Where can I get Flutter App security documentation or best practice? I am nearly ready to publish my app.
I use online (free version) https://www.ostorlab.co/report/ and check the security of my app.
I have a main question above and some more question in below.
How to disable debug mode?
How to disable backup mode?
How to prevent my google map api key in AndroidManifest or similar?
These are the security issue that I am facing.
—————————————————————————————————
High Debug mode enabled
Description
The application is compiled with debug mode allowing attackers to attach a debugger to access sensitive data or perform malicious actions.Attacker can debug the application without access to source code and leverage it to perform malicious actions on behalf ot the user, modify the application behavior or access sensitive data like credentials and session cookies.
Recommendation
Disable debug mode by setting the attribute android:debuggeable to false in the application tag.
References
• DRD10-J Do not relase apps that are debuggable (CERT Secure Coding)
Ex: AndroidManifest:
<activity android:name="com.apptreesoftware.mapview.MapActivity" android:theme="#7F0C0102"> </activity>
<meta-data android:name="com.google.android.maps.v2.API_KEY" android:value=“****************************”></meta-data>
<meta-data android:name="com.google.android.gms.version" android:value="#7F080004"></meta-data>
————————————————————————————
Potentially Backup mode enabled
Description
Android performs by default a full backup of applications including the private files stored on /data partition. The Backup Manager service uploads those data to the user's Google Drive account.
Recommendation
if the application contains sensitive data that you don't want to be restored, you can disable backup mode by setting the attribute android:allowBackup to false in the application tag.
References
• Random Musings on the M Developer Preview: the Ugly (Part Two)
• DRD22. Do not cache sensitive information
————————————————————————————
Potentially Services declared without permissions
Description
service is an application component that can take care of actions to be done in the background, without user interaction. service can also be used to expose functionalities to other applications. This corresponds to calls to Context.bindService() to establish a connection to the service and interact with it.
Unprotected services can be invoked by other applications and potentially access sensitive information or perform privileged actions
Recommendation
service can expose several methods to external componenets. It is possible to define arbitrary permissions for each method using the method checkPermission.
It is also possible to seperate services and restrict access by enforcing permissions in the manifest's tag.
<permission android:name="co.ostorlab.custom_permission" android:label="custom_permission" android:protectionLevel="dangerous"></permission>
<service android:name="co.ostorlab.custom_service" android:permission="co.ostorlab.custom_permission">
<intent-filter>
<action android:name="co.ostorlab.ACTION" />
</intent-filter>
</service>
The service can enforce permissions on individual IPC calls by calling the method checkCallingPermissionbefore executing the implementation of that call.
References
• CWE-280: Improper Handling of Insufficient Permissions or Privileges
• Security Decisions Via Untrusted Inputs (OWASP Mobile Top 10)
• Service (Android Developper Documentation)
Technical details
False Positive
Services definition in AndroidManifest.xml:
<service android:name="com.mobile.niyazibank.MyFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:name="com.mobile.niyazibank.MyFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
<service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
<service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:exported="true" android:name="com.google.firebase.iid.FirebaseInstanceIdService">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
————————————————————
Important Exported activites, services and broadcast receivers list
Description
List of all exported components in the application. Exported component are accessible to external applications and present an entry point to the application.
Recommendation
This entry is informative, no recommendations applicable.
References
• Content Provider (Android Developper Documentation)
• Activity (Android Developper Documentation)
• Broadcast Receiver (Android Developper Documentation)
• Service (Android Developper Documentation)
Did you upload the release version or the debug version of the apk to check for security?
flutter build --release will generate release version apk
Also, read more here: https://flutter.dev/docs/deployment/android
Ya sure flutter build --release command will make a release version for your app and if you only want to remove the debug banner from the app while testing then
On your MaterialApp set debugShowCheckedModeBanner to false.
MaterialApp(
debugShowCheckedModeBanner: false
)
The debug banner will also automatically be removed on release build.
I am getting this error on installing and launching the app, but it does not effect working of my app. But still why am I getting this :
Error:screenSize" />
I was getting the same error but project run successfully
the problem occurred whenever I collapse tag
for example
<activity
android:name=".DetailActivity"
android:configChanges="keyboardHidden|screenSize|orientation" />
then i did like this
<activity
android:name=".DetailActivity"
android:configChanges="keyboardHidden|screenSize|orientation"></activity>
now error disappears and Android Studio gives me warning "XML tag has empty body"
No exact solution found
Tested on
Android Studio 3.0.1
In my case above solution didn't worked , so i debugged a bit and found out that facebook SDK didn't mention about any manifest changes in their documentation , but somewhere i found this on blog
Solution
Add/update below code in your manifest( if using Facebook Ads SDK ):
<activity
android:name="com.facebook.ads.AudienceNetworkActivity"
android:configChanges="keyboardHidden|orientation|screenSize" />
Apparently the conclusion is you maybe missing activity declaration in manifest of some sorts, Hope this post will help someone in future.
