differ from its native siblings?

Cross-platform development frameworks, in general, suffer when platform-specific problems need to be solved. Sacrificing security to be able to do cross-platform development is a no-go. We already had experience with both native Android and iOS platform protection. The only question was how to do it for Flutter.

Luckily, in Flutter, you can expose native APIs. If you want to expose native API or implement a platform-specific library, you have to do the implementation for each platform separately. This means you have to understand the specifics of each platform — from low-level coding to system architecture specifics. You have to write a glue code between the native and Flutter side and some API to reuse implementation in other projects. Finally, you have to do tons of testing and verification. In a nutshell — long, cumbersome and exhausting process.

We decided to overcome this gap for you — we created freeRASP for Flutter. Our team did all the work you would typically need to do and shipped it to a pub.dev.

What was the result?

This had many positive effects:

made Flutter safer for everyone
contributing to the Flutter community by adding a plugin to pub.dev, which led to…
getting closer with the Flutter community so that we can listen to any opinion and making our product even better

We wanted to make Flutter safer because we saw its potential. The fast world needs fast development — that’s what Flutter does perfectly well. We also want to help Flutter grow so that more people can appreciate its advantages and raise awareness about security between Flutter developers. freeRASP is a real game-changer. The developer gets a nice and tidy plugin, and the user receives a secure application.

Okay, but how do I use it in my app?

Implementation of freeRASP for Flutter is pretty simple. After initial importing, you just set up some initial configuration and callbacks. And that’s it!

From now on, freeRASP has your back covered and makes reports for you, so you have an overview of your application security. Make sure you accept an email confirmation request from the system to be able to receive these reports.

Example of security report

This example presents a mid-sized FinTech app:

You can find freeRASP for Flutter plugin on pub.dev. There is also a step-by-step guide to help you with implementation. If you like our plugin, don’t forget to give it a like.

Summary

Security is essential, even though we tend to forget about it when it comes to cross-platform applications. freeRASP provides a plugin for Flutter that solves this problem, and it’s easy to use. So what are you waiting for?

Useful links

If you want to know more about freeRASP, don’t forget to bookmark these links:

Medium — article about freeRASP’s features
GitHub repository — main repository containing all necessary information
pub.dev — Flutter plugin
About freeRASP in general: https://medium.com/geekculture/freerasp-in-app-protection-sdk-and-app-security-monitoring-service-de12d8e49400

written by Jaroslav, Flutter developer at Talsec

OWASP Top 10 For Flutter – M4: Insufficient Input/Output Validation in Flutter

Welcome back to our deep dive into the OWASP Mobile Top 10, explicitly tailored for Flutter developers. In our last article, we tackled M3: Insecure Authentication and Authorization, exploring how lapses in identity and permissions checks can lead to serious breaches.

Today, we shift gears to M4: Insufficient Input/Output Validation, arguably one of the most pervasive and deceptively simple risks in any application. Last year, a popular finance app accidentally let users paste SQL payloads into its search bar, wiping out months of user data overnight. That’s the exact kind of risk M4 warns us about.

Even the most bulletproof authentication logic can be undone instantly if your app blindly trusts data crossing its boundaries. In a typical Flutter project, you’re juggling form inputs, HTTP APIs, deep links, platform channels, and WebViews, each a potential entry point for malformed or malicious data.

Over the following sections, we’ll define what OWASP means by “Insufficient Input/Output Validation,” and arm you with practical Dart and Flutter examples to lock down every trust boundary. Let’s dive in!

Understanding M4: Insufficient Input/Output Validation

Picture your Flutter app as a fortress. In our M3 discussion, we built high walls around identity and sessions, but what about the gates where data flows in and out? M4 is all about guarding those gates.

When OWASP talks about M4: Insufficient Input/Output Validation, they mean two complementary practices:

Input Validation: Checking every piece of incoming data (user input, API responses, deep links, messages from native code) to ensure it matches the exact shape and constraints you expect.
Output Sanitization: Cleaning or encoding data before it leaves your app (when you render it in the UI, send it back to a server, or hand it over to native code), so no hidden threats slip through.

Think of input validation as inspecting every carriage entering the fortress, no weapons, no stowaways. Output sanitization is like searching messengers before they depart, ensuring they carry no secret orders for sabotage.

Common trust boundaries in a Flutter app include:

Forms and TextFields where users type data
HTTP requests and responses from your backend
Deep links or app links that jump into specific screens
Platform channels bridging Dart and native code
WebViews or HTML renderers showing rich content

If any of these gates is left unchecked, attackers can inject SQL commands, sneak in scripts for XSS, manipulate file paths, or corrupt data. OWASP 2023 Mobile Top 10 ranks these flaws as COMMON with SEVERE impact, meaning they happen frequently and can cause real damage.

Our goal in the following sections is to ensure that both checkpoints, validation, and sanitization are rock-solid so that malicious data can neither reach the heart of your app nor escape it.

How Validation Flaws Manifest in a Flutter or Dart App

This section explores four common patterns of M4 failures, explains why they’re dangerous, and provides clear examples of how to fix them. While many examples focus on the Flutter frontend, the principles apply equally to Dart-based backends. Once you understand the underlying issues and solutions, use them wherever needed in your Flutter and Dart codebases.

1. Insufficient Input Validation

Every time your app accepts free‑form data, from a search box to a deep link, it’s like inspecting every carriage at your fortress gate: "Every carriage must be searched for hidden weapons". Attackers can turn that innocent-looking bundle into a weapon if you let any unchecked item slip through.

A. SQL Injection in Local Databases

Imagine a simple search field wired straight into your SQLite database:

// BAD: trusts user input directly in SQL
Future<List<Map<String, dynamic>>> findUsers(String name) async {
  return await db.rawQuery(
    "SELECT * FROM users WHERE name = '$name'"
  );
}

An attacker typing:

Robert'); DROP TABLE users;--q

won’t see search results; they’ll crash your app and delete your users table. Local stores often hold sensitive profiles, tokens, or settings so that a single flawed query can expose or wipe everything.

A safer approach is to parameterize the query and allow‑list any dynamic parts:

const allowedCols = ['name', 'email'];
if (!allowedCols.contains(sortColumn)) {
  throw Exception('Invalid sort column');
}

final rows = await db.rawQuery(
  'SELECT * FROM users WHERE name = ? ORDER BY $sortColumn DESC',
  [name]
);

Here, the ? placeholder keeps the user’s input separate from SQL code, and we verify sortColumn against a known list instead of concatenating it blindly.

B. Command Injection via Platform Channels

When Dart invokes native scripts, the stakes are just as high. Suppose you do:

// BAD: hands raw user input to native exec
await platform.invokeMethod('runScript', {'path': userInputPath});

If the native side executes:

Runtime.getRuntime().exec("sh " + path);

then an input like:

/tmp/myscript.sh; rm -rf /

could run arbitrary shell commands. Treat the Dart–native boundary like another untrusted gate: check the path’s pattern before you send it:

final path = userInputPath;
if (!RegExp(r'^[\w\/\-]+\.sh\$').hasMatch(path)) {
  throw Exception('Invalid script path');
}
await platform.invokeMethod('runScript', {'path': path});

And remember: always repeat similar validation in your native code too—never let Dart’s checks be the only line of defense.

C. Deep‑Link Parameter Poisoning

Deep links let you jump straight to a payment screen or a product detail page, but they also open a backdoor if you trust their parameters blindly:

// BAD: assumes valid numbers and names
final amount = double.parse(uri.queryParameters['amount']!);
processPayment(amount, uri.queryParameters['to']);

An attacker could send:

myapp://pay?amount=0;DELETE%20FROM%20payments&to=Evil

or a non‑numeric string, crashing your parser or injecting malicious data.A safer flow is to parse, validate, and then sanitize:

final amtParam = uri.queryParameters['amount'] ?? '';
final amount = double.tryParse(amtParam);
if (amount == null || amount <= 0 || amount > 1e6) {
  return showError('Invalid payment amount');
}

final to = uri.queryParameters['to'] ?? '';
if (!RegExp(r'^[A-Za-z0-9_ ]{1,32}\$').hasMatch(to)) {
  return showError('Invalid recipient');
}

processPayment(amount, to);

You can even write integration tests or run a MITM proxy (like Charles) to feed malformed links and ensure your app rejects them cleanly.

D. Syntactic vs. Semantic Validation

It’s not enough to check format (“can this parse?”); you must also check the meaning (“does it make sense?”). For example, validating date ranges:

DateTime parseDate(String s) {
  try {
    return DateTime.parse(s);
  } catch (_) {
    throw FormatException('Use YYYY-MM-DD format');
  }
}

void validateDateRange(String start, String end) {
  final s = parseDate(start);
  final e = parseDate(end);
  if (s.isAfter(e)) {
    throw Exception('Start date must come before end date');
  }
}

Here, parsing ensures you won’t crash on invalid text; comparing dates enforces your business rule.

E. Unicode Normalization & Safe Character Sets

Free‑form text can include emojis, accents, and look‑alike characters. Normalize it so that “é” is always one code point, then allow only expected character classes:

import 'package:characters/characters.dart';

String normalize(String input) => input.characters.toString();

bool isValidComment(String input) {
  final text = normalize(input);
  final safe = RegExp(r"^[\p{L}\p{N}\s\.,!?'\-]+\$", unicode: true);
  return safe.hasMatch(text);
}

This prevents hidden control codes or bypasses that sneak past naive filters.

F. Avoiding Regex Denial‑of‑Service

Complex regex patterns with nested quantifiers can lock up your UI if an attacker feeds crafted input. Always anchor and simplify:

// BAD: catastrophic backtracking
final badRegex = RegExp(r"^(a+)+\$");

// GOOD: explicit length, no nested quantifiers
final safeRegex = RegExp(r"^[A-Za-z0-9]{1,32}\$");

Test any new regex against long, repetitive strings in a small Dart script to confirm it completes in milliseconds.

G. Client‑Side File Upload Validation

If your app lets users pick images or documents, don’t send them straight to the server:

Extension allow‑list: .jpg, .png, .pdf
Size limit: e.g., 5 MB
Content sniffing: verify it really is an image or PDF
Rename to a safe, server‑controlled filename

import 'dart:io';
import 'package:path/path.dart' as p;
import 'package:image/image.dart' as img;

Future<File> prepareUpload(File file) async {
  final ext = p.extension(file.path).toLowerCase();
  if (!['.jpg', '.png'].contains(ext)) {
    throw Exception('Only JPG/PNG images allowed');
  }
  if (await file.length() > 5 * 1024 * 1024) {
    throw Exception('Image must be under 5 MB');
  }
  final bytes = await file.readAsBytes();
  if (img.decodeImage(bytes) == null) {
    throw Exception('File is not a valid image');
  }
  final safeName = '${DateTime.now().millisecondsSinceEpoch}$ext';
  return file.copy(p.join(p.dirname(file.path), safeName));
}

H. Canonicalize Before You Validate

Attackers often use percent‑encoding or Unicode variants to slip past allow‑lists. Always decode into one canonical form, then apply your checks:

// Suppose you get a percent‑encoded name
final rawName = uri.queryParameters['user'] ?? '';
// 1. Decode percent‑encoding
final decodedName = Uri.decodeComponent(rawName);
// 2. Normalize Unicode
final normalized = decodedName.characters.toString();

// 3. Apply your allow‑list
final namePattern = RegExp(r'^[A-Za-z0-9_ ]{1,32}\$');
if (!namePattern.hasMatch(normalized)) {
  return showError('Invalid user name');
}

%2e%2e vs ..: Without decoding, RegExp(r'^[\w\-]+\$') might miss a path‑traversal attack.
Mixed‑width Unicode characters can hide dangerous sequences if you validate on raw code units.

Making canonicalization the first step of every validation routine ensures your regex and length checks see the actual data, not a cleverly encoded variant.

I. NoSQL / GraphQL Injection

While SQL injection is well‑known, modern apps often talk to NoSQL stores or GraphQL endpoints. Unvalidated inputs in query objects or GraphQL queries can let attackers manipulate filters or execute unauthorized queries.

