🐦Flutter

Example: https://github.com/talsec/Free-RASP-Flutter/tree/master/example

📝 Prerequisites

The freeRASP has the following prerequisites that must be met before starting:

Minimum SDK level: 23 or higher
Gradle version: 8.12.1 or higher
Compile SDK version: 35
Kotlin version: 2.1.0

Did you know Talsec is a big fan of Flutter? 🥳 Check out the great Flutter-first security articles we've prepared together with the community!

Android

Some versions of Flutter projects, by default, support lower levels of minimum SDK or Gradle version.

Update minimum SDK and compile SDK level :

From the root of your project, go to android > app > build.gradle
In defaultConfig, update minSdkVersion property to at least 23 (Android 6.0) or higher.

android/app/build.gradle

android {
    compileSdk 35
    // ... some other declarations ...
    defaultConfig {
        minSdkVersion 23
        // ... some other declarations ...
    }
}

Update Gradle and Kotlin version:

From the root of your project, go to android > settings.gradle
In plugins
- Update version of com.android.application plugin to 8.8.1
- Update version of org.jetbrains.kotlin.android plugin to 2.1.0

android/settings.gradle

plugins {
    id "dev.flutter.flutter-plugin-loader" version "1.0.0"
    id "com.android.application" version "8.8.1" apply false
    id "org.jetbrains.kotlin.android" version "2.1.0" apply false
}

In older projects using imperative approach, the paths may be different:

From the root of your project, go to android > build.gradle
In dependencies , update version of com.android.tools.build:gradle dependecy to 8.8.1

android/build.gradle

dependencies {
    classpath 'com.android.tools.build:gradle:8.8.1'    
    classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
}

Then you also need to update gradle wrapper:

From the root of your project, go to android > gradle> wrapper > gradle-wrapper.properties
In distributionUrl update version to 8.12.1

android/gradle/wrapper/gradle-wrapper.properties

distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-all.zip

Add permissions for checks

Some checks require additional permissions in order to work properly. If your app already has these permissions, you don't need to add them again.

Screenshot and Screen Recording Detection

To detect screenshots and screen recordings , add the following permissions to your AndroidManifest.xml file inside the <manifest> root tag:

<uses-permission android:name="android.permission.DETECT_SCREEN_CAPTURE" />
<uses-permission android:name="android.permission.DETECT_SCREEN_RECORDING" />

Screenshot Detection is supported on Android 14 (API level 34) and higher. Screen Recording Detection is supported on Android 15 (API level 35) and higher.

Location Spoofing Detection

To detect location spoofing, add the following permissions to your AndroidManifest.xml file inside the <manifest> root tag:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

Unsecure WiFi Detection

To detect unsecure WiFi, add the following permissions to your AndroidManifest.xml file inside the <manifest> root tag:

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />

Some permissions also require runtime request.

Utilize active protection

To utilize active protection, you can use

await Talsec.instance.blockScreenCapture(enabled: true)

To check whether the screen capture is blocked, you can use:

await Talsec.instance.isScreenCaptureBlocked()

For more details about all these screen capture methods, see Screen Capture.

iOS

Xcode 15 is required to be able to build the application

📦 Install the plugin

Run the following command inside the project directory to add the freeRASP dependency:

flutter pub add freerasp

⚙️ Setup the Configuration for your App

To ensure freeRASP functions correctly, you need to provide the necessary configuration and initialize it. All required values must be filled in for the plugin to operate properly. Detailed descriptions of the configuration options are provided on the API page.

For Android apps, you must get your expected signing certificate hashes in Base64 form. You can go through this manual to learn how to sign your app in more detail, including manual signing and using Google's Play app signing.

