π₯ Dash Shield
Dash Shield is a comprehensive Flutter plugin built to enhance app security and streamline
development processes. It offers essential tools for protecting sensitive data, including screenshot
and screen recording prevention, SSL pinning for secure network connections, and flexible app
integrity checks. Additionally, Dash Shield provides utilities for managing print
statements in
code, allowing you to quickly remove or wrap debug logs within kDebugMode
. With Dash Shield,
safeguarding your app and optimizing your development workflow is simple and effective.
π Requirements
To use this plugin, make sure your project meets the following minimum SDK requirements:
SDK | Version |
---|---|
Dart | >=2.18.0 <4.0.0 |
Flutter | >=3.3.0 |
π Platform Support
- This Flutter package supports the following platforms:
Platform | Support Status | Notes |
---|---|---|
Android | β Supported | Requires Android Sdk 23 or Newer |
iOS | β Supported | Requires iOS 12.0 or Newer |
Web | β³ Soon | Will be supported soon. |
π Features
-
Prevent Screenshots and Screen Recording
- Block screenshots and screen recording on specific screens or globally across the app.
- Ensures sensitive information is kept secure, even in visual form.
-
SSL Pinning
- Enforce SSL pinning with custom certificates to prevent man-in-the-middle (MITM) attacks.
- Compatible with
Dio
client for secure network communication.
-
Application Integrity Checks
- Perform real-time checks to detect app integrity issues, such as debugging, device binding, unauthorized hooks, and more.
- Configurable actions for each integrity check for granular control over responses.
-
Print Removal and Debug Management
- Provides tools to remove all
print
statements or wrap them withkDebugMode
for better debug log control. - Helps streamline production code by eliminating or isolating debugging logs in a simple, automated way.
- Provides tools to remove all
π Installation
Add dash_shield
to your pubspec.yaml
:
dependencies:
dash_shield: ^0.0.1+3
Then, run:
flutter pub get
π Getting Started
1. Prevent Screenshots and Recording
You can prevent screenshots and screen recording in two ways:
a) Globally for the Entire App
To prevent screenshots and recording across the entire app, use the following:
import 'package:dash_shield/dash_shield.dart';
await DashShield.preventScreenshotsGlobally();
This will apply a global security setting, ensuring no screen in the app can be captured or recorded, and for re-allowing this programmatically use the following :
import 'package:dash_shield/dash_shield.dart';
await DashShield.allowScreenshotsGlobally();
Note: The previous 2 Methods works well with Android and IOS.
b) For Specific Screens
If you need to prevent screenshots and recording only on certain screens, Dash Shield provides a targeted approach to apply security only where itβs needed. This is useful for protecting sensitive screens while leaving others unaffected, and re-allowing it when leaving this screen.
class Step2 extends StatefulWidget {
const Step2({super.key});
@override
State<Step2> createState() => _Step2State();
}
class _Step2State extends State<Step2> {
@override
void initState() {
super.initState();
/// Prevent Screenshot for this screen.
DashShield.preventScreenshotsAndRecordingForThisScreen();
}
@override
void dispose() {
/// Allow screenshots when leaving this screen
DashShield.allowScreenshotsAndRecordingForThisScreen();
super.dispose();
}
@override
void deactivate() {
/// Allow screenshots when leaving this screen
DashShield.allowScreenshotsAndRecordingForThisScreen();
super.deactivate();
}
@override
Widget build(BuildContext context) {
return Scaffold(
appBar: AppBar(
title: Text('Sensitive Screen'),
),
body: Center(
child: Text(
'Content on this screen is secure from screenshots and recording.')),
);
}
}
In this example, calling DashShield.preventScreenshotsAndRecordingForThisScreen() inside the build method of a specific screen (if Stateless) and inside initState() method (if Stateful), this will restrict screenshots and recordings only for that screen. This targeted restriction allows you to control the security of individual screens without affecting the rest of the app. and don't forget to call DashShield.allowScreenshotsAndRecordingForThisScreen(); when leaving the screen to allow Screenshots in other screens.
