flutter_app_security 1.0.0

A comprehensive Flutter security module providing multiple layers of protection against common mobile app attacks including root/jailbreak detection, emulator detection, tampering detection, SSL pinni [...]

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

1.0.0 - 2024-12-25

Added

• Initial release with multi-platform support

Platform Support

• Android - Full security feature support
• iOS - Full security feature support
• macOS - Screen protection, code signature verification
• Windows - Screen protection via SetWindowDisplayAffinity
• Web - Limited checks (secure context, DevTools detection)
• Linux - Compiles but no native features yet

Core Features

• Root Detection - Detect rooted Android devices
  • Check for common root binaries (su, magisk)
  • Check for root management apps
  • Check build tags for test-keys
• Jailbreak Detection - Detect jailbroken iOS devices
  • Check for Cydia, Sileo, and other jailbreak apps
  • Check for jailbreak files and directories
  • Check for symbolic link modifications
  • Check Cydia URL scheme
• Emulator Detection - Detect emulators and simulators
  • Android: Check device properties, QEMU files, build fingerprint
  • iOS: Check isPhysicalDevice flag and environment variables
• Debug Mode Detection - Detect debugging
  • Check Flutter's kDebugMode and kReleaseMode
  • Check for attached debuggers (TracerPid on Android)
  • Check for Xcode environment on iOS
  • Works on all platforms via kDebugMode
• App Tampering Detection - Detect modified apps
  • Verify app signature against allowed signatures
  • Detect debug certificates
  • Check installer source (Play Store, sideloaded)
  • Verify iOS code signature
  • macOS: codesign verification
• Hooking Framework Detection - Detect runtime manipulation
  • Frida detection (port scanning, memory maps)
  • Xposed Framework detection
  • LSPosed/EdXposed detection
  • Cydia Substrate detection (iOS)
• SSL Pinning - Prevent MITM attacks
  • SHA-256 certificate pin validation
  • Certificate pin generator utilities
  • Secure HttpClient configuration
  • Available on mobile and desktop (not web)
• Screen Security - Prevent screen capture
  • Android: FLAG_SECURE implementation
  • iOS: Secure text field overlay technique
  • macOS: window.sharingType = .none
  • Windows: SetWindowDisplayAffinity API
  • Screen recording detection (iOS/macOS)

Configuration System

• Development config (all checks disabled)
• Production config (all checks enabled)
• Custom configuration support
• Platform-aware defaults

Widgets

• SecureApp wrapper widget
• SecurityBlockedScreen for threat display
• SecureContent for protected content areas
• RecordingDetectedWidget for screen recording warnings

Native Plugins

• Android Kotlin plugin with full feature support
• iOS Swift plugin with full feature support
• macOS Swift plugin with screen protection and code signing
• Windows C++ plugin with screen capture prevention
• Web Dart plugin with limited security utilities

Cross-Platform Architecture

• Conditional imports for platform-specific code
• PlatformHelper for platform detection without dart:io
• Stub implementations for web platform
• Graceful degradation on unsupported platforms

Technical

• Uses package:web instead of deprecated dart:html
• Conditional imports: import 'x.dart' if (dart.library.html) 'y.dart'
• All platform-specific I/O isolated in separate files
• Full test coverage for configuration and result classes

Security

• All security checks are performed locally
• No data is sent to external servers
• Secure storage for security event logging