// BAD: builds a Firestore query from untrusted map
final filter = jsonDecode(userJson);
final snapshot = await FirebaseFirestore.instance
    .collection('orders')
    .where(filter['field'], isEqualTo: filter['value'])
    .get();

To fix it, allow‑list field names and validate types before constructing queries:

const allowedFields = ['status', 'customerId'];
final field = filter['field'];
if (!allowedFields.contains(field)) {
  throw Exception('Invalid query field');
}
final value = filter['value'];
// ensure the right type, e.g. String or int
if (value is! String && value is! int) {
  throw Exception('Invalid query value type');
}
final snapshot = await FirebaseFirestore.instance
    .collection('orders')
    .where(field, isEqualTo: value)
    .get();

Beyond filter injections, be cautious when dynamically building Firestore document paths based on user input. If you let users control path segments like userId, projectName, or orderId without validation, they might access or overwrite data that doesn't belong to them, especially if your Firestore rules are too broad.

// BAD: user controls Firestore path
final doc = FirebaseFirestore.instance.doc('projects/$inputProjectId');

An attacker could craft inputProjectId as ../../admins/root, possibly navigating out of bounds or triggering unexpected rules behavior. The fix is to validate all Firestore path components explicitly.

final id = inputProjectId;
if (!RegExp(r'^[a-zA-Z0-9_-]{1,28}$').hasMatch(id)) {
  throw Exception('Invalid project ID');
}

Avoid path control characters like / or . unless absolutely necessary. Firestore treats document and collection paths as part of its access control model, so a poorly validated string can become a security bug.

J. JSON Schema Validation

While you can create your own JSON validator, using a package might work for you too. For complex payloads, embed a JSON Schema validator to enforce structure:

import 'package:json_schema/json_schema.dart';

final schema = await JsonSchema.createSchema({
  'type': 'object',
  'properties': {
    'userId': {'type': 'string'},
    'age': {'type': 'integer', 'minimum': 0},
  },
  'required': ['userId', 'age'],
});

void handlePayload(Map<String, dynamic> data) {
  final errors = schema.validateWithErrors(data);
  if (errors.isNotEmpty) {
    throw Exception('Payload validation failed: \$errors');
  }
  // proceed safely
}

All in all, there is one thing I want to emphasis again.Client‑side vs. Server‑side ValidationAll these checks in your Flutter app are essential for immediate feedback, but they can be bypassed by a determined attacker (e.g., by intercepting traffic with a proxy).Always replicate critical validation rules on the server before processing or storing any data. Use client‑side validation for a smooth UX, but enforce the same strict type, format, length, and semantic checks in your backend to guarantee security. Here is the referece to read more.

2. Insufficient Output Sanitization

Even if input is clean, output can become dangerous when sent to contexts that interpret it, particularly HTML, CSV, or logging systems.

A. XSS in WebView

Loading unfiltered HTML is a direct path to script execution:

// BAD: runs all `<script>` tags in userHtml
_webViewController.loadHtmlString(userHtml);

Instead:

Sanitize HTML before loading:

// Use a sanitization library like html_unescape or sanitize_html
// import 'package:html/parser.dart' as html;

final cleanHtml = sanitizeHtml(userHtml);

Disable JavaScript if possible:

_webViewController
  .setJavaScriptMode(JavaScriptMode.disabled)
  .loadHtmlString(cleanHtml);

Whitelist tags and attributes if JS is needed.

B. CSV Injection

If you export user data into a CSV, spreadsheet apps may treat cells starting with = or - as formulas:

name, comment
Alice,=cmd|' /C calc'!A0

To prevent this, prefix dangerous cells with a single quote:

String escapeCsv(String field) {
  if (field.startsWith('=') || field.startsWith('+') ||
      field.startsWith('-') || field.startsWith('@')) {
    return "'\$field";
  }
  return field;
}

C. Unsafe URL Generation

When building query URLs:

// BAD: manual concatenation
final url = 'https://api.example.com/search?query=' + userInput;

Always use Dart’s Uri helpers:

final uri = Uri.https(
  'api.example.com',
  '/search',
  {'query': userInput},    // automatically percent‑encoded
);

With unsafe outputs now neutralized, let’s turn next to how context shapes what “safe” really means.

3. Lack of Contextual Validation

A string that’s safe in one scenario might be fatal in another. Context is king.

A. File Path Traversal

// BAD: naive path construction
final path = "\${appDir.path}/\$fileName";
File(path).readAsString();

If fileName is ../../etc/passwd, you could read system files (on rooted devices).A safe pattern:

import 'package:path/path.dart' as p;

final safeName = p.basename(fileName);
if (!safeName.endsWith('.txt')) {
  throw Exception('Only .txt files allowed');
}
final safePath = p.join(appDir.path, safeName);
File(safePath).readAsString();

B. Dynamic UI Generation

If you let the server send widget definitions as JSON, a malformed request could crash your app or introduce logic flaws. Always validate the JSON schema before mapping it to widget code. Check "JSON Schema Validation" section to learn more how you can do that.

C. Accessibility & Localization

Don’t forget to validate user inputs for different locales (dates, numbers) and ensure error messages and validation cues are announced via Flutter’s accessibility widgets (e.g., `Semantics`, `SnackBar`) so all users get clear, localized feedback.Here is an example for inspiration.

import 'package:flutter/material.dart';
import 'package:intl/intl.dart';

class LocalizedForm extends StatefulWidget {
  @override
  _LocalizedFormState createState() => _LocalizedFormState();
}

class _LocalizedFormState extends State<LocalizedForm> {
  final _formKey = GlobalKey<FormState>();
  DateTime? _pickedDate;

  @override
  Widget build(BuildContext context) {
    // Choose a locale, e.g. Norwegian
    final dateFormatter = DateFormat.yMMMMd(
      Localizations.localeOf(context).toString(),
    );

    return Form(
      key: _formKey,
      child: Column(
        children: [
          // Date input with locale‑specific parsing
          TextFormField(
            decoration: InputDecoration(
              labelText: 'Dato (${dateFormatter.locale})',
            ),
            keyboardType: TextInputType.datetime,
            validator: (value) {
              if (value == null || value.isEmpty) {
                return 'Please add a date'; // localized error
              }
              try {
                _pickedDate = dateFormatter.parseStrict(value);
              } catch (_) {
                return 'Bad datoformat'; // localized error
              }
              print('_pickedDate $_pickedDate');
              return null;
            },
          ),

          SizedBox(height: 20),

          ElevatedButton(
            onPressed: () {
              if (_formKey.currentState!.validate()) {
                // Announce success via accessibility
                ScaffoldMessenger.of(context).showSnackBar(
                  SnackBar(
                    content: Semantics(
                      label: 'Send',
                      child: Text('Send'),
                      liveRegion: true,
                    ),
                  ),
                );
              }
            },
            child: Text('Send'),
          ),
        ],
      ),
    );
  }
}

4. Failure to Validate Data Integrity

Even well‑formed and properly encoded data can be altered once stored or cached. You must verify it hasn’t been tampered with.

A. SharedPreferences Flag Tampering

import 'package:crypto/crypto.dart';
import 'dart:convert';

String computeHmac(String value) {
  final key = utf8.encode('APP_SECRET_KEY');
  return Hmac(sha256, key).convert(utf8.encode(value)).toString();
}

// Saving:
prefs.setString('isAdmin', 'false');
prefs.setString('isAdmin_hmac', computeHmac('false'));

// Reading:
final val = prefs.getString('isAdmin')!;
final mac = prefs.getString('isAdmin_hmac')!;
if (computeHmac(val) != mac) {
  // graceful fallback instead of crash
  print('⚠️ Data integrity check failed, reverting to secure default');
  return false;
}

B. Verifying Remote Config or Assets

If you download a JSON config or an asset at runtime (for feature toggles, theming, etc.), use a signature or checksum provided by your server. After download:

Compute the SHA‑256 of the payload.
Compare it against the checksum you received over a secure channel.

If they don’t match, reject the payload and fall back to defaults.Now that we’ve secured every gate for inputs, outputs, and stored data, it’s time to adapt these defenses to platform‑specific rules.

Platform‑Specific Nuances

Even though Flutter gives us a single codebase, Android and iOS (and Windows, Web, macOS, and Linux) enforce different rules under the hood. Your validation strategy must account for those differences.

1. File System & Sandbox

iOS: Apps live in a strict sandbox. Even if you allow ../ in a filename, iOS will block access outside your container.
Android: Modern Android uses scoped storage, but if you request legacy or external‑storage permissions, a path‑traversal attack can hit shared directories.

To mitigate:

Always use path_provider to get the correct app directory.
Normalize and strip directory parts with path.basename().
Target-scoped storage on Android and avoid broad storage permissions unless absolutely necessary.

2. Intents & URL Schemes

Flutter plugins like uni_links or receive_sharing_intent let you handle incoming data:

// Example using uni_links
void _handleIncomingLink(Uri uri) {
  // OS guarantees correct scheme, but query params remain untrusted
  final action = uri.queryParameters['action'] ?? '';
  if (!['view', 'edit', 'share'].contains(action)) {
    return _showError('Unknown action');
  }
  // Process only after validating every parameter
}

Tip: On Android, set android:autoVerify="true" in your AndroidManifest.xml to reduce phishing via fake intents, but Dart-side validation remains essential.

3. WebView Differences

Android WebView (Chromium-based) lets you disable file access and set Safe Browsing flags, but enabling JavaScript will run any script in loaded HTML.
iOS WKWebView respects Content Security Policies if you inject them, but will execute JavaScript if enabled.

Secure WebView setup for both platforms:

_webViewController
  .setJavaScriptMode(JavaScriptMode.disabled) // Turn off JS if possible
  .setBackgroundColor(const Color(0x00000000))
  .loadRequest(Uri.parse('https://trusted.domain'));

If you must enable JavaScript (e.g., for interactive widgets):

Sanitize the HTML.
Restrict JS bridges (JavaScriptChannel on Android, message handlers on iOS) to known methods.
Clear cache and data on logout to remove leftover scripts or cookies.

4. Native Code & MethodChannels

Platform channels let Dart talk to Kotlin/Java or Swift/Objective-C, another trust boundary that needs validation on both sides.

// Dart side (GOOD)
final result = await platform.invokeMethod('getConfig', {'key': configKey});
if (result is! String || result.length > 256) {
  throw Exception('Invalid config from native');
}

On the Kotlin side:

// Android native (Kotlin)
MethodChannel(flutterEngine.dartExecutor.binaryMessenger, "app/config")
  .setMethodCallHandler { call, res ->
    val key = call.argument<String>("key") ?: run {
      res.error("BAD_KEY", "Missing config key", null)
      return@setMethodCallHandler
    }
    if (key.isEmpty() || key.length > 64) {
      res.error("BAD_KEY", "Invalid config key", null)
      return@setMethodCallHandler
    }
    res.success(loadConfig(key))
  }

Use Pigeon to auto‑generate type-safe stubs and eliminate a whole class of runtime type errors.

By understanding sandbox models, intent handling, WebView quirks, and native bridges, you can tailor your validation strategy to close every gap.

Completing OWASP’s Prevention Checklist

OWASP’s “How Do I Prevent M4?” is built on these six pillars. So far, we’ve examined Input Validation, Output Sanitization, Context‑Specific Validation, and Data Integrity. Two more critical pieces remain: Secure Coding Practices and Continuous Security Testing & Maintenance.

1. Secure Coding Practices

Unsafe APIs can undo even rock-solid validation. Elevate your code quality by relying on high‑level, type‑safe libraries and avoiding string concatenation for any data that reaches a lower layer.

A. Parameterized Queries & ORMs

Rather than hand‑crafting SQL strings, use an ORM like Drift (formerly Moor). Drift auto‑parameterizes queries and provides Dart types with compile‑time checks:

// Define your Users table
class Users extends Table {
  IntColumn get id     => integer().autoIncrement()();
  TextColumn get name  => text()();
  TextColumn get email => text()();
}

// In your database class:
Future<List<User>> findUsersByName(String name) {
  // Drift ensures 'name' is a parameter, not part of the SQL code
  return (select(users)..where((u) => u.name.equals(name))).get();
}

With this approach, SQL injection is impossible, and your data layer is much easier to maintain.

B. Safe URL & Path Construction

Building URIs or file paths by hand invites subtle bugs and vulnerabilities. Always use Flutter’s built‑in helpers:

// Safe HTTP URL
final uri = Uri.https(
  'api.example.com',
  '/search',
  {'query': userInput}, // automatically percent‑encoded
);

// Safe file path
import 'package:path/path.dart' as p;
final safeName = p.basename(userInputFilename);
final file = File(p.join(appDir.path, safeName));

Uri and the path package handle encoding and normalization, so you never accidentally slip unsafe characters into a URL or path.

