Open
Labels: enhancement (New feature or request)
Description
Describe the bug
We have released and configured security with freeRASP. But our pentester team found that, in the following scenario, it is not working as expected to catch jailbreak, Frida and the app integrity check.
To Reproduce
From Mobile App Side
- Create an App Protection Service like the following:

```dart
import 'dart:io';

import 'package:flutter/foundation.dart';
import 'package:freerasp/freerasp.dart';

class InAppProtectionService {
  InAppProtectionService();

  Future<void> init() async {
    final config = TalsecConfig(
      // For Android
      isProd: kReleaseMode,
      androidConfig: AndroidConfig(
        packageName: 'az.azerconnect.inside',
        signingCertHashes: [
          'base64 from sha256 from Google Play Console',
        ],
      ),
      // For iOS
      iosConfig: IOSConfig(
        bundleIds: ['az.azerconnect.inside'],
        teamId: 'Team ID from App Store Connect',
      ),
      // Common email for Alerts and Reports
      watcherMail: 'any email',
    );

    final callback = ThreatCallback(
      onAppIntegrity: () => exit(0),
      onDebug: () => exit(0),
      onPrivilegedAccess: () => exit(0),
      onSimulator: () => exit(0),
      onUnofficialStore: () => exit(0),
      onHooks: () => exit(0),
    );

    Talsec.instance.attachListener(callback);
    await Talsec.instance.start(config);
  }
}
```
- Start it in the main.dart file:

```dart
import 'dart:async';

import 'package:firebase_core/firebase_core.dart';
import 'package:firebase_crashlytics/firebase_crashlytics.dart';
import 'package:flutter/widgets.dart';

import 'firebase_options.dart'; // generated file that defines DefaultFirebaseOptions
// plus the import of InAppProtectionService from its own file

void main() {
  runZonedGuarded<Future<void>>(
    () async {
      WidgetsFlutterBinding.ensureInitialized();
      final appProtectionService = InAppProtectionService();
      await appProtectionService.init();
      // Initializes Firebase for the application
      await Firebase.initializeApp(
        options: DefaultFirebaseOptions.currentPlatform,
      );
      // AppStartupWrapper, environment and overrides are the app's own code
      await AppStartupWrapper.initialize(environment, overrides);
    },
    (error, stack) async {
      return FirebaseCrashlytics.instance.recordError(
        error,
        stack,
        fatal: true,
      );
    },
  );
}
```

- build.gradle file, if it is of interest:
- Build the app for Android with the following command:

```shell
flutter build apk --obfuscate --split-debug-info=obfuscate/symbols --build-name=1.14.1 --build-number=60
```
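The `signingCertHashes` entry in the config above is still a placeholder string. freeRASP expects each entry to be the base64 encoding of the SHA-256 hash of the APK signing certificate (the fingerprint that Play Console or keytool print as colon-separated hex). The following helper, added here and not part of freeRASP or the reporter's app, converts that fingerprint to the expected form and flags entries that do not decode to a 32-byte hash; the demo fingerprint is constructed, not a real certificate hash.

```python
"""Added sanity check for freeRASP's AndroidConfig.signingCertHashes (not freeRASP code).

freeRASP expects each entry to be the base64 encoding of the SHA-256 hash of the
APK signing certificate, i.e. the fingerprint that Play Console / keytool show as
colon-separated hex. A left-over placeholder string is not a usable entry.
"""
import base64
import binascii
import hashlib
import re
from typing import List

# 32 hex byte pairs separated by colons, e.g. "A1:B2:...:FF".
_FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){31}$")


def fingerprint_to_signing_cert_hash(fingerprint: str) -> str:
    """Convert a colon-separated SHA-256 fingerprint to the base64 form freeRASP wants."""
    fp = fingerprint.strip()
    if not _FINGERPRINT_RE.match(fp):
        raise ValueError("expected a 32-byte colon-separated SHA-256 fingerprint")
    raw = bytes.fromhex(fp.replace(":", ""))
    return base64.b64encode(raw).decode("ascii")


def signing_cert_hash_from_der(cert_der: bytes) -> str:
    """Compute the same value directly from the signing certificate's DER bytes."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def is_valid_signing_cert_hash(value: str) -> bool:
    """True only if the entry is strict base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == hashlib.sha256().digest_size


def check_signing_cert_hashes(entries: List[str]) -> List[str]:
    """Return the entries freeRASP could not use, e.g. placeholders left in the config."""
    return [entry for entry in entries if not is_valid_signing_cert_hash(entry)]


if __name__ == "__main__":
    # Constructed fingerprint (bytes 0x00..0x1f); not a real certificate hash.
    demo_fp = ":".join(f"{b:02X}" for b in range(32))
    print(fingerprint_to_signing_cert_hash(demo_fp))
    # The placeholder from the issue's config snippet is rejected.
    print(check_signing_cert_hashes(["base64 from sha256 from Google Play Console"]))
```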
From Pentest Side
- Download the app from Play Store (1.14.1)
https://play.google.com/store/apps/details?id=az.azerconnect.inside
- Use the “reflutter” tool to modify the APK. In order to monitor the app traffic, select the first option and enter your Burp Suite IP.

```shell
reflutter app.apk
```
- Sign the modified APK with the “uber-apk-signer” tool.

```shell
java -jar uber-apk-signer-1.2.1.jar --apks inside_modified.apk
```
- Install the signed APK on the device.

```shell
adb install inside_modified-aligned-debugSigned.apk
```
- When the app is launched, it will crash instantly. To prevent that, use the following Frida script.

```javascript
Java.perform(function () {
  let C7508g = Java.use("s1.g");
  C7508g["$init"].implementation = function (z, z2, z3) {
    console.log(`C7508g.$init is called: z=${z}, z2=${z2}, z3=${z3}`);
    this["$init"](true, false, false);
  };
});
```

- Run the app using the Frida script.
- The app will be launched successfully. Tap the “Skip” button.
- Enter an email and a password.
- The login request will be captured successfully.
Expected behavior
After all these processes, it should detect whether the app:
- runs on a simulator, emulator or rooted device
- is hooked with Frida
- is installed from the Play Store or not (integrity check)
Please complete the following information:
- OS version: Android 11
- Version of freeRASP: 6.4.0
**Tools Used:**
- Reflutter 0.7.7
- Frida 15.2.2
- Uber APK Signer 1.2.1
- Burp Suite v2023.12.1.5
- Genymotion 3.6.0
NijatTagizada