Flutter FreeRasp Callback choice

I've done some research on OS, YouTube and GitHub. I followed the steps described on https://pub.dev/packages/freerasp and everything seems to be working fine. The question is, should I use the ThreatCallback or the TalsecCallback? The two callbacks do not check for exactly the same things.

As a side note, an easier way to get your hash, if you cannot run the Gradle task, is to go to your Google Play Console > View App > Setup > App Signing > App Signing Key Certificate > SHA 256. Then use https://base64.guru/converter/encode/hex as suggested.

    import 'package:flutter/material.dart';
    import 'package:freerasp/freerasp.dart';

    void main() async {
      WidgetsFlutterBinding.ensureInitialized();

      // Create configuration for freeRASP
      final config = TalsecConfig(
        /// For Android
        androidConfig: AndroidConfig(
          packageName: 'com.tada.tadaaa',
          signingCertHashes: ['dslkhfsdakjhfkjdshfkdshkfdsh'],
          supportedStores: ['adb', 'com.sec.android.app.samsungapps'],
        ),

        /// For iOS
        iosConfig: IOSConfig(
          bundleIds: ['com.tada.tadAAAA'],
          teamId: 'fsdjhgfksjdhgj',
        ),

        watcherMail: '[email protected]',

        isProd: false,
      );

      // Setting up callbacks
      final callback = ThreatCallback(
        onAppIntegrity: () => print("App integrity"),
        onObfuscationIssues: () => print("Obfuscation issues"),
        onDebug: () => print("Debugging"),
        onDeviceBinding: () => print("Device binding"),
        onDeviceID: () => print("Device ID"),
        onHooks: () => print("Hooks"),
        onPasscode: () => print("Passcode not set"),
        onPrivilegedAccess: () => print("Privileged access"),
        onSecureHardwareNotAvailable: () => print("Secure hardware not available"),
        onSimulator: () => print("Simulator"),
        onUnofficialStore: () => print("Unofficial store"),
      );

      // Attaching listener
      Talsec.instance.attachListener(callback);

      await Talsec.instance.start(config);

      // ...

      runApp(const App());
    }

Jailbreak detection, for example, is available on one callback but not on the other.

There are 1 best solutions below

Addressing the concerns.

If you're using a version older than 5.0.0, use the TalsecCallback. As of now, if you're using version 5.0.0 or newer, you should preferably use the ThreatCallback callback, as exemplified here: https://github.com/talsec/Free-RASP-Flutter/blob/master/example/lib/threat_notifier.dart.

The jailbreak threat is now handled by "onPrivilegedAccess".

Instead of printing out those error messages, a better approach could be:

    import 'package:flutter/material.dart';
    import 'package:freerasp/freerasp.dart';

    // Set to true by any of the threat callbacks below.
    bool threatDetected = false;

    void main() async {
      WidgetsFlutterBinding.ensureInitialized();

      final config = TalsecConfig(
        androidConfig: AndroidConfig(
          packageName: 'net.xyz',
          signingCertHashes: ['hashhash'],
          supportedStores: ['adb', 'com.sec.android.app.samsungapps'],
          //supportedStores: ['com.sec.android.app.samsungapps'],
        ),
        iosConfig: IOSConfig(
          bundleIds: ['net.xyz'],
          teamId: '123456789',
        ),
        watcherMail: '[email protected]',
        isProd: false,
      );

      final callback = ThreatCallback(
        onAppIntegrity: () => threatDetected = true,
        onObfuscationIssues: () => threatDetected = true,
        onDebug: () => threatDetected = true,
        onDeviceBinding: () => threatDetected = true,
        onDeviceID: () => threatDetected = true,
        onHooks: () => threatDetected = true,
        onPasscode: () => threatDetected = true,
        onPrivilegedAccess: () => threatDetected = true,
        onSecureHardwareNotAvailable: () => threatDetected = true,
        onSimulator: () => threatDetected = true,
        onUnofficialStore: () => threatDetected = true,
      );
      Talsec.instance.attachListener(callback);
      await Talsec.instance.start(config);
      // ...
      runApp(const App());
    }

    // ...
    child: MaterialApp(
        home: threatDetected ? const UnAuthorizedScreen() : const SplashScreen(),
    // ...
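
Added example, not part of the original answer or of the freeRASP project: a reactive variant of the flag approach above, so that a threat reported after the first build still swaps the screen and the triggering check is recorded. `detectedThreats`, `_report`, `buildThreatCallback` and `ThreatGate` are hypothetical names; the `ThreatCallback` parameters are the ones shown on this page.

```dart
import 'package:flutter/material.dart';
import 'package:freerasp/freerasp.dart';

// Hypothetical holder (not part of freeRASP): names of the threats seen so far.
final ValueNotifier<Set<String>> detectedThreats = ValueNotifier(<String>{});

// Assign a new Set so ValueNotifier sees a changed value and notifies listeners.
void _report(String threat) {
  detectedThreats.value = {...detectedThreats.value, threat};
}

// Same ThreatCallback parameters as in the answer; each records which check fired.
ThreatCallback buildThreatCallback() {
  return ThreatCallback(
    onAppIntegrity: () => _report('appIntegrity'),
    onObfuscationIssues: () => _report('obfuscationIssues'),
    onDebug: () => _report('debug'),
    onDeviceBinding: () => _report('deviceBinding'),
    onDeviceID: () => _report('deviceID'),
    onHooks: () => _report('hooks'),
    onPasscode: () => _report('passcode'),
    onPrivilegedAccess: () => _report('privilegedAccess'), // jailbreak, per the answer
    onSecureHardwareNotAvailable: () => _report('secureHardwareNotAvailable'),
    onSimulator: () => _report('simulator'),
    onUnofficialStore: () => _report('unofficialStore'),
  );
}

// Rebuilds whenever detectedThreats changes; shows `blocked` once any threat is recorded.
class ThreatGate extends StatelessWidget {
  const ThreatGate({super.key, required this.child, required this.blocked});

  final Widget child;
  final Widget blocked;

  @override
  Widget build(BuildContext context) {
    return ValueListenableBuilder<Set<String>>(
      valueListenable: detectedThreats,
      builder: (context, threats, _) => threats.isEmpty ? child : blocked,
    );
  }
}
```

Attach it with `Talsec.instance.attachListener(buildThreatCallback())` before `Talsec.instance.start(config)`, and set `home: ThreatGate(blocked: const UnAuthorizedScreen(), child: const SplashScreen())` in the `MaterialApp`.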