freeRASP — In-App protection SDK and app security monitoring service

Talsec, published in Geek Culture, Aug 18, 2021 (4 min read)

TL;DR: freeRASP improves the security and ensures the safety of your app. Like Crashlytics but for threats. Flutter, Android and iOS are all supported.

The need for RASP

Unless you are a security expert or a developer dedicated to a security career, app protection is a challenging task. You might have heard of certificate pinning and data encryption (already solved by many libraries), but there is more beyond those. Year after year, attackers target application-level vulnerabilities that are out of your plain sight. And you are aware that a single breach can ruin your reputation for good.

The increased demand for in-app protection in mobile technologies has spurred the emergence of mobile RASP (Runtime Application Self-Protection) solutions, a concept previously known mainly from networking applications. The popular root-checking library RootBeer dates back to 2015, and other commercial-grade solutions are even older. There are many libraries for Android and iOS which offer various security checks. Sadly, none of them seemed to cover the majority of attack vectors. Moreover, there wasn’t one for Flutter. So we decided to change that. The idea of freeRASP was born.

Detect, protect and monitor

Initially, freeRASP contained only Talsec’s core library, which performs various checks to ensure the app is properly protected against various kinds of hacking. The library notifies your app if it detects anything nasty. Then you can decide what action should be taken. For example, you can kill the app if it is being tampered with. Similarly, you can decide to allow emulator usage if you expect users to run your app on the popular BlueStacks emulator. Once we finished this milestone, we were still not satisfied with the result. We realized that we could do more.

We decided to go one step further and equip freeRASP with regular security reports as well. You can detect anyone messing with your app and discover current threats to your app just by checking your inbox once a week, free of charge. Proper visualization helps you easily interpret detected threats and take action if necessary. Like Crashlytics but for security insights.

How does freeRASP protect your app?

freeRASP consists of these protection features:

  • Tamper protection
  • Repackaging/Cloning protection
  • Runtime analysis protection
  • Threat alerts & weekly security reports

These protections correspond to a subset of the ISO 25010 Quality and Risk Management characteristics, also known as the “CIA” principle:

  • Confidentiality: Prevent hacking. Runtime analysis protection helps mitigate some attack vectors.
  • Integrity: Prevent hooking and use of the app in unexpected ways.
  • Authenticity: The cloning protection. Protect users against using cloned apps.

A word about maturity and GDPR compliance

freeRASP didn’t come out of nowhere. In fact, it is a younger brother of an even more robust RASP solution we have been developing at Talsec. As a result, freeRASP shares many battle-tested features with its older brother. In the end, the maturity of Talsec’s commercial solution has enabled us to focus on a free universal solution available for every mobile app. We believe that every developer should be able to get security under control. From a simple booking app to a widely used Bitcoin wallet, every application can benefit from freeRASP protection.

Legal matters are taken seriously at Talsec. We adhere to GDPR and respect the privacy of your users. freeRASP doesn’t spy on you; the data processed for the purpose of in-app protection doesn’t involve any personal data. You can find out more about GDPR compliance and processed data here.

Summary

freeRASP gives your application much-needed runtime protection in no time. No, it won’t solve all your problems: deprecated signature algorithms, insecure hash algorithms, stored tokens, strings, obfuscation, certificate pinning, secure storage, screen recording, … These areas are still your responsibility unless you decide to use Talsec’s business plan. However, you don’t have to worry about rooting, hooking, repackaging, instance binding, debugging, emulator usage and other types of tampering, as freeRASP detects these reliably. Have I mentioned freeRASP supports Flutter as well? OK, go grab your copy now and give it a spin!

Written by Tomáš Soukal, Mobile Dev and Security Consultant at Talsec

[Figure: Example of a security report]

[Figure: Example of checks on a rooted device]

[Figure: Internal testing app for Android with freeRASP detecting a rooted device]