2. Continuous Security Testing & Maintenance

Validation logic isn’t “set and forget.” You must ensure your defenses stay aligned as your app evolves—new fields, screens, and data flows. Here’s how to bake security checks into your workflow:

A. Fuzzing with Unit & Integration Tests

Write tests that feed known attack patterns into your validation and data‑handling code:

// test/security_fuzz_test.dart
import 'package:flutter_test/flutter_test.dart';
import 'package:my_app/database.dart';

void main() {
  final db = MyDatabase();
  final payloads = [
    "Robert'); DROP TABLE users;--",
    "<script>alert(1)</script>",
    "../etc/passwd"
  ];

  for (var p in payloads) {
    test('findUsersByName rejects `$p`', () async {
      expect(
        () => db.findUsersByName(p),
        throwsA(isA<Exception>()),
      );
    });
  }
}

Extend these to widget tests, use WidgetTester or an external proxy to inject malformed deep links or simulate malicious user input.

B. Static Analysis & CI Integration

Automate linting and test runs so vulnerabilities never slip past a pull request:

# .github/workflows/flutter.yml
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: subosito/flutter-action@v2
        with:
          channel: stable
      - run: flutter pub get
      - run: flutter analyze --fatal-infos
      - run: flutter test --coverage

Add security‑focused lints (e.g., flagging rawQuery usage or unrestricted JavaScriptMode.unrestricted) to catch risky code patterns before review.

Integrate a dynamic analysis tool (e.g., OWASP ZAP or MobSF) into your CI pipeline to regularly scan your running app for input/output flaws and endpoint injection points. This is out of scope of this article and requires a dedicate article. I will tend to write about them but also let me know if this is interesting to you so I can focus on prioritizing it for you.

If you're using Firebase Cloud Functions as your backend, don’t rely on client-side validation alone. Functions receive raw data directly from users, and even though the UI might enforce types and formats, an attacker can bypass the frontend and call the function directly using tools like Postman or a custom app.

// BAD: Accepts user-supplied amount blindly
exports.processPayment = functions.https.onCall((data, context) => {
  const amount = data.amount;
  // processes payment...
});

This opens the door to abuse if the amount is not a number, or it's negative, or too large.Always validate critical fields on the backend, even if they've already been checked on the client:

if (typeof data.amount !== 'number' || data.amount <= 0 || data.amount > 100000) {
  throw new functions.https.HttpsError('invalid-argument', 'Invalid amount');
}

Whether it’s a Cloud Function or a Firestore path, your server-side Firebase logic should replicate the same rigorous checks as your Flutter app.

C. Validation Coverage & Maintenance

As OWASP warns under “Improper Data Validation,” adding a new form field and forgetting its validator is easy. Prevent that drift by centralizing and testing your validators:

// validators.dart
final Map<String, FormFieldValidator> validators = {
  'email': emailValidator,
  'password': passwordValidator,
  'phone': phoneValidator,
  // …when you add 'address', add addressValidator here
};

Then verify coverage with a unit test:

// test/validator_coverage_test.dart
import 'package:flutter_test/flutter_test.dart';
import 'package:my_app/validators.dart';

void main() {
  test('All form fields have validators', () {
    final formFields = ['email', 'password', 'phone'];
    expect(
      validators.keys.toSet(),
      equals(formFields.toSet()),
      reason: 'Form fields and validators must stay in sync',
    );
  });
}

And never skip calling _formKey.currentState!.validate() on submit—otherwise, none of your carefully written validators will run.

Quick Checklist

Before we end this article, I made a quick checklists for you to ensure you are on top of the security for your application to comply the M4 best practices.[ ] All user inputs run through allow‑lists and type checks[ ] Outputs to HTML/CSV/URLs are sanitized/escaped[ ] Percent‑encoding & Unicode are canonicalized before validation[ ] NoSQL/GraphQL filters validated against field‑name allow‑lists[ ] Integrity of persisted/cached data verified (HMAC/checksum)[ ] CI runs both static (lint/SAST) and dynamic (fuzz/DAST) tests[ ] Firestore paths are validated and encoded before use[ ] Firebase Cloud Functions enforce server-side schema validation

Conclusion

Remember that finance app wiped out by a single SQL payload? By layering strict input checks, context‑aware rules, and continuous testing, you build a fortress where no malicious data can slip in or out. Until then, keep validating like a fortress guard, no unchecked carriage should pass!Stay tuned for our next article on M5: Insecure Communication.

OWASP Top 10 For Flutter – M3: Insecure Authentication and Authorization in Flutter

Welcome back to our series on the OWASP Mobile Top 10 for Flutter developers. We’ve already explored M1: Mastering Credential Security in Flutter and M2: Inadequate Supply Chain Security. Now, we dive into M3: Insecure Authentication and Authorization, a classic yet devastating threat that can quietly unravel even the most polished Flutter apps.In this post, we’ll explain the difference between these two core security pillars and explore how they are implemented (or misimplemented) in Flutter apps while weaving in guidance from OWASP’s Mobile Application Security Verification Standard (MASVS) and real-world attack models

You can also find this topic in my book FlutterEngineering and follow along in my dedicated YouTube playlist if you prefer a more visual walkthrough.

What Is M3, and Why Should Flutter Developers Care?

When building a Flutter app, it's easy to get excited about crafting beautiful interfaces and smooth animations. But beneath the surface of those seamless user experiences lies something far more critical: authentication and authorization. These two processes aren't just technical terminology; they're the protection of your users' identities and the gatekeepers of your data.Authentication ensures users are genuinely who they claim to be, while authorization determines precisely what each authenticated user can and cannot do within your app. Think of authentication as checking IDs at the front door and authorization as ensuring guests don't wander into restricted rooms once inside.

But what happens when these essential controls are weak or poorly implemented? Unfortunately, the consequences are severe and all too common:

Malicious users can effortlessly impersonate others, assuming their identities to access sensitive information.
Attackers may elevate their privileges, gaining admin-like power to manipulate your app in ways never intended.
Confidential user data—from financial details to private messages—could become open to unauthorized eyes.
Unsecured transactions could lead to fraudulent actions without the user's knowledge or consent.
Worst of all, critical administrative operations could fall into malicious hands, allowing attackers to disrupt or damage your entire system.

Flutter apps, despite their convenience and rapid development cycles, often fall victim to these vulnerabilities because developers may inadvertently make mistakes like:

Storing authentication tokens insecurely makes them easy prey on compromised devices.
Relying solely on local checks, believing users won’t reverse-engineer or manipulate local logic.
Neglecting strong, consistent server-side verification, thus leaving gaps that attackers can exploit.
Placing blind trust in user-supplied data for permissions and roles, making privilege escalation trivial.

Adding fuel to the fire, mobile apps frequently require offline functionality, leading developers to handle authentication and authorization locally. This is convenient but also risky. Attackers have near-total control over rooted or jailbroken devices, meaning client-side security alone isn't enough.

Let me show you a typical authorization flow in Flutter:

We will go to each part of this in the following sections. Let's explore.

OWASP’s Perspective to See the Bigger Picture

To put these threats into perspective, OWASP classifies insecure authentication and authorization (M3) as one of the most critical issues facing mobile apps. Attackers targeting M3 vulnerabilities often use automated tools, custom scripts, or malicious software on rooted devices. They bypass client-side protections by directly communicating with backend services, forging user roles, or exploiting hidden API endpoints.For Flutter developers, understanding this bigger picture means recognizing that threats aren't theoretical; they’re driven by real attackers who exploit predictable patterns like weak credential policies, insecure token storage, or insufficient server-side checks. Ignoring these security measures doesn't just risk your data; it can lead to severe legal, financial, and reputational damage.By fully grasping the OWASP threat model, you'll build stronger, more resilient authentication and authorization systems, protecting your Flutter applications from common yet devastating attacks.

The Importance of Server-Side Validation

While client-side validation is essential for enhancing user experience and catching errors early, it cannot be trusted as the sole line of defense. Client-side checks can be bypassed, manipulated, or entirely disabled by attackers using reverse engineering techniques or network interception. This is why server-side validation is non-negotiable when it comes to securing your Flutter app.

Key Reasons to Prioritize Server-Side Validation

Bypass Vulnerabilities: Attackers can modify client-side code or intercept requests, rendering any client-side validation ineffective. Server-side checks ensure that every request is verified on a trusted environment.
Consistent Enforcement: Server-side validation provides a centralized enforcement point for critical security rules, such as strong password policies, token verification, and role-based access controls. This reduces inconsistencies that might arise when multiple clients handle validation.
Mitigation of Automated Attacks: With server-side mechanisms like rate limiting, account lockouts, and detailed logging, you can better detect and mitigate brute-force or credential stuffing attacks that bypass client-side measures.
Secure Sensitive Operations: Operations involving sensitive data or administrative functions must always be validated on the server to prevent unauthorized access, even if the user interface hides certain options.

Best Practices for Implementing Server-Side Validation

Enforce Data Integrity: Always verify user input, tokens, and permissions on the server, regardless of the client-side checks performed.
Utilize Secure Tokens: Implement short-lived access tokens and robust refresh mechanisms. Validate these tokens on every request to ensure that the session remains secure.
Role and Permission Checks: Never trust client-supplied data for critical decisions like role assignments. Use server-side logic to confirm the user's privileges before executing any sensitive operation.
Centralized Logging and Monitoring: Incorporate logging of all critical actions and validation failures. This centralized logging not only helps in early detection of suspicious activities but also aids in post-incident analysis.

Remember: The principle of "defense in depth" means that every layer of your app, from the client to the server, must work together to ensure robust security.

Common Authentication Vulnerabilities in Flutter

Let’s walk through these common pitfalls together, exploring what typically goes wrong and how easily attackers can exploit these vulnerabilities. We’ll then examine robust solutions so you can confidently protect your apps from these risks.

Weak Password Policies

One of the simplest yet most overlooked vulnerabilities is weak password enforcement. At first glance, handling password inputs might seem straightforward. You create a simple registration form in Flutter, add a password field, and ensure users can't leave it blank. Your form might look something like this:

TextFormField(
  obscureText: true,
  decoration: InputDecoration(labelText: 'Password'),
  validator: (value) {
    if (value == null || value.isEmpty) {
      return 'Please enter your password';
    }
    // Ideally add length and complexity checks here
    return null;
  },
);

This snippet feels harmless; after all, you're verifying that users at least provide something. But consider this: attackers armed with automated tools can attempt thousands of common passwords in just a few minutes. With no complexity checks, no minimum-length enforcement, and no server-side protection, you've unintentionally provided them with a golden opportunity.Attackers thrive in these environments, efficiently bypassing client-side validations or intercepting requests to test countless weak passwords, such as "123456," "password," or "qwerty."

Why Does This Happen So Often?

Flutter developers sometimes mistakenly assume client-side validation is sufficient. However, attackers can effortlessly bypass local validation by manipulating the app or intercepting network requests.
As detailed in our 'Server-Side Validation' section, client-side password checks are only the first line of defense.
Weak passwords or predictable patterns make credential stuffing and brute-force attacks effective and widespread.

How to Secure Password Handling

Implementing strong password security is straightforward, but it requires diligence and consistent enforcement:

Always validate passwords on the backend rather than relying on client-side checks alone.
Enforce complexity rules:
- Require passwords to be at least 8–12 characters.
- Mandate a mix of uppercase letters, lowercase letters, numbers, and special characters.
Protect against automated attacks using rate limiting, account lockouts, or progressive delays after multiple failed login attempts.

Insecure Token Storage

We have talked about this in previous articles, too.Think of authentication tokens as master keys that open doors to your application’s sensitive areas. When users log in, your Flutter app typically receives a token, often a JWT, that proves their identity for future interactions. But what happens if these critical tokens aren't stored securely?Imagine you decide to store tokens using Flutter’s convenient SharedPreferences:

// Insecure storage: tokens are stored in plain text, making them vulnerable on rooted devices.
final prefs = await SharedPreferences.getInstance();
await prefs.setString('authToken', token); // store in pure text

// Secure storage: tokens are stored using hardware-backed mechanisms.
final secureStorage = FlutterSecureStorage();
await secureStorage.write(key: 'authToken', value: token);

Looks simple, right? Unfortunately, convenience here comes with significant risk. On a rooted Android device, an attacker can easily navigate to:

/data/data/com.example.myapp/shared_prefs/

There, your neatly stored tokens sit completely unencrypted, like spare house keys under a welcome mat. Attackers won't even need specialized tools—these tokens are accessible and readable in plain text, ready for misuse.

