
FlutterFlow Integration

Jaroslav Novotný edited this page Jul 25, 2023 · 8 revisions

This page provides all the information you need to integrate freeRASP into a FlutterFlow project. Please read it carefully. If you have a question, don't hesitate to open an issue.

Implementing freeRASP

In this section, you will implement the imported freeRASP action.

  1. Navigate to the UI Builder.
  2. On the right panel, click on Actions.
  3. In the Action Flow Editor box, click Open.
  4. In the newly opened window, click on On Page Load at the top.
  5. Click Add Action (or + and then Add Action, if you already have an action).
  6. On the left panel, search for the runRASP action.
  7. Select the runRASP action.

ℹ️ In the Set Function Arguments section, you will find the configuration and several "onX" arguments. We will discuss these in the upcoming subsections.

  8. Once you have provided the necessary configuration and callbacks, you can close the Action Flow Editor.

Providing configuration

The freeRASP action requires several arguments to be filled in before it can run. Some of them are specific to one platform.

💡 If you are developing the application exclusively for one platform, you can omit the configuration part related to the other platform.

If you don't want to provide configuration for the other platform, pass an empty string:

  1. Click the orange button next to the Value label.
  2. Scroll down to Constants.
  3. Click Constant to expand the dropdown menu.
  4. Select Empty String.

watcherMail

watcherMail is the email address that receives the security reports. Make sure the value is a single, well-formed email address (local-part@domain).

isProd

isProd is a boolean flag that selects the freeRASP mode: false for the dev version, true for the release version (see Dev vs Release version below).

[Android] packageName

packageName is a unique identifier for your Android application.

You can find packageName value for your application in FlutterFlow settings:

  1. Navigate to Settings and Integrations.
  2. Locate and select App Details.
  3. In the textbox labeled Package Name, you will find the package name associated with your application.

❗️ Do NOT use solutions such as package_info_plus to provide the package name! The value has to be hardcoded: freeRASP compares it against the identity of the running app, so a value read from the app itself at runtime would always match, even in a repackaged copy, and the check would detect nothing.

[Android] signingCertHash

signingCertHash is the SHA-256 hash of the certificate that was used to sign the application.

⚠️ The hash must be supplied in Base64 form, not as the colon-separated hex fingerprint that keytool prints. ⚠️

More about signing hash and how to obtain it: GitHub Wiki Page | Getting Signing Certificate Hash.
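As an added example (not part of the freeRASP project or this wiki), the following POSIX shell function converts the colon-separated SHA-256 fingerprint that keytool or apksigner prints into the Base64 string that signingCertHash expects, validating the length and character set on the way. The fingerprint used in the demo is a constructed sample (the SHA-256 of empty input), not a real signing certificate.

```shell
#!/bin/sh
# Added example, not freeRASP's own code. Converts a SHA-256 certificate
# fingerprint (64 hex digits, optionally colon separated, as printed by
#   keytool -printcert -jarfile app-release.apk
#   apksigner verify --print-certs app-release.apk
# ) into the Base64 form freeRASP expects for signingCertHash.
set -eu

fingerprint_to_b64() {
  # Drop colons/whitespace and normalise case.
  hex=$(printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f')
  case "$hex" in
    *[!0-9a-f]*) echo "fingerprint contains non-hex characters" >&2; return 1 ;;
  esac
  if [ "${#hex}" -ne 64 ]; then
    echo "expected a 32-byte SHA-256 fingerprint, got ${#hex} hex digits" >&2
    return 1
  fi
  # Rebuild the raw bytes as octal printf escapes so neither xxd nor openssl
  # is required; base64 then encodes the 32 raw bytes (44 characters).
  escapes=""
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}
    hex=${hex#??}
    escapes="$escapes$(printf '\\%03o' "$((0x$pair))")"
  done
  printf "$escapes" | base64 | tr -d '\n'
}

# Constructed sample fingerprint (SHA-256 of empty input), not a real cert.
SAMPLE_FINGERPRINT="E3:B0:C4:42:98:FC:1C:14:9A:FB:F4:C8:99:6F:B9:24:27:AE:41:E4:64:9B:93:4C:A4:95:99:1B:78:52:B8:55"
echo "signingCertHash = $(fingerprint_to_b64 "$SAMPLE_FINGERPRINT")"
```

Paste the printed value into the signingCertHash argument. If the app is signed by Google Play App Signing, hash the certificate Play uses to sign the delivered APK, not the upload key.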

[Android] supportedStore (optional)

supportedStore is the package name of a third-party app store through which your application is distributed. freeRASP then treats installations from that store as coming from a trusted source instead of reporting them via onUnofficialStore.

To add a store, enter its package name as the value.

💡 Google Play store and Huawei AppGallery are supported out of the box. You don't need to add them.

[iOS] bundleId

bundleId is a unique identifier for your iOS application.

More about bundle ID and how to obtain one: FlutterFlow Documentation | App Deployment

[iOS] teamId

teamId is a unique identifier assigned to a development team enrolled in the Apple Developer Program.

You can find your teamId on Apple Developer portal:

  1. Go to the website: https://developer.apple.com/account.
  2. Log in using the account that is used to sign and release your app.
  3. Scroll down to the Membership details section.
  4. Look for the line labeled "Team ID" - the value of your teamId will be displayed there.

Providing callbacks

The freeRASP action offers multiple callbacks. A callback is an Action that gets triggered when a threat is detected.

To implement a callback:

  1. Open the Action Flow Editor with the runRASP action.
  2. Open one of the dropdown menus labeled "onX" on the right panel (X stands for the threat type, for example onAppIntegrity).
  3. In the Action Flow Editor box, click on Open.
  4. Implement your reaction.

Dev vs Release version

The Dev version of freeRASP is used during the development phase. It keeps development and production data separate and disables checks that do not apply while developing (an emulator, an attached debugger, a debug signing key or a sideloaded build are all expected there). These checks include:

  • Emulator usage (onSimulator)
  • Debugging (onDebug)
  • Signing (onAppIntegrity)
  • Unofficial store (onUnofficialStore)

Make sure isProd is set to true for the build you release; with isProd left at false, these four checks stay disabled in the shipped app.

Security Report

The Security Report is a weekly summary describing the application's security state and characteristics of the devices it runs on in a practical and easy-to-understand way.

The report provides a quick overview of the security incidents, their dynamics, app integrity, and reverse engineering attempts. It contains info about the security of devices, such as OS version or the ratio of devices with screen locks and biometrics. Each visualization also comes with a concise explanation.

(Image: example of a security report)

Limitations

Limited configuration

freeRASP for Flutter allows you to define multiple values for:

  • Signing certificate hash
  • Supported app store
  • Bundle ID

Due to FlutterFlow's limitations, the current implementation of freeRASP for FlutterFlow only allows you to specify a single value for each of these attributes.

Mobile support only

Currently, freeRASP supports only Android and iOS. When running the application in the FlutterFlow web client, freeRASP won't start.

[Android] Minimal SDK level

The minimum required Android SDK level for freeRASP is 23. FlutterFlow applications have a minimum SDK level of 21 by default.

This creates some restrictions:

  • Deploying the application from the FlutterFlow web client is not possible.
  • Downloading the APK from the FlutterFlow web client is not supported.

To overcome these limitations, we recommend following these steps:

  1. Download the code.
  2. Manually raise minSdkVersion in the app-level build.gradle (android/app/build.gradle) to 23.
  3. Deploy application using Google Play Console.

For instructions on how to raise the minimal SDK level, refer to the freeRASP README.md | Android Setup
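As an added example (not the freeRASP project's or FlutterFlow's own tooling), the shell script below performs step 2 on an exported project: it bumps a literal minSdkVersion in the app-level build.gradle to 23 when it is lower, leaves it alone when it is already high enough, and refuses to guess when the value is a Gradle variable rather than a number. The build.gradle it runs against is a constructed sample written to a temporary directory; in a real export point it at android/app/build.gradle.

```shell
#!/bin/sh
# Added example, not part of freeRASP or FlutterFlow. Raises the literal
# minSdk / minSdkVersion in an app-level build.gradle to a required level.
set -eu

# Prints the minSdk value in effect after the edit.
# Returns 1 if the file has no minSdk line, 2 if the value is not a literal.
raise_min_sdk() {
  gradle_file=$1
  required=$2
  # First literal value found (handles "minSdkVersion 21" and "minSdk 21").
  current=$(sed -n 's/^[[:space:]]*minSdk\(Version\)\{0,1\}[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\2/p' "$gradle_file" | head -n 1)
  if [ -z "$current" ]; then
    if grep -q '^[[:space:]]*minSdk\(Version\)\{0,1\}[[:space:]]' "$gradle_file"; then
      echo "minSdk is set through a variable (e.g. flutter.minSdkVersion); edit it by hand" >&2
      return 2
    fi
    echo "no minSdk line found in $gradle_file" >&2
    return 1
  fi
  if [ "$current" -lt "$required" ]; then
    # Rewrite every literal minSdk line (flavors included) to the new level.
    sed "s/^\([[:space:]]*minSdk\(Version\)\{0,1\}[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$required/" "$gradle_file" > "$gradle_file.tmp"
    mv "$gradle_file.tmp" "$gradle_file"
    current=$required
  fi
  echo "$current"
}

# Constructed sample build.gradle mirroring the FlutterFlow default of 21.
make_sample_gradle() {
  dir=$(mktemp -d)
  cat > "$dir/build.gradle" <<'EOF'
android {
    compileSdkVersion 33

    defaultConfig {
        applicationId "com.example.flutterflowapp"
        minSdkVersion 21
        targetSdkVersion 33
    }
}
EOF
  echo "$dir/build.gradle"
}

sample=$(make_sample_gradle)
echo "minSdkVersion after edit: $(raise_min_sdk "$sample" 23)"
```

Run it once after each code export, since FlutterFlow regenerates build.gradle and resets the level to its default.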