In the entry point to your app, import freeRASP and add the following code:

main.dart

import 'package:freerasp/freerasp.dart';

void main() {

  // This line is important!
  WidgetsFlutterBinding.ensureInitialized();

  // create a configuration for freeRASP
  final config = TalsecConfig(
    /// For Android
    androidConfig: AndroidConfig(
      packageName: 'your.package.name',
      signingCertHashes: [
        'mVr/qQLO8DKTwqlL+B1qigl9NoBnbiUs8b4c2Ewcz0k='
      ], // Replace with your release (!) signing certificate hash(es)
      supportedStores: ['com.sec.android.app.samsungapps'],
    ),

    /// For iOS
    iosConfig: IOSConfig(
      bundleIds: ['YOUR_APP_BUNDLE_ID'],
      teamId: 'M8AK35...',
    ),
    watcherMail: '[email protected]', // for Security Reports, Talsec Portal, Updates
    isProd: true,
    killOnBypass: true,
  );
}

It is necessary that Flutter Bindings are initialized. This can be satisfied by calling WidgetsFlutterBinding.ensureInitialized(), as shown in the code snippet above.

isProd is a boolean flag that determines whether the freeRASP integration is in the Dev or Release version. If you want to learn more about isProd, visit this wiki section.

killOnBypass is a boolean flag that enables the freeRASP in-SDK reaction to kill the application if it detects any unwanted manipulation with the callback mechanisms. If you want to learn more about killOnBypass, visit this wiki section.

By providing your watcherMail, you consent to receive security reports, product updates, and other essential communications from Talsec. Learn more about the role of watcherMail.

👷 Handle detected threats

freeRASP executes periodical checks when the application is running. You can handle the detected threats using listeners. For example, you can log the event, show a window to the user or kill the application. See the Threat detection in the wiki to learn more details about the performed checks and their importance for app security.

freeRASP reacts to threats using ThreatCallback. Internally, each threat has its own callback (of VoidCallback type), which is called when a threat is detected.

main.dart

import 'package:freerasp/freerasp.dart';

void main() {

  // Setting up callbacks
  final callback = ThreatCallback(
      : () => print("App integrity"),
      : () => print("Obfuscation issues"),
      : () => print("Debugging"),
      : () => print("Device binding"),
      : () => print("Device ID"),
      : () => print("Hooks"),
      : () => print("Passcode not set"),
      : () => print("Privileged access"),
      : () => print("Secure hardware not available"),
      : () => print("Simulator"),
      : () => print("System VPN"),
      : () => print("Developer mode"),
      : () => print("USB debugging enabled"),
      : () => print("Unofficial store"),
      : () => print("Screenshot"),
      : () => print("Screen recording"),
      : () => print("Multi instance"),
      : () => print("Unsecure wifi"),
      : () => print("Location spoofing"),
      : () => print("Time spoofing"),
      onMalware: (suspiciousApps) => print("Suspicous apps")
  );

  // Attaching listener
  Talsec.instance.attachListener(callback);
}

Optionally, you can implement RaspExecutionStateCallback to listen whether initial checks were done or not:

import 'package:freerasp/freerasp.dart';

void main() {
  // Some other code...
  
  final raspExecutionStateCallback = RaspExecutionStateCallback(
      onAllChecksDone: () => print("All checks done")

  // Attaching listener
  Talsec.instance.attachExecutionStateListener(callback);
}

🛡️ Start freeRASP

Start freeRASP to detect threats just by adding this line below the created config and the callback handler:

void main() async {

  // start freeRASP
  await Talsec.instance.start(config);
}

For the version you’re integrating, you can find the specific dSYMs for debugging in Releases.

🌁 Enable source code obfuscation

In order to provide as much protection as possible, freeRASP enhances security measures by implementing ProGuard consumer rules, which obfuscate specific sections of the SDK. However, these rules are applied to your Android app code as well due to inheritance.

In certain cases, you may prefer to exclude this rule.

To remove the rule, you need to find freerasp in your cache folder. More about where to find the cache folder here. Then navigate to the freerasp-X.Y.Z/android/build.gradle file and delete the line:

consumerProguardFiles 'consumer-rules.pro'

Read more about why obfuscation is important in the wiki.

☢️ (Optionally) Integrate freeMalwareDetection

freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious or suspicious applications (e.g. Android malware) based on various blacklists and security policies.

It helps to detect apps with suspicious package names, hashes, or potentially dangerous permissions.

Visit the freeMalwareDetection repository to learn more about this feature! For the integration, refer to the integration guide for the Flutter platform.

🖥️ Check Talsec Portal

Check out Data Visualisation Portal and register using your watcherMail to see your data. If you integrated the SDK successfully, the application will be present after a few hours. The visualisations will be active later due to the bucketing mechanism.

You have to use the same email for the Portal as you used for the watcherMail parameter.

Last updated 11 days ago