Why Does This Happen?

Flutter’s SharedPreferences is great for quickly storing user preferences, but it's never meant to handle sensitive data.
Remember, as highlighted in our 'Server-Side Validation' section, local storage should never be the only safeguard.
Developers often favor convenience and session persistence without fully recognizing the security implications.

Why Does This Happen?

Flutter’s SharedPreferences is great for quickly storing user preferences, but it's never meant to handle sensitive data.
Remember, as highlighted in our 'Server-Side Validation' section, local storage should never be the only safeguard.
Developers often favor convenience and session persistence without fully recognizing the security implications.

How to Securely Store Tokens

Fortunately, Flutter offers safer alternatives designed specifically for sensitive data. The best practice is to use flutter_secure_storage, which leverages Android's hardware-backed Keystore and iOS's secure Keychain. Here's how easily you can implement this:

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

final secureStorage = FlutterSecureStorage();

await secureStorage.write(key: 'authToken', value: token);

Missing Multi-Factor Authentication (MFA)

Passwords alone are rarely strong enough, especially in mobile apps where convenience wins out over robust security. Users commonly select easy-to-remember passwords or reuse them across multiple platforms, dramatically increasing the risk of compromise. If your Flutter app relies solely on passwords, you leave a single weak point between your users and attackers.Imagine a banking app built in Flutter that requires only a username and password to log in, no OTP verification, no biometric checks, and nothing additional. If those credentials get leaked (and often do), an attacker can stroll through your security.

Why Does This Happen?

Passwords are easily compromised: Users frequently reuse them across sites, increasing the likelihood of being exposed to a breach.
Phishing and social engineering: Attackers constantly attempt to trick users into giving away credentials.
SIM-swap attacks: Even if SMS-based MFA is used, attackers might intercept messages, making simple SMS-based verification inadequate.

Without MFA, every leaked or phished password represents an immediate risk of complete account takeover.

Best Practices for Implementing MFA

Implementing Multi-Factor Authentication is the most effective way to protect your users and your app. MFA provides additional security layers beyond the password, significantly limiting damage from leaked credentials.Here’s how you can integrate robust MFA into your Flutter apps:

TOTP-based authentication: Use authenticator apps (like Google Authenticator or Authy) to generate unique, time-limited codes for each login.
Push-based notifications: Prompt users to approve logins through notifications on their trusted devices.
Biometric authentication: Utilize fingerprints or facial recognition as a secure fallback, especially for sensitive actions.

Implementing MFA using trusted third-party providers or custom backend logic dramatically enhances your security posture. It ensures that even if passwords are compromised, attackers face substantial barriers preventing unauthorized access.

Biometric Authentication Issues

Biometric authentication, like fingerprints or facial recognition, offers impressive convenience and is often perceived as highly secure. However, when biometrics are misused or incorrectly implemented, they can create a dangerous illusion of security.Consider a Flutter-based note-taking app that secures sensitive notes with a fingerprint scan, utilizing Flutter’s local_auth package.The implementation might look something like this:

import 'package:local_auth/local_auth.dart';

final localAuth = LocalAuthentication();

Future<bool> authenticateWithBiometrics() async {
  final isAvailable = await localAuth.canCheckBiometrics;
  if (!isAvailable) return false;

  return await localAuth.authenticate(
    localizedReason: 'Authenticate to access secure notes',
    options: const AuthenticationOptions(biometricOnly: true),
  );
}

This seems robust, right? Unfortunately, because this check occurs entirely on the client side, it's vulnerable to manipulation. An attacker with access to a rooted device can easily bypass or entirely fake the biometric verification by modifying the app, granting themselves unrestricted access to protected notes.

Why Does This Happen?

Purely local checks: Without verifying biometric success on the server-side, the local-only validation can easily be bypassed.
No secure fallback: The absence of an alternative verification (like a PIN or password) leaves your app vulnerable if biometrics are compromised or unsupported.
Missing session-based validation: If biometrics directly unlock sensitive content without validating sessions or tokens, the security of your data depends entirely on local security.

Best Practices for Secure Biometric Integration

To leverage biometrics safely in your Flutter applications:

Use biometrics to unlock securely stored tokens, not directly to grant immediate data access.
As outlined in our 'Server-Side Validation' section, biometrics should only serve as an initial step to unlock secure tokens. Always combine them with server-side validations to prevent bypass attempts.
Provide secure fallback methods (such as PIN or password) for devices without biometric support or in cases of biometric failure.

Following these guidelines will significantly enhance security, transforming biometrics from a misleading comfort to a genuinely robust protective measure.

Poor Session Management

Session management is the quiet guardian behind your app's security. Unfortunately, it's often overlooked—leading to tokens that never expire, missing logout functionality, and the absence of proper token-refresh logic. Such oversights can severely weaken your app’s security posture.Imagine a Flutter app designed to keep users conveniently logged in indefinitely.On the surface, users might appreciate the seamless experience. But what if their device gets lost, stolen, or compromised? Without a proper timeout or refresh strategy, the attacker instantly inherits an endless session, gaining continuous access to sensitive user data.

Why Does This Happen?

Long-lived tokens: Tokens with no expiration date or excessively long lifetimes significantly increase risk if they're ever compromised.
Lack of automatic mitigation: Without token expiration, there's no built-in mechanism to reduce damage or automatically revoke access.
Simplified session hijacking: Attackers find it easier to hijack sessions when tokens never expire or there is no effective logout procedure.

Best Practices for Secure Session Management

To protect your users and secure their sessions effectively:

Issue short-lived access tokens (typically around 15 minutes), significantly reducing the exposure window if compromised.
Utilize secure refresh tokens, stored safely using flutter_secure_storage, to renew access seamlessly yet securely.
Consistently implement a robust logout mechanism that clears tokens both locally and server-side, ensuring no lingering sessions remain active after logout.
Store all session tokens securely, leveraging encrypted local storage mechanisms like flutter_secure_storage.

Bypassing Authentication Controls

Sometimes, the most dangerous vulnerabilities are the ones you didn't even realize existed. It's easy to assume that if a feature isn't visible or directly accessible from your app’s UI, users won't find or exploit it—but attackers frequently prove this assumption wrong.

Consider this real-world scenario: A Flutter-based health application had an internal testing endpoint at /test-patient-info. It was designed to simplify QA processes by quickly fetching sensitive patient data. Unfortunately, developers forgot to secure this endpoint properly before launching to production:

// A request made without any authentication header
// If the backend fails to verify a token, it may allow data retrieval.
final response = await http.get(Uri.parse('https://api.example.com/test-patient-info'));
if (response.statusCode == 200) {
  print('Data: ${response.body}');
} else {
  print('Unauthorized or Not Found');
}

Without requiring an authentication token or performing authorization checks, this seemingly hidden endpoint quietly exposed sensitive patient information to anyone who knew where to look.

Why Does This Happen?

Developers mistakenly assume that users will never discover or exploit specific endpoints, particularly those meant for internal QA or debugging.
Forgotten test routes remain active, silently waiting to be exploited in production.
UI-level gating, such as hiding buttons or options from the user interface, is incorrectly treated as adequate security, even though attackers frequently bypass client-side controls.

Best Practices for Securing All Endpoints

To prevent attackers from exploiting hidden or forgotten endpoints:

As discussed in our 'Server-Side Validation' section, relying solely on client-side restrictions, like hiding endpoints, is risky.
Conduct a thorough audit of all available routes and endpoints before releasing your app to production.
Remove or fully disable test or debug endpoints in your release builds, minimizing unnecessary attack surfaces.

Common Authorization Vulnerabilities in Flutter

Unfortunately, many Flutter developers fall into common authorization pitfalls even when authentication is done right. A frequent misconception is that if an option or endpoint is hidden from the UI, users won't find or misuse it.This assumption fails to recognize how easily attackers can reverse-engineer apps or intercept network calls to uncover hidden endpoints or functionalities.Let’s explore some of the most prevalent authorization mistakes Flutter apps encounter, understanding what goes wrong, why these issues arise, and, most importantly, how to avoid them.

Broken Object Level Authorization (BOLA/IDOR)

Imagine you're building a Flutter-based social media app where each user creates and views their posts. To load a specific post, you might write a straightforward function like this:

Future<String?> fetchPost(String postId) async {
  final response = await http.get(
    Uri.parse('https://api.example.com/posts/$postId'),
  );
  if (response.statusCode == 200) {
    return response.body;
  } else {
    return null;
  }
}

At first glance, everything seems fine. After all, the user is authenticated. However, consider what happens if your backend only verifies that the user is logged in but doesn't verify if the post belongs to that user. Attackers can exploit this weakness easily by guessing or incrementing the post IDs to access other users' posts:

GET https://api.example.com/posts/1024
GET https://api.example.com/posts/1025
GET https://api.example.com/posts/1026

If these identifiers (1024, 1025, 1026) are sequential or easily predictable, you've unintentionally allowed attackers to access sensitive content belonging to other users. This is precisely what's known as Broken Object Level Authorization (BOLA), also called Insecure Direct Object Reference (IDOR), which is one of the most commonly exploited vulnerabilities in APIs today.

How to Secure Your Flutter App Against BOLA

To prevent BOLA vulnerabilities effectively, you should implement the following best practices clearly and consistently:

1. Always Verify Resource Ownership Server-Side

When handling requests for specific resources, your backend must ensure the user requesting the resource owns or has permission to access it.

2. Use UUIDs or Non-Predictable Identifiers

Instead of using sequential numbers (like 1024, 1025, etc.), use universally unique identifiers (UUIDs). UUIDs make it virtually impossible for attackers to guess or enumerate resource identifiers.For example, your API endpoint might look like this:

GET https://api.example.com/posts/4a1f23e2-74f8-4915-bb69-ec8f5b1c3d2a

You can easily generate UUIDs in Dart with the uuid package:

import 'package:uuid/uuid.dart';

final uuid = Uuid();

// Creating a new post with a unique UUID
String newPostId = uuid.v4(); // Generates a random UUID

Your backend would store and reference these UUIDs, significantly reducing the risk of unauthorized access via ID enumeration.

3. Never Rely on Client-Side Authorization

It's tempting to rely on UI-level logic to hide options or functionalities a user shouldn’t access. However, attackers can bypass the client side entirely. Server-side checks must always be your ultimate line of defense.

Broken Function Level Authorization (BFLA)

Suppose you’re building an admin dashboard in your Flutter application. You carefully design the UI so that regular users don’t see sensitive actions like "Delete User," reserving this functionality exclusively for administrators.In your frontend, you have something like:

// Admin-only button, hidden from regular users:
if (currentUser.role == 'admin') {
  ElevatedButton(
    onPressed: () {
      deleteUser(targetUserId);
    },
    child: Text('Delete User'),
  );
}

You might feel confident after all, regular users can't see or interact with this button, right? Unfortunately, attackers don't need a visible button to exploit your app.They can directly call your API endpoint with crafted requests, completely bypassing UI restrictions:

final response = await http.post(
  Uri.parse('https://api.example.com/admin/deleteUser'),
  body: {'userId': 'targetUserId'},
);

If your server-side logic lacks a robust check verifying user privileges, a non-admin user can effortlessly execute administrative actions like deleting users—this vulnerability is known as Broken Function Level Authorization (BFLA).

Why Does This Happen?

Developers mistakenly assume UI-level restrictions are sufficient protection.
Server-side checks for user roles or permissions are either weak or missing entirely.
Attackers can easily discover and craft API requests manually—even hidden endpoints are discoverable through reverse engineering or network analysis.

