Flutter Secure App

A comprehensive RASP (Runtime Application Self-Protection) and Anti-Tampering Flutter plugin natively bridging security rules for Android & iOS to the Dart layer. Ensure reverse-engineers, malware, and interceptors have a difficult time compromising your app's environment.

Features

Jailbreak / Root Detection: Detects compromised devices iOS Jailbreak and Android Rooting.
Simulator / Emulator Detection: Prevents your app from running on fraudulent emulator environments.
Debugger Access Detection: Halts app execution if a debugger is attached.
App Signature Checks & Signature Validations: Validates Android Signatures and iOS Apple Team IDs to prevent app repackaging and tampering.
Store Verification (Vending): Checks if the app was downloaded from official stores (App Store / Google Play).
Device Binding & ID Spoofing Protections: Prevents device identifiers from being spoofed.
SSL Pinning Interceptor: Validates server certificates via SHA-256 fingerprints to defend against Man-in-the-Middle (MITM) attacks.
SSL SPKI Pinning Interceptor: Optionally validates the server certificate's SubjectPublicKeyInfo (SPKI) SHA-256 hash for an extra layer of public key pinning.
Secure HTTP Client (Anti-Proxy): Bypasses system proxies natively to prevent network traffic sniffers and interception tools.

Installation

Add this to your pubspec.yaml:

dependencies:
  flutter_secure_app: ^1.0.6

Getting Started & Usage

Just import and initialize the plugin at the root of your application (preferably before starting the app logic):

import 'package:flutter_secure_app/flutter_secure_app.dart';

void main() async {
  WidgetsFlutterBinding.ensureInitialized();
  
  await FlutterSecureApp().init(
    isEnabled: true,
    isProdEnv: true, // Toggles specific logic like Store Verification check

    // Granular Threat Toggles (Disable during development):
    checkJailbreakOrHooking: !kDebugMode,
    checkEmulator: !kDebugMode,
    checkDebugger: !kDebugMode,
    checkAppSignature: !kDebugMode,
    checkOfficialStore: !kDebugMode,
    checkDeviceBinding: !kDebugMode,
    checkDeviceIdSpoofing: !kDebugMode,

    // XOR Obfuscator (String Hiding) - Reverse Engineering Protection:
    // Pass your plain or decoded signatures arrays dynamically.
    validIosTeamIds: [
      // e.g., '1234567890' or dynamic decoded strings
      MyGlobalSecureConfig.appleTeamId,
    ],
    validAndroidSignatures: [
      // e.g., 'A1:B2:C3...'
      MyGlobalSecureConfig.androidSignature,
    ],
    onThreatDetected: (SecureAppThreatType threatType) {
      print('A security threat occurred: $threatType');
      // For example, terminate app gracefully or block login.
    },
    onException: (error, stackTrace) {
      print('Plugin internals threw an error: $error');
    }
  );

  runApp(MyApp());
}

Configuration Parameters

Parameter	Type	Default	Description
`isEnabled`	`bool`	`true`	Completely enables or disables the plugin engine.
`isProdEnv`	`bool`	`true`	Used to enforce production-only checks such as Official Store vending checks.
`checkJailbreakOrHooking`	`bool`	`true`	Validates if device is rooted/jailbroken or has hooking frameworks.
`checkEmulator`	`bool`	`true`	Validates if device is an emulator.
`checkDebugger`	`bool`	`true`	Validates if a debugger is attached.
`checkAppSignature`	`bool`	`true`	Checks if the app is repackaged or signed by unauthorized certificates.
`checkOfficialStore`	`bool`	`true`	Verifies installation source is App Store/Google Play (Ignored if `isProdEnv` is `false`).
`validIosTeamIds`	`List<String>`	`[]`	List of approved Apple Team IDs.
`validAndroidSignatures`	`List<String>`	`[]`	List of approved Android App Signatures.
`onThreatDetected`	`Function`	`null`	Callback triggered when a threat is identified.
`onException`	`Function`	`null`	Callback for internal plugin exceptions/errors.

Network Security (Dio Integration)

The plugin provides ready-to-use tools for the popular dio package to secure your network layer against Man-in-the-Middle (MITM) attacks and malicious proxy sniffing.

1. SSL Pinning Interceptor
Validates the server certificate SHA-256 fingerprints. If the hash doesn't match, the request is rejected and SecureAppThreatType.sslPinningError is triggered.

1.a. SPKI Pinning in Secure HTTP Client Adapter
SSL SPKI Pinning Control (SSL Subject Public Key Info Control) Optionally validates the server certificate's SubjectPublicKeyInfo (SPKI) SHA-256 hash as an additional pinning layer.

2. Secure HTTP Client Adapter (Anti-Proxy)
Forces the HTTP client to bypass system proxy configurations, making it extremely difficult to intercept traffic using tools like Charles Proxy or Burp Suite.

import 'package:dio/dio.dart';
import 'package:flutter/foundation.dart';
import 'package:flutter_secure_app/flutter_secure_app.dart';

final dio = Dio();

// 1. Add SSL Pinning Interceptor
dio.interceptors.add(SslPinningInterceptor(
  allowedFingerprints: [
    'YOUR_SERVER_SHA256_FINGERPRINT_1',
    'YOUR_SERVER_SHA256_FINGERPRINT_2',
  ],
  bypassForLocalhost: kDebugMode, // Bypass pinning for local API testing
));

// 2. Set Secure HTTP Adapter (Anti-Proxy) with optional SPKI pinning
dio.httpClientAdapter = SecureHttpClientAdapter.getAdapter(
  allowedSpkiHashes: [
    'YOUR_SERVER_SPKI_SHA256_HASH',
  ],
  bypassSpkiForLocalhost: kDebugMode,
);