flutter_security
A Flutter package that aims to take care of the security side of your mobile app.
hasBundleBeenCompromised
This feature is available only on iOS.
The main concept here is to check the MD5 of the files inside the Frameworks folder (in the main bundle root) against a precompiled JSON file.
This JSON file is generated with this script.
My suggestion is to use the script's encryption feature, which uses AES in CBC mode, to protect the JSON file.
Workflow
This is what I do:
1. Build the app in order to have all the files needed.
2. Copy the script inside the .app file just built. This way it can generate a file with relative paths.
3. Launch the script with all the parameters needed (e.g. ./msh-darwin-amd64 generate-map --files Frameworks --key some_random_key_phrase).
4. Check that encrypted.json has been generated inside the .app.
5. Use the package as needed, e.g.:
    final result = await FlutterSecurity.hasBundleBeenCompromised(
      iosSecurityOptions: IosSecurityOptions(
        bundleId: 'com.example.flutterSecurityExample',
        jsonFileName: 'encrypted.json',
        cryptographicKey: 'k4rAN45oL8LxH21wX2nRTDB5o1uYnnrB',
      ),
    );
Then you can use 'result' as you wish (maybe make the app crash in order to stop attacks in progress).
amITampered
This feature is a mashup of IOSSecuritySuite
and some helpful Stack Overflow posts (which I lost the links to) for the Android implementation.
The anti-tamper feature checks that the signature used in the app matches the one you pass to the package as the source of truth.
Android
To be able to check for tampering on Android you need to provide the SHA-1 of your app's keystore. If you are in debug mode and you didn't make a keystore, a SHA is assigned to your app. Please check your app-level build.gradle.
iOS
Checking for tampering on iOS takes a little more work. As mentioned here, you need to provide your bundleId and the hashed value of the mobile.provision (a file contained in the built .ipa file):
1. Unzip the .ipa.
2. Go into the payload folder, right click on the app, and click on Show Package Contents.
3. You should see the Unix executable with the app name (for example, "test" is the name in this case).
4. Open a terminal and:
   - run otool -l /path/to/unix/executable
   - look for the values of offset and size under segname __TEXT
   - save those two values somewhere
   - run dd if=test.ipa ibs=1 skip=<offset> count=<size> | shasum -a 256
   - save the SHA256 and use it in your code
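The otool, dd and shasum steps above can be reproduced in one pass, which avoids copying the offset and size by hand. This Python example is added here and is not code from flutter_security or IOSSecuritySuite. It assumes a thin 64-bit little-endian Mach-O file and that the offset and size meant are those of the __text section in segment __TEXT; find_section, section_sha256 and build_sample are hypothetical names, and the sample binary is constructed.

```python
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19

def find_section(data, segname=b"__TEXT", sectname=b"__text"):
    """Return (offset, size) of a section, the fields `otool -l` prints."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        # Fat (universal) and 32-bit files need slice handling not done here.
        raise ValueError(f"not a thin 64-bit Mach-O (magic {magic:#x})")
    pos = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_SEGMENT_64 and data[pos + 8:pos + 24].rstrip(b"\0") == segname:
            nsects = struct.unpack_from("<I", data, pos + 64)[0]
            for i in range(nsects):
                s = pos + 72 + i * 80  # section_64 records follow the command
                size, offset = struct.unpack_from("<QI", data, s + 40)
                if data[s:s + 16].rstrip(b"\0") == sectname:
                    return offset, size
        pos += cmdsize
    raise ValueError("section not found")

def section_sha256(data):
    """Equivalent of `dd ... skip=<offset> count=<size> | shasum -a 256`."""
    offset, size = find_section(data)
    chunk = data[offset:offset + size]
    if len(chunk) != size:
        raise ValueError("section extends past end of file")
    return hashlib.sha256(chunk).hexdigest()

def build_sample(code):
    """Constructed minimal Mach-O: one __TEXT segment, one __text section."""
    off = 32 + 72 + 80
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 152, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 152, b"__TEXT",
                      0, 0, 0, off + len(code), 7, 5, 1, 0)
    sect = struct.pack("<16s16sQQ8I", b"__text", b"__TEXT", 0, len(code), off,
                       0, 0, 0, 0, 0, 0, 0)
    return hdr + seg + sect + code

if __name__ == "__main__":
    sample = build_sample(b"\x1f\x20\x03\xd5" * 4)  # constructed bytes
    print(find_section(sample), section_sha256(sample))
```

On a real build, pass the bytes of the file the offsets were read from; a universal (fat) binary is rejected because its per-slice offsets do not apply to the whole file.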
For personal and professional use. You cannot resell or redistribute these repositories in their original state.