How to Secure Your Flutter App Against BFLA

Here are proven approaches to ensure your application properly validates user privileges and permissions:

1. Implement Strict Role-Based Checks on the Server

Always enforce access control logic on your backend, validating explicitly whether the user making the request has the correct privileges:

import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_router/shelf_router.dart';

// Define an authenticated user model
class AuthenticatedUser {
  final String id;
  final String role;

  AuthenticatedUser({required this.id, required this.role});
}

// Handler function for deleting a user
Future<Response> deleteUserHandler(Request request) async {
  // Retrieve the authenticated user from the request context.
  final user = request.context['user'] as AuthenticatedUser?;
  if (user == null || user.role != 'admin') {
    // If the user is not authenticated or not an admin, return 403 Forbidden.
    return Response.forbidden(
      jsonEncode({'message': 'Unauthorized action'}),
      headers: {'Content-Type': 'application/json'},
    );
  }

  // Parse the request body to get the target user ID.
  final payload = jsonDecode(await request.readAsString());
  final targetUserId = payload['userId'];

  // Delete the user from the database.
  await deleteUserFromDatabase(targetUserId);

  // Return a successful response.
  return Response.ok(
    jsonEncode({'message': 'User deleted successfully'}),
    headers: {'Content-Type': 'application/json'},
  );
}

// Mock function to simulate deleting a user from a database.
Future<void> deleteUserFromDatabase(String userId) async {
  // Implement your deletion logic here.
  print('Deleting user with ID: $userId');
}

// Create and configure the router
Router getRouter() {
  final router = Router();
  router.post('/admin/deleteUser', deleteUserHandler);
  return router;
}

void main() async {
  final router = getRouter();
  // Create a pipeline with logging middleware.
  final handler = const Pipeline()
      .addMiddleware(logRequests())
      .addHandler(router);

  // Start the server on localhost at port 8080.
  final server = await io.serve(handler, 'localhost', 8080);
  print('Server listening on port ${server.port}');
}

This example ensures that only an authenticated user with an admin role can perform the delete operation.

2. Validate Roles Using Secure Tokens (JWT Claims)

Use JSON Web Tokens (JWT) to encode roles and permissions securely, allowing the server to validate these details without relying on client-supplied data:

{
  "sub": "user123",
  "role": "admin",
  "iat": 1711234567,
  "exp": 1711244567
}

When processing requests, the server must decode and verify the JWT claims thoroughly before allowing privileged actions.

3. Log and Monitor Abnormal Access Attempts

Ensure your backend actively logs all attempts—especially unsuccessful ones—to perform sensitive actions. Implement monitoring and alerts for suspicious behavior indicating potential attempts at privilege escalation:

import 'dart:convert';
import 'package:shelf/shelf.dart';

Future<Response> deleteUserHandler(Request request) async {
  final user = request.context['user'] as AuthenticatedUser;

  if (user.role != 'admin') {
    // Log suspicious activity
    print('⚠️ Unauthorized delete attempt by user: ${user.id}');

    // Notify your security team or alert system
    await alertSecurityTeam(user.id, 'Unauthorized deleteUser attempt');

    return Response.forbidden(
      jsonEncode({'message': 'Unauthorized action'}),
      headers: {'Content-Type': 'application/json'},
    );
  }

  // Extract data (e.g., userId) from request
  final payload = jsonDecode(await request.readAsString());
  final targetUserId = payload['userId'];

  // Proceed with authorized delete logic
  await deleteUserFromDatabase(targetUserId);

  return Response.ok(
    jsonEncode({'message': 'User deleted successfully'}),
    headers: {'Content-Type': 'application/json'},
  );
}

// Example of supporting classes/functions:
class AuthenticatedUser {
  final String id;
  final String role;

  AuthenticatedUser({required this.id, required this.role});
}

Future<void> alertSecurityTeam(String userId, String message) async {
  // Integrate your alert mechanism here (Slack, Email, Logs, etc.)
  print('🚨 Alert Security: User: $userId, Message: $message');
}

Future<void> deleteUserFromDatabase(String userId) async {
  // Your database deletion logic here
}

Improper Handling of Roles & Permissions

A common pitfall among Flutter developers is mistakenly placing trust in data controlled by clients, particularly roles and permissions. Imagine your app stores a user's role locally and includes it in request headers.Your backend API might initially look like this:

GET https://api.example.com/admin/dashboard
Headers:
  role: "user"

An attacker quickly realizes that changing this header from role: "user" to role: "admin" grants unrestricted administrative access:

GET https://api.example.com/admin/dashboard
Headers:
  role: "admin"

In line with our 'Server-Side Validation' best practices, never trust client-supplied role data. Always verify roles and permissions on the backend to ensure proper authorization.

Why Does This Happen?

Developers sometimes incorrectly assume clients will behave honestly, trusting user-controlled data such as request headers or local state.
The backend lacks robust verification of user roles or permissions.
Client-side roles, stored locally or sent in request bodies or headers, can easily be tampered with.

Best Practices to Securely Handle Roles and Permissions

To protect your Flutter app effectively from role manipulation:

1. Encode Roles in Securely Signed Tokens (JWT Claims)

Use JWT (JSON Web Token) claims to encode user roles securely, ensuring they cannot be modified without detection:

// Example JWT payload
{
  "sub": "user123",
  "role": "admin",
  "exp": 1711244567
}

2. Never Trust Client-Supplied Data for Authorization

Always perform server-side validation using secure tokens. Verify the JWT claims carefully to ensure the user's role matches the privileges required to access the requested functionality:

import 'dart:convert';
import 'package:shelf/shelf.dart';

Future<Response> adminDashboardHandler(Request request) async {
  final user = request.context['user'] as AuthenticatedUser;

  if (user.role != 'admin') {
    return Response.forbidden(
      jsonEncode({'message': 'Forbidden'}),
      headers: {'Content-Type': 'application/json'},
    );
  }

  final dashboardData = await getAdminDashboardData();

  return Response.ok(
    jsonEncode(dashboardData),
    headers: {'Content-Type': 'application/json'},
  );
}

// Example supporting classes/functions:
class AuthenticatedUser {
  final String id;
  final String role;

  AuthenticatedUser({required this.id, required this.role});
}

Future<Map<String, dynamic>> getAdminDashboardData() async {
  // Fetch and return dashboard data securely
  return {
    'userCount': 2500,
    'activeSessions': 123,
    // Add additional admin-specific metrics here
  };
}

3. Maintain Roles in Secure Internal Databases

Always maintain roles and permissions internally on the server or through secure user databases, never trusting the client's submitted values. Use JWT claims merely to identify and cross-reference server-side data:

// Dart representation of secure JWT payload
class JwtPayload {
  final String userId;
  final String role;

  JwtPayload({required this.userId, required this.role});
}

Exposed or Hidden Admin Endpoints

It's tempting to believe that hiding an endpoint, such as one used during testing or development, is enough to keep it secure. Developers might think, "If users can't see it, they won't find it." But in security, hiding is never enough.Imagine you've developed a Flutter-based service with a backend API that includes an internal debugging route like /beta-endpoint. Perhaps it's intended to fetch all user emails for internal testing purposes quickly. In Dart, this endpoint might initially be written without proper protection, like this:

import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart';

// ⚠️ Insecure debug endpoint left active in production!
Router insecureRouter() {
  final router = Router();

  router.get('/beta-endpoint', (Request request) async {
    final emails = await database.getAllUserEmails(); // No authentication!
    return Response.ok(
      jsonEncode({'emails': emails}),
      headers: {'Content-Type': 'application/json'},
    );
  });

  return router;
}

Developers might forget or consider it safe because it doesn't appear in the app's UI. However, attackers regularly use automated tools, network analyzers, or reverse engineering techniques to uncover hidden API endpoints. Once discovered, endpoints lacking proper authentication and authorization become glaring vulnerabilities, exposing sensitive user data to unauthorized actors.Here is a good example:

import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart';

// Example user model
class AuthenticatedUser {
  final String id;
  final String role;
  AuthenticatedUser({required this.id, required this.role});
}

// Secure endpoint handler with authentication & authorization
Router secureRouter() {
  final router = Router();

  router.get('/beta-endpoint', (Request request) async {
    final user = request.context['user'] as AuthenticatedUser?;

    // Ensure endpoint is accessible only by authorized internal roles
    if (user == null || user.role != 'admin') {
      return Response.forbidden(
        jsonEncode({'message': 'Forbidden'}),
        headers: {'Content-Type': 'application/json'},
      );
    }

    final emails = await database.getAllUserEmails();

    return Response.ok(
      jsonEncode({'emails': emails}),
      headers: {'Content-Type': 'application/json'},
    );
  });

  return router;
}

// Mock database function (example)
class database {
  static Future<List<String>> getAllUserEmails() async {
    return ['[email protected]', '[email protected]'];
  }
}

Why Does This Happen? (OWASP Insight)

Developers often mistakenly rely on "security through obscurity," assuming hidden or undocumented endpoints won't be discovered.
Endpoint enumeration via automated scanning, fuzzing, or app reverse-engineering is common among attackers, quickly revealing these "hidden" routes.
Leftover endpoints from testing phases frequently remain unsecured and active, silently waiting to be exploited.

Best Practices for Securing Your API Endpoints

To ensure hidden or administrative endpoints don't compromise your app's security:

As part of your deployment process, regularly audit all API routes, identifying endpoints that aren't meant for public use.
Separate development and production environments—remove or fully disable development-only endpoints before your app reaches production.
Apply strict, role-appropriate authentication and authorization to every endpoint, regardless of its intended use or visibility.

Additional Topics & Best Practices

To avoid repetition, here’s a concise recap of critical authentication and authorization practices covered earlier:

Strong Password Enforcement: Always enforce complexity and length rules server-side, with lockout mechanisms.
Secure Token Storage: Use flutter_secure_storage to store JWT tokens safely.
Multi-Factor Authentication (MFA): Implement MFA (TOTP, push notifications, biometrics) to secure critical actions.
Proper Biometric Use: Employ biometrics to unlock secure tokens; never rely solely on biometrics for sensitive data access.
Robust Session Management: Issue short-lived JWT access tokens with secure refresh tokens. Always validate JWT claims and include necessary metadata.

Apart from these, let me review a few more practical tips.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) maps users to predefined roles (e.g., Admin, Editor, Viewer) and limits each role to specific permissions. This prevents users from stepping outside their assigned boundaries. Instead of checking individual user permissions every time, the system checks the role, and that role has known capabilities.

Define Roles. Decide what roles your application needs. Keep them minimal and purposeful (e.g., an e-commerce platform might have Customer, Seller, Admin).
Assign Permissions. Each role has a set of allowed actions, like CreateOrder, ModifyProduct, or DeleteUser.
Enforce at the Server. The server verifies the user’s role, typically from a JWT claim or a session lookup, and checks whether the requested action is permitted.

A Flutter UI can use roles to hide or show features, but the critical check remains on the server. Even if someone modifies the Flutter app to expose an admin feature, the server should reject the request if their role is not actually Admin.

Secure Third-Party Authentication (Google, Apple, etc.)

Third-party authentication services like Google or Apple Sign-In offer users a seamless login experience. But convenience doesn't automatically equal security. Your backend must independently verify tokens provided by third-party services to ensure authenticity.A typical Google Sign-In integration in Flutter might look like this:

import 'package:google_sign_in/google_sign_in.dart';

final GoogleSignIn _googleSignIn = GoogleSignIn(scopes: ['email']);
final account = await _googleSignIn.signIn();
final auth = await account?.authentication;

final idToken = auth?.idToken;
final accessToken = auth?.accessToken;

// Send ID token securely to your backend for validation
await http.post(
  Uri.parse('https://your-api.com/auth/google'),
  headers: {'Content-Type': 'application/json'},
  body: jsonEncode({'idToken': idToken}),
);

Never assume the ID token is valid just because Google issued it. Always verify the token server-side before granting access.Here’s how you might implement a token validation service in Dart using HTTP:

import 'dart:convert';
import 'package:http/http.dart' as http;
import 'package:shelf/shelf.dart';

const googleClientId = 'your-google-client-id.apps.googleusercontent.com';

Future<Response> googleAuthHandler(Request request) async {
  final body = await request.readAsString();
  final data = jsonDecode(body);
  final idToken = data['idToken'];

  final googleVerificationUrl =
      'https://oauth2.googleapis.com/tokeninfo?id_token=$idToken';

  final response = await http.get(Uri.parse(googleVerificationUrl));

  if (response.statusCode != 200) {
    return Response.forbidden(
      jsonEncode({'error': 'Invalid Google token'}),
      headers: {'Content-Type': 'application/json'},
    );
  }

  final payload = jsonDecode(response.body);

  if (payload['aud'] != googleClientId) {
    return Response.forbidden(
      jsonEncode({'error': 'Invalid audience'}),
      headers: {'Content-Type': 'application/json'},
    );
  }

  final userId = payload['sub'];
  final email = payload['email'];

  // TODO: Create or fetch the user in your own system
  final sessionToken = await createSessionForUser(userId, email);

  return Response.ok(
    jsonEncode({'sessionToken': sessionToken}),
    headers: {'Content-Type': 'application/json'},
  );
}

Future<String> createSessionForUser(String userId, String email) async {
  // Your logic to create or resume a user session securely
  return 'secure-session-token-for-$userId';
}

Principle of Least Privilege

The "Principle of Least Privilege" is essential to secure authorization. Simply put, users should only have the minimum permissions necessary to perform their tasks—no more, no less.Consider a Flutter e-commerce app scenario where sellers manage product listings. Each seller should only manage their own items. Granting broader administrative privileges unnecessarily exposes sensitive data or functionality.Why this matters:

Excessive permissions amplify the impact if an account is compromised.
Attackers thrive in environments with broadly assigned roles.

