Secure your Flutter Apps with Huawei Safety Detect

Effectively protecting your Flutter Apps against security threats.

Ali Türkay Avci
Huawei Developers
7 min readJul 6, 2021


Hello everyone,

In today's vulnerable world we need to secure our apps and protect our users from any malicious attempts we are able to detect. Huawei Safety Detect Service is just the right tool for providing security features to our mobile apps. So in this article we will implement the Flutter Huawei Safety Detect Plugin in a Flutter app to enhance it with robust security capabilities.

These security capabilities of the Huawei Safety Detect include:

  • SysIntegrity API: Checks whether the device running your app is secure, for example, whether it is rooted.
  • AppsCheck API: Obtains a list of malicious apps from the user's device.
  • URLCheck API: Determines the threat type of a specific URL.
  • UserDetect API: Checks whether your app is interacting with a fake user.
  • WifiDetect API: Checks whether the Wi-Fi to be connected is secure.

These APIs of Huawei Safety Detect are very useful for effectively protecting your app against various security threats. So we will implement all these features from Safety Detect, and we will also use the Huawei Cloud APIs in order to validate the user detection results.

Function Restrictions

There are some restrictions for the UserDetect and WifiDetect APIs as shown in the table below.

Since the WifiDetect function only works in the Chinese Mainland, I did not include it in this article, but you can find the development guide in this document.

Prerequisites

First of all you will need a Huawei Developer Account to create an app in AppGallery Connect and activate the Safety Detect Service.

Then you can integrate the Huawei Safety Detect Plugin for Flutter to your app by following the documentation below.

After completing these configurations we will be ready to use the APIs in our project. Let’s get things moving.

Note:

The screenshots of the code examples in this article are obtained from the example app of the Flutter Huawei Safety Detect Plugin. I have eliminated a part of the business logic (animations, logging etc.) for simplicity.

You can check the example app from the link below:

SysIntegrity API

The SysIntegrity API checks whether your user's device is rooted, unlocked, or vulnerable, so you can manage the usage of your app accordingly. To achieve this securely, the API evaluates the system integrity dynamically during the secure boot process from the Trusted Execution Environment (TEE). The API's check results are highly reliable: the SDK signs the system integrity check results with an X.509 digital certificate and returns them in JWS format, so the signed results cannot be tampered with.

To call the SysIntegrity API we need two arguments: a nonce value and the appId. The nonce value is included in the check result so you can determine whether the returned result corresponds to your request and is not a replayed result.

This nonce value must contain at least 16 bytes and can only be used once. It is recommended that the nonce value be derived from data sent to your server. For example, you can use the user name and the current timestamp as the nonce value. In this example the Random.secure() from the dart:math library is used for the nonce generation.

After obtaining a Random instance from the Random.secure() method, we can generate a cryptographically secure nonce with the code below.

After generating the nonce value, we can pass the appId along with the nonce to the SafetyDetect.sysIntegrity method and parse the base64URL encoded result. You can obtain your app ID from AppGallery Connect, from the agconnect-services.json file, or by calling the SafetyDetect.getAppID method. Here is the complete code piece:
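The nonce generation, the SysIntegrity call and the parsing of the JWS payload, as an added example (not the plugin's example app). It assumes the plugin's `SafetyDetect.sysIntegrity(nonce, appId)` signature takes the nonce as a `Uint8List`, that the payload key is `basicIntegrity`, and that the payload echoes the nonce as standard base64 text.

```dart
import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';

import 'package:huawei_safetydetect/huawei_safetydetect.dart';

/// Builds a nonce from Random.secure(). The API requires at least 16 bytes,
/// and every nonce must be used only once.
Uint8List generateNonce([int length = 24]) {
  final Random secureRandom = Random.secure();
  return Uint8List.fromList(
      List<int>.generate(length, (_) => secureRandom.nextInt(256)));
}

/// Calls SysIntegrity and returns the decoded JWS payload, or null when the
/// result does not echo the nonce we sent (stale or replayed result).
Future<Map<String, dynamic>?> checkSysIntegrity(String appId) async {
  final Uint8List nonce = generateNonce();
  // Assumed plugin signature: the signed result comes back in JWS compact
  // form, i.e. header.payload.signature, each segment base64url encoded.
  final String jws = await SafetyDetect.sysIntegrity(nonce, appId);
  final List<String> parts = jws.split('.');
  if (parts.length != 3) {
    throw const FormatException('Unexpected SysIntegrity result format');
  }
  // JWS segments are unpadded; normalize() restores the '=' padding that
  // base64Url.decode() otherwise rejects with a FormatException.
  final String payloadText =
      utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  final Map<String, dynamic> payload =
      json.decode(payloadText) as Map<String, dynamic>;

  // Assumption: the payload carries our nonce as standard base64 text.
  if (payload['nonce'] != base64.encode(nonce)) {
    return null; // the result does not belong to this request
  }
  return payload;
}

/// The "basic integrity" field the article refers to (key name assumed).
bool deviceLooksSecure(Map<String, dynamic>? payload) =>
    payload != null && payload['basicIntegrity'] == true;
```

Decoding the payload on the device is enough to read the fields, but the signature over the JWS should be verified on your own server before any business decision relies on the result.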

We can see the integrity check result from the basic integrity field.

Phew! The device looks secure.

AppsCheck API

The AppsCheck API flags a list of malicious apps installed on your user's device. You can obtain the list of malicious apps and evaluate whether to restrict your app's behavior based on the detected risks (risky apps or virus apps).

Detect and Eliminate buggy apps.

The API call is very simple. You just need to call the SafetyDetect.getMaliciousAppsList() method and assign the result to a list object. The list will contain MaliciousAppData instances if any malicious apps have been found.

URLCheck API

The URLCheck API recognizes potential links to malicious websites and determines the risk type of the URL so you can respond appropriately, which makes implementing secure browsing services cheaper.

When a user visits a URL, this API can check whether the URL is a malicious one. If so, you can evaluate the risk and either warn the user of the risk or block the URL.

To call the API we need to pass in three arguments: the URL to be checked, the app ID, and a list of the UrlThreatTypes you are concerned about.

In the example app we can enter any URL in the text field to run the inspection. A list of UrlCheckThreat objects will be returned after the API call.

We can use the test URL for the UrlCheck API.

UserDetect API

The UserDetect API identifies whether your app is interacting with a fake user, a so-called bot.

By utilizing UserDetect you can help your app prevent fake user behavior, such as batch registration, credential stuffing attacks, activity bonus hunting, and content crawling.

Fake users are identified by the real-time risk analysis engine. The API collects related data within the authorized scope and uploads it to the real-time risk analysis engine to check whether the current user is a fake one.

Note

Outside the Chinese mainland, users can be verified based on verification codes. If a user is suspicious or risky, a verification code is sent to the user for secondary verification.

In the Chinese mainland, users cannot be verified based on verification codes. The nocaptcha API on the cloud is used to obtain the user detection result.

The method call of UserDetect is very simple: we just need to pass the appId argument and await the method to obtain the resulting user token.

After we obtain the result, we can send a request to the cloud verify API to validate whether the resulting user token belongs to a real user. For more details about the cloud API please check Obtaining Fake User Detection Results (Outside the Chinese Mainland).

Note:

If you are in the Chinese Mainland you need to call the nocaptcha endpoint instead of verify. For more information please visit Obtaining Fake User Detection Results (In the Chinese Mainland).

The verify API needs two values in the request body for validating the user: accessToken and the response from the UserDetect API. In order to obtain the accessToken we need to send a POST request to another endpoint of the Huawei Cloud. The request details are as follows.

We will need the app id and app secret from the AppGallery Connect in the request body. In Project Settings > General Information page we can find the corresponding information as pointed out in the picture below.

After we obtain the values we can send a POST request with the values in the body encoded as application/x-www-form-urlencoded. I have used Postman to send the request as shown in the picture below.

After we send the request, we can get the accessToken in the response body.

Now that we have the accessToken and the fake user detection result, we can call the verify API to check whether the user is a real one. This time we use raw JSON as the request body and send the POST request.

We can check the success field in the response body to confirm that our user is indeed a real one.
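The two-request flow above (token request, then verify) as an added server-side example, not code from the article or from Huawei. It belongs on your backend because it needs the app secret, which must never ship inside the app; the user token from UserDetect is sent up from the app. The endpoint URLs are assumptions taken from memory of the Huawei Cloud docs the article links to; check them against the current documentation.

```dart
import 'dart:convert';
import 'dart:io';

// Assumed endpoints (verify against the linked Huawei docs before use).
const String tokenUrl = 'https://oauth-login.cloud.huawei.com/oauth2/v2/token';
const String verifyUrl =
    'https://hirms.cloud.huawei.com/rms/v1/userRisks/verify';

/// Minimal POST helper on dart:io so the example needs no extra packages.
Future<String> _post(Uri uri, String contentType, String body) async {
  final HttpClient client = HttpClient();
  try {
    final HttpClientRequest req = await client.postUrl(uri);
    req.headers.contentType = ContentType.parse(contentType);
    req.write(body);
    final HttpClientResponse res = await req.close();
    final String text = await res.transform(utf8.decoder).join();
    if (res.statusCode != 200) {
      throw HttpException('HTTP ${res.statusCode}: $text', uri: uri);
    }
    return text;
  } finally {
    client.close();
  }
}

/// Step 1: client_credentials grant with the app ID and app secret from
/// AppGallery Connect, sent as application/x-www-form-urlencoded.
Future<String> fetchAccessToken(String appId, String appSecret) async {
  final String body = Uri(queryParameters: <String, String>{
    'grant_type': 'client_credentials',
    'client_id': appId,
    'client_secret': appSecret,
  }).query; // Uri.query does the form-urlencoding for us
  final Map<String, dynamic> json = jsonDecode(await _post(
      Uri.parse(tokenUrl), 'application/x-www-form-urlencoded', body));
  return json['access_token'] as String;
}

/// Step 2: raw JSON body with accessToken and the UserDetect token as
/// "response"; the "success" field tells us whether the user is real.
Future<bool> isRealUser(String accessToken, String userDetectToken) async {
  final String body = jsonEncode(<String, String>{
    'accessToken': accessToken,
    'response': userDetectToken,
  });
  final Map<String, dynamic> json = jsonDecode(
      await _post(Uri.parse(verifyUrl), 'application/json', body));
  return json['success'] == true;
}
```

Cache the access token until shortly before it expires rather than requesting a new one per verification, and treat a non-true `success` as a failed check rather than as an error to retry.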

Conclusion

We have implemented the security features from the Huawei Safety Detect Plugin for Flutter in our app with ease, since most of the hard work is handled by the SDK itself. Now our app can detect whether the user's device is insecure or contains malicious apps, it can detect potentially harmful URLs, and it can tell whether we are interacting with a bot or a real user.

Congrats if you followed this tutorial till the end and made your app more secure for you and your users.

References & Further Reading