Tip: Place the
preventScreenshotsAndRecordingForThisScreen()
call at the top of thebuild
(if Stateless) and insideinitState()
method (if Stateful) for clarity, ensuring it activates as soon as the screen is rendered.
Note: The previous 2 Methods works well with Android Only.
2. Apply SSL Pinning
Dash Shield allows you to secure network connections by enforcing SSL pinning with custom
certificates, preventing man-in-the-middle (MITM) attacks. This functionality is compatible with
the Dio
client for now, other clients will be supported soon.
To apply SSL pinning:
import 'package:dash_shield/dash_shield.dart';
List<String> certificatePaths = [
'assets/certificates/my_cert.pem',
'assets/certificates/my_cert_2.crt'
];
await DashShield.applySSLPinning(certificatePaths, dioClient);
- certificatePaths: A list of paths to
.pem
or.crt
certificate files located in your assets. - client: The HTTP client (such as
Dio
) used for network requests.
Tip: Make sure to include your certificate files in the projectβs assets and reference them in
pubspec.yaml
to ensure they load correctly.
3. App Integrity Checks
Dash Shield offers configurable app integrity checks to detect security vulnerabilities such as debugging, developer mode, emulation, and more. You can tailor these checks to suit your appβs security needs.
a) Define a Security Configuration
To set up integrity checks, create a SecurityConfig
instance with the necessary parameters:
import 'package:dash_shield/dash_shield.dart';
final securityConfig = SecurityConfig(
androidSigningSHA256Hashes: ['sha256hash1', 'sha256hash2'],
androidPackageName: 'com.example.app',
iosBundleIds: ['com.example.app.ios'],
iosTeamId: 'TEAMID',
watcherEmail: 'security@example.com',
enableOnAndroid: true,
enableOniOS: true,
);
- androidSigningSHA256Hashes: List of SHA256 hashes for Android app signing.
- androidPackageName: Package name for the Android app.
- iosBundleIds: List of iOS bundle IDs.
- iosTeamId: Team ID for iOS app signing.
- watcherEmail: Email for receiving alerts when integrity issues are detected.
- enableOnAndroid and enableOniOS: Toggles to enable or disable checks for each platform.
b) Initialize Security Checks
After configuring, initialize the security checks with the following:
await DashShield.initSecurity(config:securityConfig);
This will activate the specified integrity checks to safeguard your app.
Custom Actions for Integrity Checks
You can define custom actions to respond to specific integrity issues:
final securityConfig = SecurityConfig(
...
checksToEnable: [SecOnControlsToApply.appIntegrity, SecOnControlsToApply.debug],
generalAction: (issue) => print('General Action Triggered: $issue'),
specificActions: {
SecOnControlsToApply.appIntegrity: (issue) => print('App integrity check failed: $issue'),
},
);
- checksToEnable: List of specific checks to enable.
- generalAction: Function to execute for any detected integrity issue if no specific action is set.
- specificActions: Map of individual actions for each check, allowing for tailored responses to different security concerns.
Tip: Setting custom actions allows you to implement different responses, like logging or alerting, based on the type of integrity check that fails.
4. Print Removal and Replacing
Dash Shield includes a print management tool to help you clean up or control debugging logs in your
project. This feature allows you to remove all print
statements from your code or wrap them
with kDebugMode
, making it easy to manage debug output in production builds.
To access the print management tool, run the following command:
dart run dash_shield:main
Youβll see a command-line menu with the following options:
-
Remove All Prints: Select this option to search through your Dart files and automatically remove all
print
statements. This ensures that no debug logs are left in your code, streamlining production builds and reducing unnecessary log output. -
Wrap All Prints with kDebugMode: Choose this option to wrap each
print
statement withkDebugMode
, making them visible only in debug mode. This is a quick way to retain useful debug information without exposing it in production.
Note: Using these options helps ensure that sensitive or unnecessary logs are managed efficiently in production-ready code.
