Merge pull request #13 from talsec/add_obfuscationIssues_check

Add obfuscation issues check

CHANGELOG.md

@@ -1,8 +1,17 @@
+# freeRASP 5.0.0
+
+### Android
+
+-   ❗ BREAKING CHANGE: Raised minimum supported Android version to 6.0 (API level 23)
+-   ✔️ Removed deprecated BouncyCastle dependency that could cause errors in the build phase
+-   ✔️ Fixed issue that could cause NullPointerException
+-   🆕 Added new `obfuscationIssues` check, which is triggered when freeRASP doesn't detect any obfuscation of the source code
+
 # freeRASP 4.0.1
 
 ### iOS
 
-- ✔️ Fixed issue with metadata in iOS framework
+-   ✔️ Fixed issue with metadata in iOS framework
 
 # freeRASP 4.0.0
 

README.md

@@ -80,12 +80,13 @@ Add platforms to your Cordova project:
 
 ### Android
 
-Talsec Cordova plugin uses Kotlin, add following lines into the `config.xml` file in your project root directory.
+freeRASP for Android requires a **minimum SDK** level of **23** and a **target SDK** level of **31**. Cordova projects, by default, support even lower levels of minimum and target SDKs. This creates an inconsistency we must solve by updating the SDK levels of the application. Additionally, the freeRASP Cordova plugin uses Kotlin; add the following lines into the `config.xml` file in your project root directory to enable Kotlin and set the required SDK versions.
 
 ```xml
 <preference name="GradlePluginKotlinEnabled" value="true" />
 <preference name="GradlePluginKotlinCodeStyle" value="official" />
 <preference name="GradlePluginKotlinVersion" value="1.7.10" />
+<preference name="android-minSdkVersion" value="23" />
 <preference name="android-targetSdkVersion" value="31" />
 ```
 
@@ -195,6 +196,9 @@ var threatListener = function (threatType) {
         case 'deviceID': // iOS only
             // TODO place your reaction here
             break;
+        case 'obfuscationIssues': // Android only
+            // TODO place your reaction here
+            break;
         default:
             console.log('Unknown threat type detected: ' + threatType);
     }
@@ -222,31 +226,40 @@ talsec
 
 ## Step 6: Additional note about obfuscation
 
-The freeRASP contains public API, so the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to use publicly available information to interrupt freeRASP operations or modify your custom reaction implementation in threat callbacks. In order for freeRASP to be as effective as possible, it is highly recommended to apply obfuscation to the final package/application, making the public API more difficult to find and also partially randomized for each application so it cannot be automatically abused by generic hooking scripts.
-
-### Android
+The freeRASP contains public API, so the integration process is as simple as possible. Unfortunately, this public API also creates opportunities for the attacker to use publicly available information to interrupt freeRASP operations or modify your custom reaction implementation in threat callbacks. In order to provide as much protection as possible, freeRASP obfuscates its source code. However, if all other code is not obfuscated, one can easily deduct that the obfuscated code belongs to a security library. We, therefore, encourage you to apply code obfuscation to your app, making the public API more difficult to find and also partially randomized for each application so it cannot be automatically abused by generic hooking scripts.
 
-The majority of Android projects support code shrinking and obfuscation without any additional need for setup. The owner of the project can define the set of rules that are usually automatically used when the application is built in the release mode. For more information, please visit the official documentation
-
--   https://developer.android.com/studio/build/shrink-code
--   https://www.guardsquare.com/manual/configuration/usage
+Probably the easiest way to obfuscate your app is via code minification, a technique that reduces the size of the compiled code by removing unnecessary characters, whitespace, and renaming variables and functions to shorter names. It can be configured for Android devices in **android/app/build.gradle** like so:
 
