Where can I get Flutter App security documentation or best practice? I am nearly ready to publish my app.
I use online (free version) https://www.ostorlab.co/report/ and check the security of my app.
I have a main question above and some more questions below.
How to disable debug mode?
How to disable backup mode?
How to prevent my google map api key in AndroidManifest or similar?
These are the security issues that I am facing.
—————————————————————————————————
High: Debug mode enabled
Description
The application is compiled with debug mode enabled, allowing attackers to attach a debugger to access sensitive data or perform malicious actions. An attacker can debug the application without access to the source code and leverage it to perform malicious actions on behalf of the user, modify the application behavior, or access sensitive data like credentials and session cookies.
Recommendation
Disable debug mode by setting the attribute android:debuggable to false in the application tag.
References
• DRD10-J Do not release apps that are debuggable (CERT Secure Coding)
Ex: AndroidManifest:
<activity android:name="com.apptreesoftware.mapview.MapActivity" android:theme="@7F0C0102"> </activity>
<meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="****************************"></meta-data>
<meta-data android:name="com.google.android.gms.version" android:value="@7F080004"></meta-data>
————————————————————————————
Potentially: Backup mode enabled
Description
Android performs by default a full backup of applications including the private files stored on /data partition. The Backup Manager service uploads those data to the user's Google Drive account.
Recommendation
If the application contains sensitive data that you don't want to be restored, you can disable backup mode by setting the attribute android:allowBackup to false in the application tag.
References
• Random Musings on the M Developer Preview: the Ugly (Part Two)
• DRD22. Do not cache sensitive information
————————————————————————————
Potentially: Services declared without permissions
Description
A service is an application component that can take care of actions to be done in the background, without user interaction. A service can also be used to expose functionality to other applications. This corresponds to calls to Context.bindService() to establish a connection to the service and interact with it.
Unprotected services can be invoked by other applications and potentially access sensitive information or perform privileged actions.
Recommendation
A service can expose several methods to external components. It is possible to define arbitrary permissions for each method using the method checkPermission.
It is also possible to separate services and restrict access by enforcing permissions in the manifest's service tag:
<permission android:name="co.ostorlab.custom_permission" android:label="custom_permission" android:protectionLevel="dangerous"></permission>
<service android:name="co.ostorlab.custom_service" android:permission="co.ostorlab.custom_permission">
<intent-filter>
<action android:name="co.ostorlab.ACTION" />
</intent-filter>
</service>
The service can enforce permissions on individual IPC calls by calling the method checkCallingPermission before executing the implementation of that call.
References
• CWE-280: Improper Handling of Insufficient Permissions or Privileges
• Security Decisions Via Untrusted Inputs (OWASP Mobile Top 10)
• Service (Android Developer Documentation)
Technical details
False Positive
Services definition in AndroidManifest.xml:
<service android:name="com.mobile.niyazibank.MyFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:name="com.mobile.niyazibank.MyFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
<service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
<service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.MESSAGING_EVENT">
</action>
</intent-filter>
</service>
<service android:exported="true" android:name="com.google.firebase.iid.FirebaseInstanceIdService">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.INSTANCE_ID_EVENT">
</action>
</intent-filter>
</service>
————————————————————
Important: Exported activities, services and broadcast receivers list
Description
List of all exported components in the application. Exported components are accessible to external applications and present an entry point to the application.
Recommendation
This entry is informative, no recommendations applicable.
References
• Content Provider (Android Developer Documentation)
• Activity (Android Developer Documentation)
• Broadcast Receiver (Android Developer Documentation)
• Service (Android Developer Documentation)
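An added example (not from the question, the answers, or Ostorlab) that applies the report's three manifest checks to a constructed AndroidManifest.xml: the debuggable flag, the allowBackup flag, and services reachable by other apps without an android:permission. Both sample manifests, their package and service names, and the com.example.app.PUSH permission are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(el, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return el.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Return a list of findings mirroring the report's manifest checks."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append('debuggable=true: omit it or set android:debuggable="false" for release')
    if attr(app, "allowBackup") != "false":
        findings.append("allowBackup is not false: private files go into device/cloud backups")
    for svc in app.findall("service"):
        exported = attr(svc, "exported")
        # Reachable by other apps when exported="true", or when exported is unset
        # and the service declares an intent-filter (the default before Android 12).
        reachable = exported == "true" or (exported is None and svc.find("intent-filter") is not None)
        if reachable and attr(svc, "permission") is None:
            # The report rated its Firebase services a false positive, so this
            # finding still needs a human decision rather than a blind fix.
            findings.append(f"service {attr(svc, 'name')} reachable without android:permission")
    return findings

# Constructed sample: the weak settings the report complained about.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true">
    <service android:name="com.example.app.PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name="com.example.app.InternalService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: the same manifest with the report's recommendations applied.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.example.app.PUSH" android:protectionLevel="signature"/>
  <application android:debuggable="false" android:allowBackup="false">
    <service android:name="com.example.app.PushService" android:permission="com.example.app.PUSH">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name="com.example.app.InternalService" android:exported="false"/>
  </application>
</manifest>"""
```

Running audit_manifest on the merged manifest of a release build (the one under build/app/intermediates, not the source manifest) is what catches attributes that a plugin or build variant adds.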
Did you upload the release version or the debug version of the apk to check for security?
flutter build --release will generate release version apk
Also, read more here: https://flutter.dev/docs/deployment/android
Yes, sure, the flutter build --release command will make a release version of your app, and if you only want to remove the debug banner from the app while testing, then
on your MaterialApp set debugShowCheckedModeBanner to false:
MaterialApp(
debugShowCheckedModeBanner: false
)
The debug banner will also automatically be removed on release build.
Related
I have an SDK class built with a Read Thread. The MainActivity includes the SDK class. I need to pass read messages back from the Read Thread to the MainActivity. I see similar questions asked, but the answers appear to be from MainActivity back to a thread or service. The other question is what context do I use? Can both be the MainActivity context?
I had all the right code in my MainActivity and in my SDK but it needed one extra thing. All it took was to add the following to my AndroidManifest.xml file:
<application
<activity
<intent-filter>
<action android:name="company.com.sdk.MY_ACTION_NAME" />
</intent-filter>
</activity>
</application>
Our company is developing our new applications using Service Fabric.
A common problem we have: multiple developers use queues, databases and storages that are on remote servers, and each one has a different configuration for this. All the settings are stored in the ApplicationParameters file per environment; for local development there is a single Local.5Node.xml. It is very common that developers check in their credentials and overwrite others' when we get the latest version of these files.
I'm trying to customize the Service Fabric deployment script 'Deploy-FabricApplication.ps1' to use a custom PublishProfile depending on the Windows credentials of the logged-in user. I can achieve that by updating the deployment file, and it works well when we deploy using the publish, but it seems that the default behavior of Service Fabric when we hit F5 (debug) is to overwrite the parameters with the specific Local.5Node.xml application parameters.
I explored all Service Fabric .ps1 files and couldn't find where this is defined. I guess this is defined in the .targets file, so I don't know how I can avoid this default behaviour.
Is there any other approach to use custom PublishProfiles on local development machines other than Local.5Node.xml?
I actually just ran into this with setting up some team specific environments. I borrowed information from the following sources:
Web Config Transformation
Replace String In File With MSBUILD
I added multiple parameters files based on what was needed for the different teams. Each one containing their specific resource settings.
I also added a Local.1Node.Template.xml and Local.5Node.Template.xml. I even removed the Local.1Node.xml and Local.5Node.xml from source control and set them up to be ignored while leaving them in the projects so that Visual Studio doesn't think they are truly missing. The contents of the 1Node (5Node is the same except for replacing 1Node with 5Node) are as follows:
<?xml version="1.0" encoding="utf-8"?>
<PublishProfile xmlns="http://schemas.microsoft.com/2015/05/fabrictools">
<ClusterConnectionParameters />
<ApplicationParameterFile Path="..\ApplicationParameters\Local.1Node.$(Configuration).xml" />
</PublishProfile>
I then edited the sfproj file for the Service Fabric project to contain the following MSBuild Task and Target:
<UsingTask TaskName="ReplaceFileText" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
<ParameterGroup>
<InputFilename ParameterType="System.String" Required="true" />
<OutputFilename ParameterType="System.String" Required="true" />
<MatchExpression ParameterType="System.String" Required="true" />
<ReplacementText ParameterType="System.String" Required="true" />
</ParameterGroup>
<Task>
<Reference Include="System.Core" />
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Using Namespace="System.Text.RegularExpressions" />
<Code Type="Fragment" Language="cs">
<![CDATA[
File.WriteAllText(
OutputFilename,
Regex.Replace(File.ReadAllText(InputFilename), MatchExpression, ReplacementText)
);
]]>
</Code>
</Task>
</UsingTask>
<Target Name="UpdateProfile" BeforeTargets="UpdateServiceFabricApplicationManifest">
<ReplaceFileText InputFilename="PublishProfiles\Local.1Node.Template.xml" OutputFilename="PublishProfiles\Local.1Node.xml" MatchExpression="\$\(Configuration\)" ReplacementText="$(Configuration)" />
<ReplaceFileText InputFilename="PublishProfiles\Local.5Node.Template.xml" OutputFilename="PublishProfiles\Local.5Node.xml" MatchExpression="\$\(Configuration\)" ReplacementText="$(Configuration)" />
</Target>
The final step was to set up the different Build Configurations for the teams. I created FT1-Debug through FT6-Debug based on the Debug configuration in the Service Fabric Service project and the Service Fabric Host project. I left all of my other projects alone.
At this point everyone on the different teams can debug locally with the correct configuration for the cluster they are doing work in just by changing the Build Configuration and pressing F5 to debug.
The VS extension for Service Fabric defines a hard-coded publish profile when we debug the solution using Visual Studio: it checks how many nodes my cluster has and creates a link to Local.5Node.xml or Local.1Node.xml depending on how many nodes my cluster has.
To accomplish the same results, we ended up using custom Application Parameters per developer, and each developer updates the Publish Profile (Local.5node.xml) to point to their respective Application Parameters file.
It is not automated as the required feature would be, but it can solve the main problem.
It is possible in Azure Web App to override web.config AppSettings section easily. E.g. if I have the following web.config:
<appSettings>
<add key="AllowedCORSOrigin" value="http://localhost:26674"/>
</appSettings>
I can override it in the app settings UI in the portal like that:
I have also a custom section in the web.config:
<AdWordsApi>
<add key="OAuth2RefreshToken" value="TOKEN" />
</AdWordsApi>
Is it possible to override it somehow as well? I have tried AdWordsApi.OAuth2RefreshToken and AdWordsApi:OAuth2RefreshToken, but that does not work that easily.
P.S. It's interesting to know if it's possible with other custom sections too, e.g. if I want another authentication mode on the server:
<system.web>
<authentication mode="None" />
</system.web>
Short answer is that it is not possible.
The mechanism you describe only works with App Settings and Connection Strings. At a high level, the way it works is:
Your Azure App Settings become environment variables
At runtime, a special module sets those dynamically in the .NET config system. Note that the physical web.config is never modified.
But it would be hard to make such a mechanism work on arbitrary config sections, as those could not be dynamically affected without modifying the physical file.
If you are using Visual Studio use web.config transformations to change configuration settings depending on whether you are running locally or deploying to Azure:
How to Transform Web.config
In simple terms, you create one or more build configurations (typically Debug & Release). In your Visual Studio solution right-click on your existing web.config file and click "Add Config Transform"; this will create a Web.Debug.Config and Web.Release.Config file which you can then customise with specific settings depending on the environment. Link this with your Azure build configuration and you can then have any combination of settings for local and remote deployment.
This is old but leaving this reference to how to use Azure Resource Manager to potentially solve this.
You can transform the values listed in VSTS by doing the following steps in App.Release.config:
Add xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform" in configuration section
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
</configuration>
Add xdt:Transform="Replace" in custom section like below
<AdWordsApi xdt:Transform="Replace">
<add key="OAuth2RefreshToken" value="TOKEN" />
</AdWordsApi>
Create variable token in the release pipeline e.g OAuth2RefreshToken
Then in file config use it as following
<AdWordsApi xdt:Transform="Replace">
<add key="OAuth2RefreshToken" value="#{OAuth2RefreshToken}#" />
</AdWordsApi>
If you are adding anything in web.config --> appSettings, you can override it in Azure App Service using the variable prefix:
Key Name: APPSETTING_AllowedCORSOrigin
Value: http://localhost:26674
https://learn.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet#variable-prefixes
I have set up new relic in azure (Web Sites > My App > Configuration > Monitoring Tools > Custom) and I have also installed the NuGet package: NewRelic.Azure.Websites.
Then I changed my web config app settings to this:
<add key="NewRelic.AppName" value="My Website" />
and in the new relic config file, I changed this:
<application />
to this:
<application>
<name>My Website</name>
</application>
I have disabled Always On and still I do not get any data.
Does anyone know why?
Did you add the Application Settings according to the NewRelic documentation?
Remember that if you are using ASPNet 5 /Core 1.0, NewRelic is not yet supported.
It was due to installing the 32-bit package through NuGet instead of the 64-bit one.
I am currently developing an ASP.NET MVC 4 app for the African market and was hoping to register a custom culture using the steps detailed in the following link: http://msdn.microsoft.com/en-gb/library/system.globalization.cultureandregioninfobuilder.register(v=vs.110).aspx. Most of my target countries are not in the pre-installed cultures, so it sounds like I need to register these cultures. Problem is, my console app for doing the registration will need admin privileges to complete the culture registration. I am presuming Windows Azure does not allow developers admin control of the cloud service environment.
Question: What is the best way to register a custom culture in Windows Azure without admin privileges? Apparently there's a way to do this on Framework 2.0 using the cultureandregioninfobuilder.compile method, but this is not a supported method. Is there a better solution? I don't want to have to maintain different project solutions for each culture just so I can support different languages.
Thanks in advance.
You could create a startup task that runs with elevated privileges, and also run your application in a limited context. Your service definition file should look like this:
<ServiceDefinition name="MyCloudService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2012-10.1.8">
<WebRole name="MyWebRole" vmsize="Small">
<Runtime executionContext="limited">
</Runtime>
<Startup>
<Task executionContext="elevated" commandLine="scripts\SetupCulture.cmd" taskType="simple">
<Environment>
<Variable name="CULTURE">
<RoleInstanceValue xpath="/RoleEnvironment/CurrentInstance/ConfigurationSettings/ConfigurationSetting[@name='Culture']/@value" />
</Variable>
</Environment>
</Task>
</Startup>
...
</WebRole>
</ServiceDefinition>
Note that with this you can specify the desired culture in the service configuration file. Finally, you can use the environment variable "CULTURE" in your .cmd file as a parameter to the .NET executable doing the job.