Tip:
Open your Manifest and switch to merged manifest tab and recheck it that it is merged okay
In Visual studio, Solution->Web.Project->Properties->Web, I have changed my Project Url from http://localhost:51123/ to http://localhost:51123/NewProjectName and I keep getting this error:
"Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to ...." on every module added.
Adding a remove tag works but then it should have been a problem even before i changed the url. Any suggestions?
I think IIS Express probably has 2 <application>-blocks and both will be pointing to the same physicalPath.
Go to the IIS Express config file in: My Documents\IISExpress\config\applicationhost.config
Search for NewProjectName
Change the physicalPath for the root application to something else. Point it to an empty folder.
Should look something like this:
<site name="NewProjectName" id="1">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\Temp" />
</application>
<application path="/NewProjectName" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\sourcecode\NewProjectName" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:51123:localhost" />
</bindings>
</site>
Also, ensure you don't have a duplicate web.config file in one of the parent folders (eg: a web.config backup file). That was the issue with mine!
I started randomly getting this error. I noticed that the iis express had two sites.
This double layer is causing IIS to read the web.config from the first site and second at \WFM, therefore finding duplicates. I just stopped all the sites and removed the \WFM from my web project path. However you could go clear the files and folders from your temp file in IIS express. In my case I had multiple versions of the solution and one solution's project\user config had an extra path in the web project URL. VS 2015 added it, or someone checked in their own user config to TFS. Hope this helps others.
All web.config files work off multiple cascading levels of inheritance at the machine, IIS, project, and folder level locations, with each providing a higher degree of specificity.
If you're getting this error, it means you've either:
Added the same key twice in the same file (unlikely since you would've seen it)
The same key already exists in a separate file higher up the inheritance chain
There can be a lot of different root causes for #2, but if you want to side step them, you can just remove any previous declarations and then re-add your own at that level (I'd pay good money for an upsert feature).
So just add <remove> tags like this for any offending elements:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="ErrorLog" />
<remove name="ErrorMail" />
<remove name="ErrorFilter" />
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
</system.webServer>
If you create an IIS website with the physical path the same as the project folder, and then use it create a virtual folder for the project, you are going to see this issue.
Your Web.config file is being loaded twice.
Instead as orjanto pointed out, create an empty folder and point the IIS website to it and then use it to create a virtual folder from Visual Studio.
I had the same problem. It turned out that I had a different project that uses IISExpress with the same port number. Once I changed the project to use a different port number, the error went away.
What worked for me. I deleted the {projectFolderParent}/.vs/config (you have to "show hidden folders/files)
After deleting that, I restarted my computer.
My Project Url in Web tab inside project properties pointed to wrong url and I was not able to change it ("Would you like to create Virtual Directory?" and VS was locked in a loop (Yes -> Unable to create, No -> Operation Canceled) until I manually reverted Url to the (incorrect) state it was before. The solution was to run VS as Admin. I was able to change that url and everything started to work. Hope it helps!
You may find that after upgrading to the latest windows 10 service pack June 2017, this issue is because certain nodes seem to now appear under the root config (machine.config). I removed my duplicates from web.config and it all worked again.
I had a problem of same type. Running my site published on IIS, the same error was shown.
I saw a web.config file in the wwwroot folder (out of application folder).
I removed this file and the application ran OK.
Look for a web.config file placed in a wrong folder (above your folder application).
Good luck!
The answer that #orjanto posted solved the problem for me, but I had an additional problem on top of that. After fixing, Internet Explorer still thought that my HTML page was a directory instead of a file.
I had duplicates in my IIS Express config file:
<site name="MyAPI" id="56">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\source\repos\MyAPI" />
</application>
<application path="/login.html" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\source\repos\MyAPI" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:57018:localhost" />
<binding protocol="https" bindingInformation="*:44302:localhost" />
</bindings>
</site>
Note the path="/login.html" in the second <application> entry.
My page was redirecting to "localhost:57018/login.html/" like it was a directory.
Removing the second entry fixed the problem with the configuration file duplicates, however I continued to have a problem where Internet Explorer seemed to think that /login.html/ was a directory (Internet Explorer 11). To diagnose the problem, I checked Chrome and Chrome worked fine.
I went into Internet Explorer, went to Tools > Internet Options > General Tab. Then under "Browsing History" section, I deleted History, Cookies and Website Data, & Temp. Internet Files.
I tried all of the above methods and nothing worked for me. I was keep on getting the error something like
Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'QueryStringModule'
At last I changed my server from
IIS Express to Local IIS in the project property build as given below.
and it worked for me.