Best practices to implement least privilege:

Clearly define roles (e.g., Admin, Editor, Seller, Viewer) and associated permissions.
Regularly audit permissions to remove unnecessary privileges.
Temporarily elevate permissions only when essential, reverting immediately afterward.

JWT role example:

{
  "sub": "user456",
  "role": "seller",
  "permissions": ["manageOwnProducts", "viewOrders"]
}

Server-side enforcement

import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart';

// Mock product model
class Product {
  final String id;
  final String ownerId;

  Product({required this.id, required this.ownerId});
}

// Mock authenticated user model
class AuthenticatedUser {
  final String id;
  final String role;
  final List<String> permissions;

  AuthenticatedUser({
    required this.id,
    required this.role,
    required this.permissions,
  });
}

// Secure route to update product info
Router sellerRouter() {
  final router = Router();

  router.put('/products/<id>', (Request request, String id) async {
    final user = request.context['user'] as AuthenticatedUser?;
    if (user == null) {
      return Response.forbidden(jsonEncode({'message': 'Authentication required'}));
    }

    // Fetch the product
    final product = await getProductById(id);

    // Check ownership and permission
    if (product.ownerId != user.id || !user.permissions.contains('manageOwnProducts')) {
      return Response.forbidden(
        jsonEncode({'message': 'Unauthorized to modify this product'}),
        headers: {'Content-Type': 'application/json'},
      );
    }

    // Update product logic here...
    await updateProduct(id, request);

    return Response.ok(
      jsonEncode({'message': 'Product updated successfully'}),
      headers: {'Content-Type': 'application/json'},
    );
  });

  return router;
}

// Mock DB lookup
Future<Product> getProductById(String id) async {
  return Product(id: id, ownerId: 'user456');
}

// Mock update
Future<void> updateProduct(String id, Request request) async {
  // Update logic...
}

Runtime Protection in Flutter (RASP)

You’ve implemented secure authentication, stored tokens safely, and enforced strict role-based access on your backend. You’ve checked all the boxes. But here’s the uncomfortable truth: even with all that in place, your app can still be tampered with—at runtime—especially on rooted or jailbroken devices.This is where Runtime Application Self-Protection (RASP) becomes critical. Unlike static protections, RASP monitors your app’s environment in real time, detecting and responding to suspicious behavior while it is running.

Real-World Attack Scenario

Consider this scenario: You've meticulously secured your Flutter app by enforcing strong password policies, securely storing tokens, and implementing rigorous role-based access control on your backend APIs. You feel confident your app is secure.However, an attacker installs your app on a rooted device using sophisticated tools like Frida or Xposed. They can bypass local biometric authentication checks, intercept and manipulate API requests, and disable crucial security logic. Without runtime protection measures, you'd likely never detect this active manipulation, exposing sensitive user data.

How to Defend Against Runtime Threats with freeRASP

To close this final security gap, consider integrating Runtime Application Self-Protection (RASP) into your Flutter app. RASP actively monitors and responds to runtime threats, significantly reducing the risk of real-time app tampering.One effective Flutter-compatible RASP solution is freeRASP, which offers easy-to-integrate runtime threat detection. Here's a practical example of how simple it is to set up your Flutter project:

Future<void> _initializeTalsec() async {
  final config = TalsecConfig(
    androidConfig: AndroidConfig(
      packageName: 'com.aheaditec.freeraspExample',
      signingCertHashes: ['AKoRuyLMM91E7lX/Zqp3u4jMmd0A7hH/Iqozu0TMVd0='],
      supportedStores: ['com.sec.android.app.samsungapps'],
      malwareConfig: MalwareConfig(
        blacklistedPackageNames: ['com.aheaditec.freeraspExample'],
        suspiciousPermissions: [
          ['android.permission.CAMERA'],
          ['android.permission.READ_SMS', 'android.permission.READ_CONTACTS'],
        ],
      ),
    ),
    iosConfig: IOSConfig(
      bundleIds: ['com.aheaditec.freeraspExample'],
      teamId: 'M8AK35...',
    ),
    watcherMail: '[email protected]',
    isProd: true,
  );

  await Talsec.instance.start(config);
}

What Does freeRASP Detect?

freeRASP continuously scans and detects:

Rooted or jailbroken devices
Debugger attachment
Emulator usage
Binary tampering or re-signing
SSL pinning bypass attempts

Why Runtime Protection is Essential

Even the most substantial design-level security can fail when attackers actively tamper with your app during runtime. RASP provides a critical, proactive defense layer, monitoring your app's environment continuously. It detects threats as they occur and allows your app to react in real-time, making it significantly harder for attackers to succeed.In essence, Runtime Application Self-Protection bridges the critical gap between security by design and security in practice, giving you peace of mind that your Flutter app remains protected, no matter how sophisticated the attack.Here is a layered security model to show what are the level of check for a simple input:

Now let me introduce you a quick checklist that can help you be on top of security of your app.

Checklist for Secure Flutter Authentication & Authorization:

[ ] Enforce strong password policies with both client- and server-side validation.

[ ] Store tokens using secure methods (e.g., flutter_secure_storage).

[ ] Implement multi-factor authentication (MFA) to add extra security layers.

[ ] Validate user roles and permissions exclusively on the server.

[ ] Use runtime protection (e.g., freeRASP) to detect live threats.

[ ] Regularly audit and remove unnecessary endpoints and debugging routes.

Conclusion

Never rely solely on your Flutter app’s UI for access control. Assume every device is potentially compromised, validating all actions server-side and layering defenses—secure token storage, multi-factor authentication, biometrics, and passwords. Runtime protection (RASP) detects and actively responds to live threats.Securing authentication and authorization in Flutter isn't a one-time fix—it's an ongoing process. By consistently applying these best practices, you'll build apps users can trust, enabling your team to scale securely and frustrating attackers at every step.

OWASP Top 10 For Flutter - M5: Insecure Communication for Flutter and Dart

In this fifth installment of our OWASP Top 10 series for Flutter developers, we shift focus to M5: Insecure Communication.In earlier parts, we tackled , , , and , each playing a crucial role in app security. But M5 strikes at the core of how mobile apps operate: how data moves in and out of your Flutter app.

Picture this, you’re in a cozy café, laptop open, integrating a new feature. You join the free Wi‑Fi, hit Run, and data starts to flow. What you don’t see is someone on that same network quietly capturing every byte, login tokens, profile calls, even payment info, because it’s traveling like postcards through a crowded street. That’s the heart of insecure communication.

This article isn't just about fixing bugs, it's about understanding how data is exposed, how attackers think, and how you can prevent silent breaches before they start.Then, let's get started

What Is “Insecure Communication”?

It’s every moment when your data can be watched, intercepted, or altered while in transit.Insecure communication shows up any time the bytes leaving your Flutter app—or your Dart backend—can be read, replayed, or rewritten by someone who wasn’t supposed to see them. It’s not just about typing https:// in your URLs. It’s about every transport your app relies on and every trust decision your code makes along the way.

Remember that café scene? If your request flies in the clear, the stranger at the next table can read or even modify it. And even when we think we’re being careful, we sometimes stub out certificate checks during testing, accept sketchy proxies during debugging, or log sensitive payloads in places we shouldn’t. These shortcuts pull us right back into danger—even if we’re technically using HTTPS.

Core Channels

Now that we’ve seen what insecure communication looks like in practice, let’s break down the channels where your data flows. We’ll get to code shortly, but first, here’s where risks tend to hide.These are the lifelines of your app. If any of them are exposed, everything else downstream is vulnerable.REST / GraphQLAlways use https://. Never put credentials or tokens in query strings—send them in headers or the body.

WebSocketsUse wss://, never ws://. Apply the same certificate validation and pinning logic as your REST layer.

If you’re using GraphQL subscriptions with graphql_flutter, confirm the client connects over wss:// and inherits your validation logic. No exceptions.

Raw TCP & gRPCEncryption is not optional. For raw sockets, wrap in SecureSocket. For gRPC, use ChannelCredentials.secure() and pin the server cert like you would for any HTTPS call.

SMS One-Time CodesAvoid them where possible, they’re vulnerable to SIM swaps and silent interception. If you must use them, expire them quickly and add detection for suspicious activity.Bluetooth & NFCPairing doesn’t mean encryption. Use BLE Secure Connections for Bluetooth, and encrypt NFC payloads end-to-end.

Who’s Listening?

No matter which transport you choose, if your app sends data in the clear—or trusts the wrong certificate—you’re vulnerable. Here are the common actors waiting to take advantage:

Passive listeners on public or compromised networks
Active man-in-the-middle attackers who intercept or inject traffic
Rogue access points (evil-twin Wi-Fi, hijacked routers)
On-device malware or tools running on rooted/jailbroken phones
Enterprise or MDM-pushed root CAs that override your app’s trust settings

Even one misconfigured transport can expose your entire session.Next, we’ll dive into the most common and preventable mistake: letting http:// endpoints sneak into production.

From HTTP to HTTPS

The fastest way to lose user trust, and data, is to let a single http:// endpoint slip into production. Before we talk about certificate pinning or advanced validation, we need to eliminate the most basic mistake: allowing unencrypted traffic in the first place.

Why Plain HTTP Is a Silent Killer

Using http:// is like taping your house key to the front gate—anyone walking by can grab it. Traffic moves in cleartext: tokens, cookies, form data, even search queries. All of it is readable to anyone on the same network, or logged by any proxy in the chain.And worse? A man-in-the-middle doesn’t even have to “break” encryption—because there isn’t any.The fix isn’t glamorous, but it’s non-negotiable:Encrypt every byte in transit and refuse to speak plaintext, ever.

Get a Certificate (Two Paths)

If you’re running a Dart backend—whether with shelf, HttpServer, or another server framework—you need a TLS certificate to serve HTTPS. This allows your Flutter app to connect securely, validate the server’s identity, and lay the foundation for things like certificate pinning.

Let’s look at two common paths: one for production deployments, and one for local development. You can also get certificates from a cloud provider or third-party CA—more on that below.

Option 1: Trusted Certificate (Let’s Encrypt or Third-Party)

For production, use a publicly trusted certificate from:

(free, automated)
Your cloud provider (e.g., AWS ACM, Google Managed Certs, Azure App Service)
A third-party certificate authority like DigiCert, GlobalSign, or ZeroSSL

Here’s how to set one up using Let’s Encrypt and Certbot on Ubuntu:

To test auto-renewal:

Certificates will be saved to:

You’ll reference these in Dart using SecurityContext() when starting your server.

💡 If you’re using a cloud platform (e.g., AWS, GCP, Azure), they may handle TLS termination for you. In that case, your Dart backend only sees HTTPS traffic forwarded as HTTP from the load balancer.

Option 2: Self-Signed Certificate (for Local Development)

For local testing and emulator development, a self-signed cert works fine. It’s not trusted by browsers or real devices—but that’s okay in dev. You’ll still benefit from full HTTPS support in your backend and Flutter app.To generate one using OpenSSL:

This creates two files:

localhost.crt — the certificate
localhost.key — the private key

Save these in your project directory or anywhere accessible by your Dart server.

Serve HTTPS in Dart with Shelf

Here’s how to use either cert type in a Dart backend with the shelf package:

⚠️ If you're using a self-signed cert, your Flutter app may reject the connection unless you override validation during development (more on that in section 4).

Here is now how we run our application with https supported.

While this seems to be more backend related, but we can also make sure our Flutter is adhering to best practices.

Lock Your App to HTTPS Only

Ensuring that your app refuses to connect to any HTTP endpoints is crucial. This prevents your app from accidentally leaking sensitive data over unencrypted channels. Let’s configure both Android and iOS to enforce HTTPS-only communication and block any insecure traffic.

Android:

Android gives you granular control over cleartext (non-HTTPS) traffic through Network Security Config. This is where you tell the app to only use HTTPS for production traffic, while allowing cleartext only for certain cases (like local development).

