-
Notifications
You must be signed in to change notification settings - Fork 18
Threat detection
FreeRASP performs several security checks to detect potential threats to the application during its runtime. Each covers a particular attack vector, and users can choose how to respond to the incidents on their own. Users can implement an application to kill itself, send a warning, fetch the incident's details, or ignore it entirely.
To help choose an appropriate response, we briefly explain the available checks. Please note that proper response depends heavily on application security requirements and use cases.
//Root detection on Android
override fun onRootDetected() {
TODO("Not yet implemented")
}
//iOS jailbreaking detection
case jailbreak
//Flutter root and jailbreak detection
onRootDetected: () => print('root') //Android
onJailbreakDetected: () => print('Jailbreak detected') //iOSRooting/jailbreaking is a technique of acquiring privileged control over the operating system of an Android/iOS device. While most users root their devices to overcome the limitations put on the devices by the manufacturers, it also enables those with malicious intent to abuse privileged access and steal sensitive information. Various OS checks are performed to detect a rooted device.
Recommended action: get a warning about rooted device
//Android emulator check
override fun onEmulatorDetected() {
TODO("Not yet implemented")
}
//iOS simulator detection
case simulator
//Flutter checks
onEmulatorDetected: () => print('emulator') //Android
onSimulatorDetected: () => print('simulator') //iOSAttackers may be able to extract an application and run it on an emulator to analyze its execution or to hook it. This method checks the running environment to provide real-time detection of emulators and makes tracing program execution much harder.
Recommended action: get info about the device and kill the application
//Android hook check
override fun onHookDetected() {
TODO("Not yet implemented")
}
//iOS hook detection
case runtimeManipulation
//Flutter detections
onHookDetected: () => print('hook') //Android
onRuntimeManipulationDetected: () => print('Runtime manipulation detected') //iOSHooking is a collection of techniques aimed at modifying the behavior of applications by intercepting function calls, messages, or system events. While hooking has many valid uses, such as debugging, it is often used to insert malicious code and monitor program behavior. freeRASP looks for the well-known hooking frameworks to prevent any hooking attempts.
Recommended action: get info about the device and kill the application
//Android tampering
override fun onTamperDetected() {
TODO("Not yet implemented")
}
//iOS tampering
case signature
//Flutter tamper
onTamperDetected: () => print('tamper') //Android
onSignatureDetected: () => print('signature') //iOSApplications can be easily extracted, altered, and repackaged. We use different checks, including verifying the signing certificate to prevent attackers from removing licenses or protections and simply resigning it.
Recommended action: kill the application
//Android Keystore
override fun onHardwareBackedKeystoreNotAvailableDetected() {
TODO("Not yet implemented")
}
//iOS Secure Enclave
case missingSecureEnclave
//Flutter check
onMissingSecureEnclaveDetected: () => print('Missing secure enclave detected') //iOSThe Secure Enclave and the Android Keystore system make it very difficult to decrypt sensitive data without physical access to the device. In that order, these keys need to be stored securely. FreeRASP checks if the keys reside inside secure hardware.
//Android binding check
override fun onDeviceBindingDetected() {
TODO("Not yet implemented")
}
//iOS binding methods
case deviceChange
case deviceID
//Flutter detection
onDeviceBindingDetected: () => print('Device binding detected') //Android
onDeviceChangeDetected: () => print('Device change detected') //iOS
onDeviceIdDetected: () => print('Device ID detected') //iOSDevice binding is attaching an application instance to a particular mobile device. It's used for user authentication by confirming that a user owns a trusted device. This method detects a transfer of an application instance to another device.
Recommended action: get info about the device
//Android installation check
override fun onUntrustedInstallationSourceDetected() {
TODO("Not yet implemented")
}
//iOS installation check
case unofficialStore
//Flutter detection
onUntrustedInstallationDetected: () => print('Untrusted installation detected') //Android
onUnofficialStoreDetected: () => print('Unofficial store') //iOSUsers can share a copy of the application on unofficial stores or various pirate forums. While some users download these copies to avoid paying for the product, they can include unknown and possibly dangerous modifications. Verifying an official installation consequently protects both the users and the owner.
Recommended action: get info about the device and kill the application
//Android lock check
override fun onUnlockedDeviceDetected() {
TODO("Not yet implemented")
}
//iOS lock check
case passcode
case passcodeChange
//Flutter lock detection
onPasscodeDetected: () => print('Passcode detected') //iOSSaving any sensitive data on a device without a lock makes them more prone to theft. With no user authentification device can be accessed and modified with minimal effort. freeRASP checks if the device is secured with any type of lock.
Recommended action: get info about the unsecured device
//Android debugger detection
override fun onDebuggerDetected() {
TODO("Not yet implemented")
}
//iOS debugger detection
case debugger
//FLutter
onDebuggerDetected: () => print("Debugger detected") //both platformsWhile most developers use debuggers to trace the flow of their program during its execution same tool can be attached to an application in an attempt to reverse engineer, check memory values, and steal confidential information. This method looks for specific flags to determine whether the debugger is active and offers the option to disable it.
Recommended action: get device information and disable the debugger