Majid Hajian
mhadaily
https://www.pixelcrayons.com/blog/mobile-app-statistics/
Identify
Detect
Protect
Respond
Recover
import 'package:flutter/material.dart';
MaterialApp(
ThemeData(
name: "Majid Hajian",
location: "Oslo, Norway",
description: '''
Google Developer Expert
Passionate Software engineer,
Community Leader, Author and international Speaker
''',
main: "Head of DevRel at Invertase.io",
homepage: "https://www.majidhajian.com",
socials: {
twitter: "https://www.twitter.com/mhadaily",
github: "https://www.github.com/mhadaily"
},
author: {
Pluralsight: "www.pluralsight.com/authors/majid-hajian",
Apress: "Progressive Web App with Angular, Book",
PacktPub: "PWA development",
Udemy: "PWA development",
}
founder: "Softiware As (www.Softiware.com)"
devDependencies: {
tea: "Ginger",
mac: "10.14+",
},
community: {
MobileEraConference: "Organizer",
FlutterVikings: "Organizer",
FlutterDartOslo: "Organizer",
GDGOslo: "Co-Organizer",
DevFestNorway: "Organizer",
...more
}));
Find me on the internet by
Head of DevRel at Invertase
Open Web Application Security Project
https://owasp.org/Top10/
https://owasp.org/www-project-mobile-top-10/
Web
Mobile
Examples:
Solutions:
Latest Flutter stable
Latest libraries updates
Latest guidelines for publishing apps
Regularly checking security guidelines by flutter team
https://docs.flutter.dev/security
https://pub.dev/packages/permission_handler
import 'package:permission_handler/permission_handler.dart';

// Request at the point of use, and only what the feature needs.
Future<bool> ensureContactsPermission() async {
  final status = await Permission.contacts.request();
  // Either the permission was already granted before or the user just granted it.
  if (status.isGranted) return true;
  // Permanently denied: the OS will not prompt again, so send the user to the app settings.
  if (status.isPermanentlyDenied) await openAppSettings();
  return false;
}

// You can request multiple permissions at once.
Future<void> requestLocationAndStorage() async {
  final statuses = await [Permission.location, Permission.storage].request();
  print(statuses[Permission.location]);
}
Examples:
Solutions:
https://pub.dev/packages/flutter_secure_storage
Flutter Secure Storage provides an API to store small secrets (tokens, keys) in platform-protected storage: the Keychain on iOS and a KeyStore-based solution on Android.
https://pub.dev/packages/hive
Lightweight and blazing-fast key-value database written in pure Dart and strongly encrypted using AES-256. The encryption key has to be supplied by the app, so keep it in secure storage rather than next to the box files.
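Added example, not code from the talk or from either package's documentation: the Hive encryption key is generated once and kept in flutter_secure_storage (Keychain/KeyStore), so the key that protects the box never sits in the app's documents directory beside the box file. The secure-storage entry name, box name and token value are placeholders.

```dart
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive/hive.dart';

/// Name of the secure-storage entry that holds the Hive key (assumed name).
const String kHiveKeyEntry = 'hive_session_box_key';

const FlutterSecureStorage _secureStorage = FlutterSecureStorage();

/// Load the 256-bit Hive key from the platform keystore (Keychain on iOS,
/// KeyStore-backed storage on Android), generating and persisting it on the
/// first run. The key itself never lands in the Hive files or in plain
/// SharedPreferences/NSUserDefaults.
Future<List<int>> loadOrCreateBoxKey() async {
  final stored = await _secureStorage.read(key: kHiveKeyEntry);
  if (stored != null) {
    return base64Url.decode(stored);
  }
  final key = Hive.generateSecureKey(); // 32 bytes from a secure RNG
  await _secureStorage.write(key: kHiveKeyEntry, value: base64Url.encode(key));
  return key;
}

/// Open the encrypted box. Hive.init(<app documents directory>) must have run
/// once at startup. Hive encrypts values only; the box's map keys stay in
/// plaintext, so never use a secret (token, e-mail, user id) as a map key.
Future<Box<String>> openSessionBox() async {
  final key = await loadOrCreateBoxKey();
  return Hive.openBox<String>('session', encryptionCipher: HiveAesCipher(key));
}

/// Usage: persist a refresh token under a non-sensitive map key and read it back.
Future<String?> storeAndReadRefreshToken(String token) async {
  final box = await openSessionBox();
  await box.put('refresh_token', token);
  final readBack = box.get('refresh_token');
  await box.close();
  return readBack;
}
```

If the secure-storage entry is ever lost (device restore, keystore invalidation) the box becomes unreadable by design; treat that as a logged-out state and recreate the box rather than falling back to an unencrypted one.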
https://pub.dev/packages/secure_application
SecureApplication(
  onNeedUnlock: (secure) => print(
      'need unlock: maybe use biometrics to confirm, then call secure.unlock()'),
  child: MyApp(),
)
Examples:
Solutions:
https://pub.dev/packages/http_certificate_pinning
Certificate pinning allows mobile applications to restrict communication to servers presenting a certificate whose SHA-256 fingerprint matches an expected value (the pin). The connection is terminated immediately if any other certificate is presented. Pin a certificate you control, and ship at least one backup pin (the next certificate, or the issuing CA) so a routine rotation does not lock installed clients out of your API.
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]
// The result is a 32-byte fingerprint, printed by openssl with a 'sha256 Fingerprint=' prefix.
// Placeholder values shown:
// '59:58:57:5A:5B:5C:5D:59:58:57:5A:5B:5C:5D:59:58:57:5A:5B:5C:5D:59:58:57:5A:5B:5C:5D:59:58:57:5A'
import 'package:http_certificate_pinning/secure_http_client.dart';

// Uses SecureHttpClient to make requests; pass the allowed fingerprints through.
SecureHttpClient getClient(List<String> allowedSHAFingerprints) {
  final secureClient = SecureHttpClient.build(allowedSHAFingerprints);
  return secureClient;
}

// e.g. final secureClient = getClient(['59:58:57:...']);
myRepositoryMethod(SecureHttpClient secureClient) {
  secureClient.get(Uri.parse("https://myurl.com"));
}
// Stand-alone check with the same package, e.g. before handing the URL to another
// HTTP client. It runs on its own connection, so the data request must go to the
// same host right afterwards.
import 'package:http_certificate_pinning/http_certificate_pinning.dart';

Future<bool> myCustomImplementation(String url, Map<String, String> headers,
    List<String> allowedSHAFingerprints) async {
  try {
    final secure = await HttpCertificatePinning.check(
      serverURL: url,
      headerHttp: headers,
      sha: SHA.SHA256,
      allowedSHAFingerprints: allowedSHAFingerprints,
      timeout: 50,
    );
    // The plugin answers with a status string; anything other than
    // CONNECTION_SECURE means the pin did not match.
    return secure.contains("CONNECTION_SECURE");
  } catch (e) {
    // Network or TLS failure: fail closed.
    return false;
  }
}
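Added worked example, not code from the talk or from the http_certificate_pinning package: the same pin check done with dart:io and package:crypto, so it is clear what the plugin compares. It hashes the DER-encoded leaf certificate with SHA-256 (the value the openssl command above prints), accepts pins pasted in either openssl's colon form or bare hex, and checks the peer certificate right after the TLS handshake, before any request data is sent. The host name and pins are constructed placeholders.

```dart
import 'dart:io';
import 'dart:typed_data';

import 'package:crypto/crypto.dart';

/// Normalise a pin copied from the openssl output ('sha256 Fingerprint=59:58:...'
/// or just '59:58:...') to lowercase hex with no separators.
String normalizePin(String pin) {
  final hex = pin.contains('=') ? pin.split('=').last : pin;
  return hex.replaceAll(':', '').trim().toLowerCase();
}

/// SHA-256 over the DER-encoded certificate: the same value that
/// `openssl x509 -fingerprint -sha256` prints.
String sha256Fingerprint(Uint8List der) => sha256.convert(der).toString();

/// True when the presented leaf certificate matches any allowed pin.
/// Ship at least two pins (current certificate plus a backup) so a rotation
/// does not lock installed clients out.
bool certificateIsPinned(X509Certificate cert, Iterable<String> allowedPins) {
  final actual = sha256Fingerprint(cert.der);
  return allowedPins.map(normalizePin).any((pin) => pin == actual);
}

/// Complete the TLS handshake with [host], inspect the peer certificate and
/// close again without sending any application data (so no header, cookie or
/// token reaches an impostor). The normal chain validation against the system
/// roots still happens inside connect(); the pin is an extra check on top.
Future<bool> hostMatchesPins(String host, List<String> allowedPins,
    {int port = 443}) async {
  final socket = await SecureSocket.connect(host, port,
      timeout: const Duration(seconds: 10));
  try {
    final cert = socket.peerCertificate;
    return cert != null && certificateIsPinned(cert, allowedPins);
  } finally {
    socket.destroy();
  }
}

Future<void> main() async {
  // Constructed placeholder pins (32 bytes each), not real fingerprints.
  const pins = [
    'sha256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:'
        '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF',
    'ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100', // backup
  ];
  const apiHost = 'api.example.com'; // assumption: your backend host

  // Both spellings normalise to a 64-character lowercase hex string.
  print(normalizePin(pins[0]));

  if (!await hostMatchesPins(apiHost, pins)) {
    // Fail closed: the check ran before any request was even built.
    throw HandshakeException('certificate pin mismatch for $apiHost');
  }
  // Pin verified: proceed with HttpClient / SecureHttpClient against apiHost.
}
```

Because the check and the later request use separate connections, run it immediately before the request (as the plugin's check() does) or, better, keep the pinned client from SecureHttpClient for the request itself.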
Examples:
Solutions:
https://pub.dev/packages/local_auth
import 'package:local_auth/local_auth.dart';

final LocalAuthentication auth = LocalAuthentication();

Future<void> inspectBiometrics() async {
  final List<BiometricType> availableBiometrics =
      await auth.getAvailableBiometrics();
  if (availableBiometrics.isNotEmpty) {
    // Some biometrics are enrolled.
  }
  if (availableBiometrics.contains(BiometricType.strong) ||
      availableBiometrics.contains(BiometricType.face)) {
    // Specific types of biometrics are available.
    // Use checks like this with caution! Enrolment is not authentication:
    // nothing is verified until auth.authenticate(...) returns true, and that
    // result must gate the protected action in code, not just the UI.
  }
}
Examples:
Solutions:
1- AES (Advanced Encryption Standard), preferably in an authenticated mode such as GCM
2- Fernet (AES-128-CBC plus an HMAC-SHA256 tag, as implemented by the encrypt package)
3- Salsa20 stream cipher
& ...
Use of Insecure and/or Deprecated Algorithms (e.g. DES, RC4, MD5 or SHA-1 for integrity, AES in ECB mode)
Any secret that could let someone act as the developer (signing keys, keystore passwords, API keys) needs to be encrypted at rest. Encrypt sensitive files like key.jks and keystore.properties with GPG before they go anywhere near version control, and never commit unencrypted secrets to your repository: a leaked signing key lets an attacker produce builds that look like yours.
https://pub.dev/packages/encrypt
import 'package:encrypt/encrypt.dart';

void main() {
  final plainText = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit';
  // Never hard-code the key: generate it once and keep it in Keychain/KeyStore
  // (e.g. via flutter_secure_storage), not in source or in the repository.
  final key = Key.fromSecureRandom(32);
  // IV.fromLength(16) is sixteen zero bytes and would repeat for every message;
  // use a fresh random IV per message and store it alongside the ciphertext.
  final iv = IV.fromSecureRandom(16);
  // AES(key) defaults to SIC (counter) mode, which encrypts but does not
  // authenticate, so a tampered ciphertext still decrypts to something.
  final encrypter = Encrypter(AES(key));
  final encrypted = encrypter.encrypt(plainText, iv: iv);
  final decrypted = encrypter.decrypt(encrypted, iv: iv);
  print(decrypted); // Lorem ipsum dolor sit amet, consectetur adipiscing elit
  print(encrypted.base64); // differs on every run because key and IV are random
}
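Added example, not from the talk: why the encrypt snippet is unsafe with a fixed IV, and what the fix looks like. The first class reproduces the library defaults (AES(key) is counter mode, IV.fromLength(16) is sixteen zero bytes) and shows that two ciphertexts XOR to the two plaintexts. The second class uses AES-256-GCM through pointycastle, the library that encrypt wraps (pointycastle 3.6+ is assumed for AESEngine), with a random 96-bit nonce prepended to each ciphertext and the GCM tag rejecting any modified byte. The messages are constructed samples.

```dart
import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';

import 'package:encrypt/encrypt.dart';
import 'package:pointycastle/export.dart' as pc;

Uint8List xorBytes(List<int> a, List<int> b) {
  final n = a.length < b.length ? a.length : b.length;
  return Uint8List.fromList(List<int>.generate(n, (i) => a[i] ^ b[i]));
}

Uint8List randomBytes(int n) {
  final rng = Random.secure();
  return Uint8List.fromList(List<int>.generate(n, (_) => rng.nextInt(256)));
}

/// The slide's defaults: AES(key) is SIC (counter) mode and IV.fromLength(16)
/// is sixteen zero bytes, so every message is XORed with the same keystream
/// and nothing authenticates the ciphertext.
class StaticIvBox {
  final Encrypter _enc;
  final IV _iv = IV.fromLength(16);
  StaticIvBox(Key key) : _enc = Encrypter(AES(key));

  Uint8List seal(String plaintext) =>
      _enc.encryptBytes(utf8.encode(plaintext), iv: _iv).bytes;
}

/// Hardened form: AES-256-GCM, a fresh 96-bit random nonce per message
/// prepended to the ciphertext, and the 128-bit tag (appended by GCM)
/// rejecting any modified byte on decryption.
class GcmBox {
  static const int nonceLength = 12;
  static const int tagBits = 128;
  final Uint8List _key; // 32 bytes

  GcmBox(this._key);

  pc.GCMBlockCipher _cipher(bool forEncryption, Uint8List nonce) =>
      pc.GCMBlockCipher(pc.AESEngine())
        ..init(forEncryption,
            pc.AEADParameters(pc.KeyParameter(_key), tagBits, nonce, Uint8List(0)));

  Uint8List seal(String plaintext) {
    final nonce = randomBytes(nonceLength);
    final ctAndTag =
        _cipher(true, nonce).process(Uint8List.fromList(utf8.encode(plaintext)));
    return Uint8List.fromList([...nonce, ...ctAndTag]);
  }

  /// Throws pc.InvalidCipherTextException if the tag does not verify.
  String open(Uint8List envelope) {
    final nonce = envelope.sublist(0, nonceLength);
    final ctAndTag = envelope.sublist(nonceLength);
    return utf8.decode(_cipher(false, nonce).process(ctAndTag));
  }
}

void main() {
  final key = Key.fromSecureRandom(32);
  // Constructed sample messages of equal length.
  const p1 = 'transfer 100 to alice  ';
  const p2 = 'transfer 999 to mallory';

  final weak = StaticIvBox(key);
  final c1 = weak.seal(p1);
  final c2 = weak.seal(p2);
  // Same key + same IV => same keystream, so c1 XOR c2 == p1 XOR p2 over the
  // plaintext bytes: an eavesdropper learns where and how the messages differ
  // without ever touching the key.
  final expected = xorBytes(utf8.encode(p1), utf8.encode(p2));
  final leaked = xorBytes(c1, c2).sublist(0, expected.length);
  print('static IV leaks p1 XOR p2: '
      '${base64Encode(leaked) == base64Encode(expected)}'); // true

  final box = GcmBox(key.bytes);
  final envelope = box.seal(p1);
  print(box.open(envelope)); // transfer 100 to alice
  envelope[envelope.length - 1] ^= 0x01; // flip one bit of the tag
  try {
    box.open(envelope);
  } on pc.InvalidCipherTextException {
    print('tampering detected, ciphertext rejected');
  }
}
```

The nonce is not secret and can travel in the clear in front of the ciphertext; what matters is that it is never reused under the same key, which a 96-bit random value from a secure RNG gives you for any realistic number of messages per key.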
https://pub.dev/packages/crypto
Examples:
Solutions:
Examples:
Solutions:
https://dart.dev/guides/language/effective-dart/design
Examples:
Solutions:
https://pub.dev/packages/flutter_jailbreak_detection
import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';

Future<void> checkDeviceIntegrity() async {
  bool jailbroken = await FlutterJailbreakDetection.jailbroken;
  bool developerMode = await FlutterJailbreakDetection.developerMode; // android only.
  // Heuristics only: a negative result is not proof of an untampered device.
}
Examples:
Solutions:
https://docs.flutter.dev/deployment/obfuscate
flutter build apk --obfuscate --split-debug-info=/project/debuginfo
Obfuscation only renames Dart symbols (classes, functions); it is not encryption, string literals stay readable, and secrets compiled into the app can still be recovered. Keep the --split-debug-info output private and use it with flutter symbolize to read crash stack traces from the obfuscated build.
https://docs.flutter.dev/resources/faq#run-android
Examples:
Solutions:
https://pub.dev/packages/freerasp
@override
void initState() {
  super.initState();
  // config: this callback, together with a TalsecConfig describing the expected
  // package name and signing certificate, is handed to Talsec's start call; see
  // the freeRASP README for the exact API of the version you use.
  // The print() handlers are placeholders. A real app should react: drop cached
  // tokens, refuse sensitive operations or report the event to the backend.
  callback = TalsecCallback(
    // For Android
    androidCallback: AndroidCallback(
      onRootDetected: () => print('root'),
      onEmulatorDetected: () => print('emulator'),
      onHookDetected: () => print('hook'),
      onTamperDetected: () => print('tamper'),
      onDeviceBindingDetected: () => print('device binding'),
      onUntrustedInstallationDetected: () => print('untrusted install'),
    ),
    // For iOS
    iosCallback: IOSCallback(
      onSignatureDetected: () => print('signature'),
      onRuntimeManipulationDetected: () => print('runtime manipulation'),
      onJailbreakDetected: () => print('jailbreak'),
      onPasscodeDetected: () => print('passcode'),
      onSimulatorDetected: () => print('simulator'),
      onMissingSecureEnclaveDetected: () => print('secure enclave'),
      onDeviceChangeDetected: () => print('device change'),
      onDeviceIdDetected: () => print('device ID'),
      onUnofficialStoreDetected: () => print('unofficial store'),
    ),
    // Common for both platforms
    onDebuggerDetected: () => print('debugger'),
  );
}
https://mas.owasp.org/
Majid Hajian
@mhadaily
Slides and link to source code
slides.com/mhadaily
SVG icons credited to undraw.co