Developer

Security

CICD

MobSF

MobSF (Mobile Security Framework) is an all-in-one mobile application pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis.

We provide a pipeline template which runs a static analysis using MobSF. The analysis requires a compiled app file to which you will need set the buildPath. Template creates two reports, one in JSON and the other in PDF format. These reports will appear in a directory specified by outputDirectory. To spare you from manually handling the reports we integrated the scan into our build pipeline where it can be turned on/off by setting the runMobSFScan parameter. Reports are added to the build artifact while also creating download links in the Security section of the build's associated Changelog.

Pipeline parameters

  • buildPath - path to your compiled application (find supported formats at MobSF)
    • required - true
    • type - string
    • default - n/a
  • outputDirectory - directory in which mobsf_report.json and mobsf_report.pdf files are created
    • required - false
    • type - string
    • default - $(Build.ArtifactStagingDirectory)/mobsf
  • containerBootTimeout - maximum wait duration MobSF boot
    • required - false
    • type - number
    • default - 120
Examples
# ========== Usage as a stand alone ==============
job:
  ...
  steps:
    ... # create or download a build
    - template: "template/mobsf-scan.yaml"
      parameters:
        buildPath: "path/to/your/build.apk"
        outputDirectory: "output/directory/for/reports/"
# ========== Usage with build pipeline ==============
jobs:
  ...
  - template: "azure/apps/build-android-app.yaml@templates"
    parameters:
      ...
      runMobSFScan: true

SonarQube

  • TBA

Eit Security package

The package offers security features for Flutter mobile apps, integrating freeRASP from Talsec and Screenshot protector. Additionally, it includes various other widgets tailored for security functionality.

Features

freeRasp

freeRASP for Flutter is a mobile in-app protection and security monitoring SDK. It aims to cover the main aspects of RASP (Runtime App Self Protection) and application shielding. The freeRASP is available for Android and iOS.

freeRASP SDK is designed to combat

  • Reverse engineering attempts
  • Re-publishing or tampering with the apps
  • Running application in a compromised OS environment
  • Malware, fraudsters, and cybercriminal activities

Key features are the detection and prevention of

  • Root/Jailbreak (e.g., unc0ver, check1rain)
  • Hooking framework (e.g., Frida, Shadow)
  • Untrusted installation method
  • App/Device (un)binding

For the complete information check freeRASP package.

Screenshot protector

The Screenshot protector is designed to hide data during screenshots, block screenshots entirely, and notify the user if the screen is being recorded.

Other

The package also offers several useful widgets:

  • Lock dialog: A dialog that can only be closed programmatically.
  • Numeric keyboard: A keyboard with the option for shuffled or unshuffled numbers.
  • Obscure code: Displays dots instead of text for obscuring sensitive information.
  • Screen protection: Protects against data leakage or screenshots for a specific screen.
  • Security issue page: Displays security incidents.

Installation

dart pub add eit_security --hosted-url=https://gitea.whitelabel.mobile.embedit.dev/api/packages/platform/pub/

!IMPORTANT You need access token for fetching from private pub repository. ELI add token automatically

Usage

Android setup

To make freeRASP work, the minSdkVersion must be set to 23.

// android/app/build.gradle
android {
...
defaultConfig {
    ...
    minSdkVersion 23
        ...
    }
...
}

To enable data leakage protection, follow the setup instructions provided in this link.

// android/app/build.gradle
dependencies {
    ...
    // add this line
    implementation 'com.github.prongbang:screen-protector:1.0.1'
    
}

import io.flutter.embedding.android.FlutterActivity
import com.prongbang.screenprotect.AndroidScreenProtector

class MainActivity: FlutterActivity() {
    private val screenProtector by lazy { AndroidScreenProtector.newInstance(this) }

    override fun onPause() {
        super.onPause()
        screenProtector.protect()
    }

    override fun onResume() {
        super.onResume()
        screenProtector.unprotect()
    }

    // For Android 12+
    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
        screenProtector.process(hasFocus.not())
    }
}

Configuration setup

To correctly configure security for your app, initialize it with a configuration that includes relevant app details. Additionally, for security to function properly, Flutter Bindings must be initialized. This can be achieved by calling WidgetsFlutterBinding.ensureInitialized().


void main() {
  ...