5. DashShieldOverlay
The DashShieldOverlay
widget is designed to enhance the security of Flutter applications by covering the screen with a customizable overlay when the app goes into the background. This helps prevent sensitive information from being visible when switching between apps or viewing recent apps.
All you need to do, is to put it in the builder method in MaterialApp Widget, or Wrap any screen you want to implement this feature on it with this widget.
import 'package:dash_shield/dash_shield.dart';
return MaterialApp(
...
builder: (context, child) {
return DashShieldOverlay(
overlayWidget: Container(
color: Colors.teal,
child: const Center(
child: Text("Dash Shield"),
),
),
child: child!);
},
home: const MyHomePage(title: 'Dash Shield Demo'),
);
π API Reference
Methods
preventScreenshotsGlobally()
Prevents screenshots and screen recordings globally across the app. (Working in Android and IOS)
allowScreenshotsGlobally()
Allow screenshots and screen recordings globally across the app. (Working in Android and IOS)
preventScreenshotsAndRecordingForThisScreen()
Prevents screenshots and screen recordings for specific screens. (Working in Android Only for now)
allowScreenshotsAndRecordingForThisScreen()
Allow screenshots and screen recordings for specific screens. (Working in Android Only for now)
applySSLPinning(List<String> certificatePaths, dynamic client)
Attaches SSL certificates for secure network communication with the Dio client.
initSecurity({required SecurityConfig config})
Starts app integrity checks with specified configurations for a secure app environment.
SecurityConfig
The SecurityConfig
class allows you to configure parameters for different integrity checks, SSL
certificates, and app security options.
- Properties:
Datatype | Parameter | Required On Android | Required On IOS | Default Value | Description |
---|---|---|---|---|---|
List< String> |
androidSigningSHA256Hashes | β | β | -- | List of SHA256 hashes for Android app signing. |
String | androidPackageName | β | β | -- | Package name for the Android app. |
List< String> |
iosBundleIds | β | β | -- | List of iOS bundle IDs. |
String | iosTeamId | β | β | -- | Team ID for iOS app signing. |
String | watcherEmail | β | β | -- | Email for receiving alerts when integrity issues are detected. |
bool | enableOnAndroid | β | β | -- | Indicates if security checks should be enabled on Android. |
bool | enableOniOS | β | β | -- | Indicates if security checks should be enabled on IOS. |
List< String> |
supportedStores | Optional | Optional | -- | Supported app stores. |
bool | isProduction | Optional | Optional | true | Indicates if the app is in production mode. |
List< SecOnControlsToApply> |
checksToEnable | Optional | Optional | -- | List of security checks to enable . If null , all security checks will be enabled by default. |
π Troubleshooting
If you encounter any issues, please ensure:
- The
Dio
client is correctly configured for SSL pinning. - Your certificate files are included in the projectβs asset bundle and referenced correctly
in
pubspec.yaml
.
βΉοΈ Dependencies
This plugin relies on several other plugins to provide robust security features:
- freeRASP: Used for runtime application self-protection (RASP) and integrity checks.
- screen_protector: Used for screen prevention in IOS.
- fluttertoast: Used for showing Toasts without context.
- dio: Used for Handling SSL Pinning for it's client.
- dio_http_formatter: Used for beautifying Dio responses.
- interact: Used for interacting with user in terminal.
These dependencies are necessary to ensure the plugin provides optimal security functionality.
β οΈ Important Note on Log Warnings
You may encounter certain warnings in the logs when using this plugin, especially those related to the underlying dependencies. These warnings are not errors and do not impact the functionality or security of your application. We are actively working on minimizing these messages, and future updates to the plugin will aim to address them.
π Contributing
Contributions are welcome! If you have suggestions, feel free to open an issue or submit a pull request. This is the first version of Dash Shield, and enhancements, as well as new security features, will be added soon to improve its functionality.
Special thanks to the current contributors:
Habeba Yasser π |
Ahmed Desoky π |
π§ License
Dash Shield is released under the MIT License.