Create or modify the network_security_config.xml file in your project:
Path: android/app/src/main/res/xml/network_security_config.xml.

cleartextTrafficPermitted="false": This ensures that cleartext traffic (i.e., http://) is blocked for all domains.
The domain field specifies that only secure traffic (https://) is allowed for api.yourdomain.com and its subdomains.

Reference the network_security_config.xml file in your AndroidManifest.xml:
Path: android/app/src/main/AndroidManifest.xml.

Inside the <application> tag, add:

This step ensures that your app adheres to the defined network security rules.

Need to Allow http://10.0.2.2 for Local Development (Emulator)?For local development on Android, the emulator uses http://10.0.2.2 as the host for local services. To allow cleartext traffic for this during debugging, add a second domain-config block under the <network-security-config>:

let me give you a quick tip, wrap this configuration in a debug-only resource to ensure that it doesn't end up in production builds.

iOS: App Transport Security (ATS)

iOS enforces secure connections by default through App Transport Security (ATS), blocking any cleartext (HTTP) traffic. However, sometimes you might need to allow insecure connections during development, especially for local testing or non-production services.

Modify your Info.plist file (located at ios/Runner/Info.plist):

Add or modify the following ATS settings:

This configuration:

Disables arbitrary loads (HTTP connections) for production builds.
Allows insecure connections (HTTP) only for localhost, useful when you're testing locally during development.

Test your setup:
Build a release version of your app (via flutter build ios), then try hitting an http:// URL. You should see it fail as expected—indicating that your app is correctly enforcing HTTPS.

The One‑Line Secure Client in Flutter

You don’t need complex setups to ensure secure HTTP requests. Dart’s http package uses default TLS validation, so you can trust it right out of the box. Here’s how you make a secure request with it:

This simple line of code ensures that:

The request will only succeed if the connection is encrypted (via HTTPS).
If the server presents an invalid or expired certificate, Dart will throw a handshake exception, preventing the connection from being established.
Your app will fail closed (securely) rather than silently accepting a downgraded insecure connection.

If you need additional layers of security, like certificate pinning or advanced validation, you can wrap this client using IOClient from the http/io_client.dart package, giving you finer control over certificate handling.

TLS 101: Handshake, Trust Stores & Default Validation

Before diving into certificate pinning or enforcing strict policies, it’s essential to understand how TLS (Transport Layer Security) works in Dart and Flutter by default. TLS is the foundation of secure communication, and it’s crucial to know how your app handles it when performing HTTPS requests.

How Dart’s `HttpClient` Validates Certificates by Default

When you call http.get(...) or use Dart’s HttpClient, Dart automatically performs a standard TLS handshake to ensure the connection is secure:

ClientHello: Your app initiates the handshake by suggesting which protocol versions (e.g., TLS 1.2, TLS 1.3) and cipher suites it supports.
ServerHello & Certificate: The server responds with its chosen protocol and cipher suite, along with its certificate chain.
Validation: Dart’s HttpClient performs the following checks on the server’s certificate:
- Certificate Chain: Dart ensures that the certificate is linked to a trusted root authority in your app’s trust store.
- Expiry Check: Dart checks if the certificate is expired.
- Hostname Matching: Dart ensures that the hostname you requested matches the certificate’s Subject Alternative Name (SAN) or Common Name (CN).
Key Exchange & Encryption: If the certificate passes all checks, Dart and the server exchange session keys and establish an encrypted connection.

The Simple, Secure Call

Under the hood, Flutter’s http package uses IOClient, which delegates to the same HttpClient logic. The simplest, most secure call looks like this:

With this setup, you don’t need any additional code to validate certificates. Just use https:// for secure communication and ensure you don’t disable certificate validation callbacks.

Understanding `SecurityContext` in Dart

In Dart, is used to configure SSL/TLS settings when establishing a secure connection, such as for HTTPS requests. It’s an essential part of managing certificates and enforcing security protocols.Let’s break it down step-by-step:A object stores and manages the certificates and keys used for secure communication (like HTTPS or gRPC) in your Dart server or client.It can:

Store certificates to validate servers (e.g., SSL/TLS certificates).
Store a private key for your server when acting as a server.
Control which TLS protocols to use (like enforcing TLS 1.3).
Manage certificate pinning to ensure only specific certificates or public keys are trusted.

You can create and configure a SecurityContext in Dart to use it with an HttpClient or HttpServer when making or accepting HTTPS requests.For example, here’s how you load a certificate chain and a private key into a SecurityContext:

useCertificateChain: Loads the certificate chain from a file (in PEM format). The certificate chain can include the server's certificate and any intermediate certificates up to a trusted root certificate.
usePrivateKey: Loads the private key used for the server's certificate. This key is crucial for secure communication, as it enables the server to prove its identity.

💡 Tip: For local development, you may use self-signed certificates for testing. Just ensure the server trusts them by adding client.badCertificateCallback or using an assert() for dev-mode certificates.

Why SecurityContext Matters

In production, you should never disable certificate verification. Doing so opens the door to severe security risks, such as man-in-the-middle (MITM) attacks, where an attacker could intercept and modify your traffic.SecurityContext provides a secure, flexible, and powerful way to manage SSL/TLS connections in Dart. By configuring it properly, you ensure your app can securely connect to remote servers while avoiding common pitfalls.

Enforcing TLS Versions

You can enforce the use of specific TLS versions (e.g., TLS 1.3) by configuring the SecurityContext. This is useful to make sure your app only uses the most secure and up-to-date protocols.

You can also define ALPN (Application-Layer Protocol Negotiation) to ensure certain protocols are used, like HTTP/2:

This ensures that your app negotiates the best available protocol for secure communication.

Safe Dev-Mode Overrides for Self-Signed Certificates

During development, you may need to connect to a local server with a self-signed certificate (common for testing). Instead of disabling validation globally (which is dangerous), you can apply a scoped override that only activates for your local development server and only in debug builds.Here’s how you can safely trust your local dev server during testing:

The assert() ensures that this override only happens in debug mode (i.e., during development). The override will be stripped out in release builds, preventing any accidental trust issues.
client.badCertificateCallback allows your app to trust the server, even if the certificate is self-signed, but only if the host is 10.0.2.2 (the default for local development in Android emulators).

Why “Trust-All” Is a Recipe for Disaster

It might seem tempting to fix the CERTIFICATE_VERIFY_FAILED error by blindly accepting all certificates, like so:

However, this is extremely dangerous. What you’ve just done is disable all certificate validation. This effectively turns HTTPS into plain HTTP, leaving your app wide open to man-in-the-middle (MITM) attacks. Any attacker could present a fake certificate, and your app would blindly trust it.It’s like leaving your front door wide open and assuming no one will walk in. You won’t see the attacker coming, and they can capture everything you send or receive.

Certificate Pinning

Certificate pinning adds an extra layer of security to your app by hard-wiring trust. Instead of relying on the OS trust store to validate certificates, pinning ensures that your app only trusts the specific certificate or public key it was shipped with.

This makes it much harder for attackers to intercept or manipulate traffic, even if they manage to install a rogue certificate authority (CA) on the device.

Why and When to Use Certificate Pinning

Extra Security Layer: Pinning ensures that your app will only trust a specific certificate or public key for a particular domain.
When to Use: Pinning is essential for apps that handle sensitive data, like those in finance, healthcare, or any domain that makes your app a target.
Downsides: Pinning requires operational overhead. You need to rotate pins before the certificate changes, or users will lose connectivity. Always ship a backup pin to survive certificate renewals.
When Not to Use: Pinning isn’t required for every app, especially if the server’s certificate is expected to remain stable and not change often. But it’s a strong defensive measure if you need to minimize risk.

Check out Talsec's premium !

Why should you choose Dynamic TLS Pinning over the static certificate pinning?

Implementation of certificate pinning will usually use certificates hard-coded in applications. This approach will enforce both the rebuild of an application and the update for users when the hardcoded certificate is about to expire or is revoked. In applications that are pinning multiple certificates, this enforcement may occur too often.

Export the Server Certificate and SPKI Fingerprint

The first step in pinning is obtaining the certificate or public key you’ll pin to. You can extract the server’s certificate and its SPKI fingerprint using OpenSSL.

Dump the server's certificate (replace api.yourdomain.com with your target domain):

Generate the SPKI hash (the public key’s SHA-256 hash):

Save the Base64 hash: This is the SPKI fingerprint you’ll pin.

Manual Pinning with SecurityContext

Once you have the certificate or SPKI hash, you can manually configure your app to only trust this certificate.

Add server_cert.pem to your assets and declare it in pubspec.yaml:

Create a pinned HttpClient that uses your certificate:

setTrustedCertificatesBytes() ensures only the certificates you’ve added are trusted.
badCertificateCallback is used to reject any certificate not in the pinned certificate list.

Pinning by Fingerprint in a Callback

If you prefer to pin using the SPKI fingerprint instead of the full certificate, you can use the certificate’s hash directly in the badCertificateCallback.

This approach avoids storing the full certificate and directly compares the certificate's hash against the expected value.
Wrap the HttpClient in IOClient and use it with the http package just like before.

Using http_certificate_pinning for Less Boilerplate

If you want to simplify the pinning process, you can use the package, which reduces the amount of boilerplate code needed.

This package abstracts away much of the manual setup and makes pinning easier to implement.

Rotation Strategy and Gotchas

Ship at least two pins: Always have both the current and next certificate pinned, so you can smoothly rotate certificates.
Schedule renewals: Coordinate with your backend dev-ops to ensure the new certificate is live before the old one expires. Test failure scenarios by pointing your app to a server with an unpinned certificate to make sure it refuses to connect.
Obfuscate your pins if you’re worried about reverse engineering, but remember that an attacker with full device control can still bypass pinning. Pinning raises the bar, but it’s not a bulletproof shield.
Proactively rotate pins: Set up calendar reminders or CI/CD hooks to rotate pins before they expire.

With certificate pinning in place, your app will refuse to connect to impostor servers, even if they present a seemingly valid certificate. Pinning ensures that only the expected certificate or public key is trusted, adding defense in depth to your app’s security.

Securing Real‑Time Channels (WebSockets)

When your app needs instant updates—whether it's for chat, live dashboards, payments, or presence data—you’ll likely use WebSockets. They keep the connection alive and feel magical for real-time interactions. But don’t forget: ws:// is unencrypted and sends everything in plain text.Short take: Treat WebSockets exactly like HTTPS requests—TLS is mandatory, pinning and validation carry over, and never silently fall back to an insecure URL.

ws:// vs wss://

ws://: WebSockets over plain HTTP—insecure, unencrypted, and prone to MITM (Man-In-The-Middle) attacks. Anyone on the same network can read or inject data.
wss://: WebSockets over TLS—secure, encrypted, and ensures server identity and data integrity, just like HTTPS.

When working with real-time traffic, remember: it’s as sensitive as REST traffic. Always use wss://, especially when transmitting sensitive data (chat, payments, user info). Never send sensitive data via ws://.

Secure WebSocket Client in Flutter (No Extra Packages)

The web_socket_channel package, part of the Flutter standard toolbox, supports WebSocket connections and allows you to pass a custom HttpClient—so you can reuse the pinning logic from Section 5.Here’s how you can create a secure WebSocket connection with certificate pinning:

Key Rules for WebSocket Security

Never deploy ws://—always use wss:// for production. Strip out any ws:// references in your release configurations.
If the server uses a self-signed certificate in staging, ensure it’s only trusted during debug builds. Production must fail closed if the certificate is invalid.
Treat handshake failures as fatal—don’t auto-retry insecure WebSocket connections. Never fall back to ws://.
Apply the same timeout and retry backoff logic you use for REST API calls. Just because the WebSocket is open doesn’t mean it’s healthy.

Backend Setup with Dart (dart_frog or shelf)

If you’ve followed Section 3 and your backend already serves HTTPS with a valid certificate, WebSocket connections inherit the same secure setup. Here’s how to handle WebSocket upgrade requests in a Dart server (using shelf or dart_frog):

As long as the listener runs on port 443 and is using the proper SSL/TLS certificate, the WebSocket will automatically use wss://.

Testing the Failure Mode

To ensure everything works securely, test the failure mode:

Install mitmproxy on a test device and install its root certificate.
Modify your app’s config to point at https://realtime.yourdomain.com.
If your WebSocket pinning is set up correctly, the connection should fail with a handshake error when the invalid certificate is presented.
Your app should show a user-friendly error like “Secure connection failed”. Never allow it to silently downgrade to an insecure connection.