I had the same problem, here's what I did:
I changed my Server settings from Local IIS to IIS Express:
If it still doesn't work, I changed the port number to different port
number then click the Create Virtual Directory button. Clean the
solution then Rebuild.
Just Change the port number which is not yet used by another application and it works
I'm trying to set up the Chainsaw viewer. I'm not really getting how it's supposed to work.
This is my XML file in the java project to be logged(i.e the one I want to watch in Chainsaw v2):
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration >
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="true">
<plugin name="XMLSocketReceiver" class="org.apache.log4j.net.XMLSocketReceiver">
<param name="decoder" value="org.apache.log4j.xml.UtilLoggingXMLDecoder"/>
<param name="Port" value="4000"/>
<param name="threshold" value="ALL"/>
</plugin>
<root>
<priority value="debug"/>
</root>
</log4j:configuration>
Here's a screenshot of the Chainsaw option menu:
A couple of things:
The latest developer snapshot of Chainsaw has a lot of new features, including a reworked configuration UI that should make it simpler (File, Load Chainsaw configuration menu option). You can get it here: http://people.apache.org/~sdeboy
The log4j.xml file used by the application generating the logging needs to have an 'appender' entry, not a 'receiver' entry. The Chainsaw configuration will contain a 'receiver' entry once you have it set up, which again, I would suggest doing via the configuration UI (it 'receives' events generated by an 'appender'). Just choose the option to save the config file from the configuration screen, and check the box that says 'always start Chainsaw with this configuration'
You can use a SocketAppender/SocketHubAppender on the application logging side, or a FileAppender of some kind. If you choose to use a FileAppender, Chainsaw's configuration screen can read in your application-side log4j.xml and generate the correct configuration for you.
If you have additional questions, feel free to send them here or to the log4j users mailing list, available here: http://logging.apache.org/log4j/1.2/mail-lists.html
Windows vista 32 bit - C# - .NET 4 - sqlite - IIS 7
I'm building a small project that contains is a custom HTTP handler where an user can request a XML file and the project will generate the file and send it to the user. It should be flexible enough to send something else too like e.g. json.
Everything was going well until I had to deploy the handler. I've created a library (dll) file which contains the logic for serving of the requested information. I've open IIS manager and I've created a virtual directory to the debug bin file (later on i made it an application. it did not make a difference).
I've followed countless examples and tutorials like these ones:
I started with this one: http://support.microsoft.com/kb/308001
http://msdn.microsoft.com/en-us/library/bb515343.aspx
msdn.microsoft.com/en-us/library/46c5ddfy.aspx
But with no luck. As you could have read I'm not using any asp.net website even though I do have a web.config that I've added to the bin folder and it looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<asp scriptErrorSentToBrowser="true" />
<directoryBrowse enabled="false" />
<handlers accessPolicy="Read, Script, Execute">
<add name="LigoManagedHandler" path="*" verb="*" type="Ligo.Service, Ligo" resourceType="Unspecified" preCondition="integratedMode" />
</handlers>
</system.webServer>
</configuration>
When I try to run handler in the browser get the following error:
Could not load file or assembly 'Ligo' or one of its dependencies. The system cannot find the file specified.
Exception Details: System.IO.FileNotFoundException: Could not load file or assembly 'Ligo' or one of its dependencies. The system cannot find the file specified.
I have tried so many possible combination in IIS manager to get it working ('httphandlers', 'classic mode' and so on ...) but i'm truly stuck. The information I've found on the internet is not helping much.
What am I doing wrong or missing to make it work?
Something in this rant triggered an idea, an I stumbled on the answer.
The line in all those tutorials that say put type="ClassName, AssemblyName" into the Handlers section in Web.Config are plain WRONG.
All I did was change this to type="AssemblyName.ClassName" and everything started working, in both a Web Site Project and a Web Application Project that I had created.
I'm running IIS 7.5 in integrated mode so YMMV.
Craig
I figure it out. I had to make a asp.net website project and add my dll as reference to this project.
I read this thread that provided this information which is not clear on the internet.
http://forums.asp.net/t/1088861.aspx/1?What+causes+the+quot+Could+not+load+type+quot+problem+
It should state that it is not possible to make the httphandler without a aspnet website project. or am i mistaken? the example on the internet are incorrect! or provide too little information.
I know, this is an old thread. However, I've been looking for an answer for a few days without finding a clear one. So, in case anyone comes across similar scenario.
You can create custom Http Handler as a stand-alone Class Library project and use it in IIS.
On IIS Add new Application with ASP4 Integrated mode. Place your compiled DLL into bin folder (this is what i was missing all along). Seems obvious that it should be there; took some time to figure this out. :)
web.config:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<handlers>
<add verb="*" path="*.ogg" name="test" type="Namespace.Classname"/>
</handlers>
</system.webServer>
</configuration>
Hope this helps.
Cheers.