  // This line is important!
  WidgetsFlutterBinding.ensureInitialized();

  // Cceate configuration
  final config = SecurityConfig(
    /// Settings of Android app
    androidConfig: AndroidSettings(
      /// The package name of the app
      packageName: 'com.embedit.app',
      /// Base64 encoded SHA-256 hash of the signing certificate
      signingCertHashes: [
        'AKoRu...'
      ],
      /// The list of allowed stores.
      /// GooglePlay - com.android.vending etc.
      /// Samsung Apps - com.sec.android.app.samsungapps
      /// Aptoid  - cm.aptoide.pt
      /// etc..
      supportedStores: ['some.other.store'],
    ),

    /// Settings of iOS app
    ios: IOSSettings(
      /// Bundle IDs of the app
      bundleIds: ['com.embedit.app','com.embedit.app.watch'],
      /// Team ID of the app
      teamId: 'M8AK35...',
    ),
    /// Email for sending reports
    contactMail: 'your_mail@example.com',
    /// dev vs release
    isProd: true,
  );
}

Implementation

To secure your app, wrap it with the EitSecuredApp widget. This widget should be used only once throughout the entire app. Typically, you wrap your MaterialApp widget with EitSecuredApp and configure its properties based on the desired security features.

final navigatorKey = GlobalKey<NavigatorState>();
final RouteObserver<ModalRoute> routeObserver = RouteObserver<ModalRoute>();

final app = EitSecuredApp(
    config: config,
    /// Configuration for the lock screen
    /// If you want to enable the lock screen feature, provide a `LockScreenSettings` instance.
    lockScreen: LockScreenSettings(
        navigatorKey: navigatorKey,
        /// Defines the appearance and behavior of the lock screen.
        builder: (
            BuildContext context,
            VoidCallback closeCallback,
        ) => LockDialog(...),
        /// Specifies the delay before the lock screen appears when the app goes to the background.
        /// Setting this to `Duration.zero` means the lock screen will appear immediately.
        /// If set to `null`, the lock screen will not appear when the app goes to the background.
        backgroundDelayDuration: Duration.zero,
    ),
    security: SecuritySettings(
        /// Whether to start monitoring security incidents automatically when the app starts.
        startAutomatically: true,
        /// Enables or disables data leak protection for the entire app.
        dataLeakProtection: false,
        /// Enables or disables screenshot protection for the entire app.
        screenshotProtection: false,
    ),
    /// Custom callback function that gets triggered when a security incident is detected.
    onIncident: (incident) {},
    /// Error handler for handling exceptions during security operations
    onLog: (exception) {},
    /// Use this if you want to apply ScreenProtection widget to protect specific screens.
    routeObserver: routeObserver,
    child: MaterialApp(
        navigatorKey: navigatorKey,
        navigatorObservers: [routeObserver],
        ...
    ),
);

Further down in the widget tree, you can access EitSecuredAppState by using EitSecuredApp.of(context). EitSecuredAppState provides several useful methods for managing security functionality.

/// Some page managed by EitSecuredApp

@override
Widget build(BuildContext context) {
    final securedApp = EitSecuredApp.of(context);
    /// Show lock screen.
    final showLockScreenResult = await securedApp.showLockScreen();
    /// Enables screenshot protection.
    final enableScreenshotProtectionResult = await securedApp.security.enableScreenshotProtection();
    /// Disables screenshot protection.
    final disableScreenshotProtectionResult = await securedApp.security.disableScreenshotProtection();
    /// Enables data leakage protection.
    final enableLeakageResult = await securedApp.security.enableLeakageProtection();
    /// Disables data leakage protection.
    final disableLeakageResult = await securedApp.security.disableLeakageProtection();
    /// Enables both data leakage and screenshot protection.
    final enableScreenProtectionResult = await securedApp.security.enableScreenProtection();
    /// Disables both data leakage and screenshot protection.
    final disableScreenProtectionResult = await securedApp.security.disableScreenProtection();
    /// Use context to navigate to security issue page.
    context.showIssuePage(incident);
    ...
}

Result

This package aims to create an implemetation of Kotlin's and Swift's Result class and own operators. inspired by Dartz Either function.

Availability

A Flutter plugin to detect the availability of the Google Play Services and Huawei HMS Services API on Android devices. It can also be used to check the device is a Huawei device or not.

Copyright © 2025. All rights reserved.