With secure WebSocket connections (wss://), your app can safely transmit real-time data just as it does with HTTPS. Pinning certificates and ensuring strong validation reduces the risk of MITM attacks and ensures data integrity.

Protecting Data Inside the Tunnel

While TLS ensures that your data is protected in transit, you still need to be mindful of where you store sensitive information in your app, and how it is handled on the device. Storing secrets in the wrong place or accidentally logging sensitive data can undermine your security. Let’s break down best practices for safe payload design, secure storage, and leak-free logging.

Keep Secrets out of URLs

Never put sensitive data (like tokens) in URLs. Query strings are easily logged in proxies, crash reports, or even screenshots. The following is a bad example:

Instead, use headers or JSON bodies to transmit sensitive data:

Tokens or credentials in URLs can easily be captured by intermediate services, proxies, or even browser history.

Check out Talsec's ultimate solution for secure communication between app and backend:

Explicit Headers and JSON Bodies

Always:

Set Content-Type: application/json when sending JSON data.
Convert maps to JSON using jsonEncode (never concatenate strings).
Capture response.statusCode and handle errors like 401/403 properly by failing closed instead of silently retrying.

This ensures your app handles errors in a predictable and secure manner, rather than accidentally exposing sensitive data.

Secure Storage on Device

I have written a lot about this in But let's have a quick review here too.Avoid using insecure storage solutions like SharedPreferences for sensitive data. SharedPreferences stores data in plaintext, making it vulnerable to extraction. Instead, use the OS key-store via flutter_secure_storage for secure data storage.

When to wipe tokens: If the device is rooted, the token could still be extracted from memory. Wipe the token on every "app background" event and rely on refresh tokens to quickly obtain a new one.
Don’t store tokens in memory or static variables between sessions. Always reload tokens securely from encrypted storage when needed.

Log and Analytics Hygiene

Sensitive data can easily leak through logs. A stray print(response.body) or verbose logging left in production code is an open invitation for a data leak. Here’s how to keep your logging secure:

Remove verbose logging in production using flags like --dart-define=FLUTTER_WEB_LOGS=false or wrap logs inside assert(() { … }()) for development-only logging.
Redact sensitive data in crash reporting services (e.g., Crashlytics, Sentry). Configure hooks to automatically redact tokens, emails, GPS coordinates, or anything personally identifying.

Application-Level Encryption (When TLS Isn’t Enough)

In certain scenarios, especially when regulations or threat models demand that data remain unreadable even on a compromised transport layer, you may want to encrypt the payload itself, in addition to relying on TLS.Here’s an example using the encrypt package for AES encryption:

Share the encryption key securely with your backend. You can use asymmetric encryption to securely exchange keys (public/private key pairs) or share the key out of band.
Use different encryption keys for each user/session, and ensure key rotation occurs regularly.
Avoid hardcoding encryption keys directly in the app binary; store them securely.

Platform‑Level Enforcement & HSTS

Even flawless code can be sabotaged by a stray manifest flag or a forgotten server redirect. Lock the doors at the OS and server layers so your app physically cannot talk over cleartext.

Android — Block Cleartext Everywhere

Recent Android versions disable HTTP by default, but one debug tweak can switch it back on. Add a network‑security config that allows only the domains you own, and only over TLS.res/xml/network_security_config.xml

Point your <application> tag at this file:android:networkSecurityConfig="@xml/network_security_config"Ship a release build, hit any http:// URL, and watch it fail fast—exactly what you want.

iOS — Tighten App Transport Security

iOS’s ATS already blocks cleartext. Make sure no earlier testing flag sneaks into production.ios/Runner/Info.plist snippet

Build a release IPA and run curl inside the app’s WebView or via http.get; it should error instantly.

Server — Tell Browsers “You’re TLS‑Only”

Preloading HSTS ensures even first-time users never hit your API over HTTP. Add the HTTP Strict Transport Security header so any compliant client refuses to downgrade.Nginx example

max-age: one year in seconds
includeSubDomains: catch everything, even
preload: after seven clean days submit to so all browsers hard‑code HTTPS for you.

Testing, Monitoring & Resilience

Building defenses is only half the game; now we prove they work and keep working.

Automated CI Scans

Spin up OWASP ZAP or Burp Scanner in Docker each pull‑request.

Fail the build on any medium‑ or high‑risk finding.

If you own Burp Enterprise, call its REST API the same way; block merges when new TLS or mixed‑content issues appear.

MITM Simulation on Real Devices

Mitmproxy: start a local proxy, install its root cert on emulator, route traffic through 127.0.0.1:8080.Expected results:

Any http:// request should fail instantly (platform block).
A pinned https:// request should fail handshake because the proxy cert isn’t pinned.
Debug‑only overrides (localhost, self‑signed) should still work.

Frida script (advanced): hook dart:io’s _HttpClient and attempt to replace badCertificateCallback. Your pinning logic should continue to reject the injected cert, proving an on‑device attacker can’t bypass it without heavy lifting.

Timeouts, Retries, Fail‑Closed

Never loop forever on a broken TLS handshake; instead:

If you still can’t connect, surface an error like “Secure connection failed—check Wi‑Fi or VPN” and refuse to downgrade.

Production Monitoring

Ingest mobile TLS failures into your backend logs (status code 0 or handshake exception). A sudden spike may mean your cert expired or a captive portal is blocking traffic.
Monitor pin‑mismatch events separately; if they rise, someone might be MITM‑ing users or your cert rotation went sideways.
Set up an uptime robot that curls your API over HTTP every hour; it must receive a 301/308 redirect or a 403 block. Alert if it ever gets a 200 OK—that means someone accidentally re‑enabled plaintext.

Disaster Drills

Once per quarter flip staging to an invalid certificate and run the app end‑to‑end:

Does the UI show a clear, user‑friendly error?
Does it refrain from retrying in the clear?
Can you ship a hotfix pin update quickly if needed?
For bonus points, automate pin mismatch simulation in CI using mocked certs or a TLS-intercepting proxy.

When these drills are boring, you’ve done it right: your pipeline, runtime checks, and human processes all treat insecure communication as an outage, not a warning.Next we’ll add final hardening for compromised devices with runtime detection.

Advanced Runtime Protections

Even with TLS, pinning, and platform blocks in place, everything collapses if the app runs on a rooted phone, inside an emulator, or under a live debugger. At that point an attacker can dump memory, switch off pinning at runtime, or extract tokens directly from disk. To close that last gap I add one more guardrail: on‑device tamper detection (, , and more) that shuts down sensitive flows the moment something looks wrong.

Why runtime protections matter

Root / jailbreak removes the OS sandbox; malware can read secure storage or inject hooks into Dart’s TLS stack.
Emulators invite dynamic instrumentation—think Frida scripts that patch badCertificateCallback to always return true.
Repackaged APKs can disable pinning, add spyware, then re‑sign the bundle and trick users into installing it.
Debuggers allow step‑through inspection of memory, exposing encryption keys and personal data.

One detection library will not beat every attacker, but it raises the cost so high that most move on to softer targets.

Integrating FreeRASP step by step

Add the dependency to pubspec.yaml

Bootstrap as early as possible—before you fetch tokens or open sockets.

Choosing the right response

High‑risk flows (payments, health‑records)

Immediately erase secrets, close sockets, and exit or force re‑authentication.

Medium‑risk flows (chat, productivity)

Switch to read‑only mode, warn the user, and log the incident.

Audit trail

Post a lightweight event (device hash, event type, UTC timestamp) so your SOC can spot trends and decide if a user or region is under attack.

Testing your defense

Rooted emulator: launch the app; _react should fire and secrets must be wiped.
For extra protection, send anonymized metrics to your SOC or backend security dashboard for analysis.
Frida attach: run frida -U -f com.example.app; debugger detection should trigger.
Repackaged APK: decompile with Apktool, rebuild, reinstall; app should refuse to run.
False‑positive check: release build on clean hardware—no callbacks should trigger.

Conclusion & What’s Next

We started this journey in a bustling café, watching an attacker try to intercept our traffic as we sent our "postcard." Ten sections later, our once-vulnerable postcard has transformed into an armored van: HTTPS everywhere, strict certificate validation, pinning for sensitive use cases, secure WebSockets, airtight payload handling, platform policies that block cleartext, automated scans, hands-on MITM drills, and FreeRASP standing guard on compromised devices.

Handle App Security with a Single Solution! Check out Talsec's premium offer:

Key Takeaways:

Encrypt every byte in transit: No http://, no ws://. Always use https:// and wss:// for security.
Trust, but verify: Let Dart’s HttpClient handle certificate validation; only implement pinning when you’re ready to manage the rotation playbook.
Keep secrets secure: Never store sensitive information in URLs, logs, or plain preferences. Use flutter_secure_storage for safe storage.
Test your app like it's in production: Break the build on TLS regressions, and fail loudly on handshake errors.
Assume hostile devices: Implement runtime checks like to halt sensitive flows at the first sign of tampering.

With these layers of defense in place, if one layer slips, the others catch it. This defense-in-depth approach is at the heart of OWASP M5 for Flutter and Dart developers.

Up next

In Part Six, we move from securing the wire to securing the binary: Reverse Engineering & Code Protection (M6). We'll crack open a Flutter APK/IPA, show how attackers decompile Dart, inject method swizzles, and siphon hard-coded keys. Then, we’ll teach you how to harden your build so they leave empty-handed.See you there!

AppSec articles

Introduction

Featured AppSec Collections

Latest Articles

articles

freeRASP for Unity Guide

🔐 Level Up Your Game’s Security with freeRASP for Unity

🎮 Designed with Unity Devs in Mind

⚙️ Easy Integration, Powerful Protection

🚀 Why It Matters for Game Developers

💡 Ready to Fortify Your Game?

ApkSignatureKiller: How It Works and How Talsec Protects Your Apps

Introduction

How does the Android signature verification work?

1. Signing

2. Verification

Vulnerabilities related to Android Signatures

The ApkSignatureKiller

Working of ApkSignatureKiller

Why is it so crucial ?

How to prevent tampering attacks with Talsec RASP+? [2 Months Free Trial!]

AI Device Risk Summary Demo | Threat Protection | Risk Scoring | Malware Detection | Android & iOS

Revolutionizing Mobile Security: AI-Powered Device Risk Summary

The Scenario

Step 1: The Initial Purchase Attempt

Step 2: Intelligent Security Check and Risk Assessment

Step 3: AI-Powered Risk Summary and Crystal-Clear Guidance

Step 4: From Threat to Trust

Step 5: A Secure Second Attempt and a Successful Transaction

From Friction to Empowerment

Podcast: iOS Keychain vs Android Keystore

Obfuscation of Mobile Apps

Understanding the Fundamentals of Obfuscation

Deconstructing Obfuscation: Three Key Types

A) Name Obfuscation for Classes, Methods, and Fields

B) String Obfuscation

C) Control-Flow Obfuscation

Talsec's Perspective: A Pragmatic Approach to Obfuscation

Our Stance on Obfuscation Types

The Challenges of Control-Flow Obfuscation

Our Recommendation for Algorithm Protection

Talsec's Commitment to Comprehensive Security

Conclusion

Simple Root Detection: Implementation and verification

Introduction

Rooting: What It Is And How It Affects Mobile Security

Shut the Mouse Hole: Stop Attackers with Root Detection

Common Root Detection Techniques

File-based detection

Process-based detection

Package-based detection

System property-based detection

Static Analysis for Root Traces

Dynamic Detection of Root Access

A Hands-On Demo

Conclusion

Hook, Hack, Defend: Frida’s Impact on Mobile Security & How to Fight Back

Introduction

What is Frida?

Using Frida

The power of Frida

Bypassing Root checks

Bypassing emulator checks

Bypassing SSL pinning:

Developments in Frida

Frida CodeShare

Tools based on Frida

Runtime Mobile Security tool

Medusa

Objection

freeRASP Protection

Frida detection with freeRASP

Conclusion

Exclusive Research: Unlocking Reliable Crash Tracking with PLCrashReporter for iOS SDKs

Elevating SDK Stability with Advanced Crash Reporting

Why Crash Tracking Matters

Evaluating the Market: 3rd-Party Crash-Tracking Solutions

The Power of PLCrashReporter

Seamless Integration & Compatibility Insights

Next Steps & Optimization