Free-RASP-Flutter Security Delay Issue

[jostney]

We have successfully set up the Free-RASP-Flutter library. In our testing, we observed that the onDebug callback is being triggered, which is expected behavior. However, we are facing an issue where this callback is not triggered immediately after the execution of await Talsec.instance.start(talsecConfig);. Instead, it takes almost 1 minute for this callback to be triggered. This 1-minute delay is concerning because it means that malicious users could potentially exploit this window of time to engage in unauthorized activities.

void main() async {
  WidgetsBinding widgetsBinding = WidgetsFlutterBinding.ensureInitialized();
  FlutterNativeSplash.preserve(widgetsBinding: widgetsBinding);
  SystemChrome.setSystemUIOverlayStyle(SystemUiOverlayStyle.dark);

  Talsec.instance.attachListener(talsecCallback);
  await Talsec.instance.start(talsecConfig);
  
  ...
  Other things
  ...
  runApp(OurApp());
}

And configurations

var talseciOS = IOSConfig(bundleIds: ["..."], teamId: '...');
var talsecAndroid = AndroidConfig(packageName: '...', signingCertHashes: ['...']);
var talsecConfig = TalsecConfig(watcherMail: '...', androidConfig: talsecAndroid, iosConfig: talseciOS, isProd: true);
final talsecCallback = ThreatCallback(
  onAppIntegrity: () => router.push(RoutePaths.securityThreat, extra: 'onAppIntegrity'),
  onDebug: () => router.push(RoutePaths.securityThreat, extra: 'onDebug'),
  onSimulator: () => router.push(RoutePaths.securityThreat, extra: 'onSimulator'),
  onUnofficialStore: () => router.push(RoutePaths.securityThreat, extra: 'onUnofficialStore'),
  onPrivilegedAccess: () => router.push(RoutePaths.securityThreat, extra: 'onPrivilegedAccess'),
  onHooks: () => router.push(RoutePaths.securityThreat, extra: 'onHooks'),
  onObfuscationIssues: () => {},
  onDeviceBinding: () {},
  onDeviceID: () => {},
  onPasscode: () => {},
  onSecureHardwareNotAvailable: () => {},
);

[xprikryl2]

Hi @jostney,

This behavior is caused by the priorities of check groups in the freeRASP. The checks are being executed one by one in the background threat, so the debug check group waits for the check groups with higher priority to finish. We'll look at this issue and try to optimize the priorities of critical check groups (like debug) by the next release.

Best regards,
Talsec team

[yustanj]

Hi is there any updates on this, I think it can be critical when attacker have about 5 seconds to hooks. In my case the attacker hook the cipher class so all the credential that has been encrypted can be showed if I access it before runApp.

[SirionRazzer]

Hi @yustanj,

We have prepared a fix that significantly speeds up the execution of checks. It should be included in the next freeRASP release.

Also, I would like to learn more about the attack you experienced. If you would like to share more information privately, please feel free to PM me at tsoukal@talsec.app.

Best Regards,
Tomas

[ribuemsyne]

@SirionRazzer can you confirm the version number for this fix?

[msikyna]

Hello @ribuemsyne ,
it will be included in the next published freeRASP version.

Kind regards,
Talsec team

[talsec-app]

The issue is fixed in freeRASP released in January 2024:

Flutter: https://github.com/talsec/Free-RASP-Flutter/tree/v6.4.0
Cordova: https://github.com/talsec/Free-RASP-Cordova/tree/v6.0.0
Capacitor: https://github.com/talsec/Free-RASP-Capacitor/tree/v1.2.0
React Native: https://github.com/talsec/Free-RASP-ReactNative/tree/v3.6.0
Android: https://github.com/talsec/Free-RASP-Android/tree/v9.0.0

[ribuemsyne]

ok noted

…

On Wed, Jan 17, 2024 at 1:46 PM Talsec ***@***.***> wrote: The issue is fixed in freeRASP released in January 2024: *Flutter*: https://github.com/talsec/Free-RASP-Flutter/tree/v6.4.0 *Cordova*: https://github.com/talsec/Free-RASP-Cordova/tree/v6.0.0 *Capacitor*: https://github.com/talsec/Free-RASP-Capacitor/tree/v1.2.0 *React Native*: https://github.com/talsec/Free-RASP-ReactNative/tree/v3.6.0 *Android*: https://github.com/talsec/Free-RASP-Android/tree/v9.0.0 — Reply to this email directly, view it on GitHub <#90 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDG5PQCWOOCTYS4ZCQOL6G3YO6CFXAVCNFSM6AAAAAA5TODPVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJVGMYDGMJUGU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Thanks and Regards, Ribu Royson A, Sr. Software Engineer Emsyne – Muthoot Systems & Technologies Pvt Ltd Lulu Cyber Tower 2 , 11th Floor, Infopark , Kochi www.emsyne.com - +91 9995728766 || 8848605150

-- This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies and the original message. Any unauthorized review, use, disclosure,dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. The recipient acknowledges that Muthoot Finance Ltd or its subsidiaries and associated companies(collectively "The Muthoot Group"),are unable to exercise control or ensure or guarantee the integrity of/over the contents of the information contained in e-mail transmissions and further acknowledges that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of Muthoot Finance Ltd. Before opening any attachments please check them for viruses and defects.Virus Warning: Although the company has taken reasonable precautions to ensure no viruses are present in this email. The company cannot accept responsibility for any loss or damage arising from the use of this email or attachment. 

[SirionRazzer]

Referenced on this Wiki page:

https://github.com/talsec/Free-RASP-Community/wiki/Callback-Delay,-Telemetry-Impact,-and-Threat-Scanning-Completion-Status