-You can make sure, that the obfuscation is enabled by checking the value of **minifyEnabled** property in your **module's build.gradle** file.
-
-```gradle
+```groovy
 android {
-    ...
-
     buildTypes {
         release {
+            ...
             minifyEnabled true
             shrinkResources true
-            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
+            proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"
         }
     }
 }
 ```
 
+Additionally, create or extend `proguard-rules.pro` in **android/app** folder and exclude Cordova’s specific classes that rely on package names from being obfuscated:
+
+```groovy
+-keep class org.apache.cordova.** {*;}
+-keep public class * extends org.apache.cordova.CordovaPlugin
+-flattenpackagehierarchy
+```
+
+Please note that some other modules in your app may rely on reflection, therefore it may be necessary to add corresponding keep rules into `proguard-rules.pro` file.
+
+If there is a problem with the obfuscation, freeRASP will notify you about it via **obfuscationIssues** callback.
+
+You can read more about Android obfuscation in the official documentation:
+
+-   https://developer.android.com/studio/build/shrink-code
+-   https://www.guardsquare.com/manual/configuration/usage
+
 ## Step 7: User Data Policies
 
 See the generic info about freeRASP data collection [here](https://github.com/talsec/Free-RASP-Community/tree/master#data-collection-processing-and-gdpr-compliance).
@@ -310,16 +323,16 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
             <td colspan=5><strong>Runtime App Self Protection (RASP, app shielding)</strong></td>
         </tr>
         <tr>
-            <td>Advanced root/jailbreak protections</td>
+            <td>Advanced root/jailbreak protections (including Magisk)</td>
             <td>basic</td>
             <td>advanced</td>
         </tr>
         <tr>
             <td>Runtime reverse engineering controls 
                 <ul>
-                    <li>Debug</li>
-                    <li>Emulator</li>
-                    <li>Hooking protections (e.g. Frida)</li>
+                    <li>Debugger</li>
+                    <li>Emulator / Simulator</li>
+                    <li>Hooking and reversing frameworks (e.g. Frida, Magisk, XPosed, Cydia Substrate and more)</li>
                 </ul>
             </td>
             <td>basic</td>
@@ -328,7 +341,7 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
         <tr>
             <td>Runtime integrity controls 
                 <ul>
-                    <li>Tamper protection</li>
+                    <li>Tampering protection</li>
                     <li>Repackaging / Cloning protection</li>
                     <li>Device binding protection</li>
                     <li>Unofficial store detection</li>
@@ -342,6 +355,8 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
                 <ul>
                     <li>HW security module control</li>
                     <li>Screen lock control</li>
+                    <li>Google Play Services enabled/disabled</li>
+                    <li>Last security patch update</li>
                 </ul>
             </td>
             <td>yes</td>
@@ -351,7 +366,7 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
             <td>UI protection 
                 <ul>
                     <li>Overlay protection</li>
-                    <li>Accessibility services protection</li>
+                    <li>Accessibility services misuse protection</li>
                 </ul>
             </td>
             <td>no</td>
@@ -362,11 +377,10 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
         </tr>
         <tr>
             <td>Security hardening suite 
-                <ul>
-                    <li>Customer Data Encryption (local storage)</li>
+                <ul>                
                     <li>End-to-end encryption</li>
                     <li>Strings protection (e.g. API keys)</li>
-                    <li>Dynamic certificate pinning</li>
+                    <li>Dynamic TLS certificate pinning</li>
                 </ul>
             </td>
             <td>no</td>
@@ -381,33 +395,41 @@ freeRASP is freemium software i.e. there is a Fair Usage Policy (FUP) that impos
             <td>yes</td>
         </tr>
         <tr>
-            <td colspan=5><strong>Monitoring</strong></td>
+            <td colspan=5><strong>Security events data collection, Auditing and Monitoring tools</strong></td>
         </tr>
         <tr>
-            <td>AppSec regular email reporting</td>
+            <td>Threat events data collection from SDK</td>
+            <td>yes</td>
+            <td>configurable</td>
+        </tr>
+        <tr>
+            <td>AppSec regular email reporting service</td>
             <td>yes (up to 100k devices)</td>
             <td>yes</td>
         </tr>
         <tr>
-            <td>Data insights and auditing portal</td>
+            <td>UI portal for Logging, Data analytics and auditing</td>
             <td>no</td>
             <td>yes</td>
         </tr>
+        <tr>     
+          <td colspan=5><strong>Support and Maintenance</strong></td>
+        </tr>
         <tr>
-            <td>Embed code to integrate with portal</td>
-            <td>no</td>
+            <td>SLA</td>
+            <td>Not committed</td>
             <td>yes</td>
         </tr>
         <tr>
-            <td>API data access</td>
-            <td>no</td>
+            <td>Maintenance updates</td>
+            <td>Not committed</td>
             <td>yes</td>
         </tr>
         <tr>
             <td colspan=5><strong>Fair usage policy</strong></td>
         </tr>
         <tr>
-            <td>Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section of the Talsec web or in the social media).</td>
+            <td>Mentioning of the App name and logo in the marketing communications of Talsec (e.g. "Trusted by" section on the web).</td>
             <td>over 100k downloads</td>
             <td>no</td>
         </tr>

hello/config.xml

@@ -11,5 +11,6 @@
     <preference name="GradlePluginKotlinEnabled" value="true" />
     <preference name="GradlePluginKotlinCodeStyle" value="official" />
     <preference name="GradlePluginKotlinVersion" value="1.7.10" />
+    <preference name="android-minSdkVersion" value="23" />
     <preference name="android-targetSdkVersion" value="31" />
 </widget>

hello/www/js/index.js

@@ -41,6 +41,8 @@ function onDeviceReady () {
 
     if (cordova.platformId === 'ios') {
         checks.deviceID = 'Device ID';
+    } else {
+        checks.obfuscationIssues = 'Obfuscation Issues';
     }
 
     Object.entries(checks).forEach(([check, msg]) => {
@@ -108,6 +110,10 @@ function onDeviceReady () {
             console.log('deviceID');
             changeThreatStyle('deviceID');
             break;
+        case 'obfuscationIssues': // Android only
+            console.log('obfuscationIssues');
+            changeThreatStyle('obfuscationIssues');
+            break;
         default:
             console.log(`Unknown threat type detected: ${threatType}`);
         }

package.json

@@ -1,6 +1,6 @@
 {
     "name": "cordova-talsec-plugin-freerasp",
-    "version": "4.0.1",
+    "version": "5.0.0",
     "description": "Cordova plugin for improving app security and threat monitoring on Android and iOS mobile devices.",
     "cordova": {
         "id": "cordova-talsec-plugin-freerasp",

src/android/TalsecPlugin.kt

@@ -94,6 +94,10 @@ class TalsecPlugin : CordovaPlugin(), ThreatListener.ThreatDetected, ThreatListe
         sendOngoingPluginResult("secureHardwareNotAvailable")
     }
 
+    override fun onObfuscationIssuesDetected() {
+        sendOngoingPluginResult("obfuscationIssues")
+    }
+
     private fun sendOngoingPluginResult(msg: String) {
         val result = PluginResult(PluginResult.Status.OK, msg)
         result.keepCallback = true

src/android/talsec.gradle

@@ -4,7 +4,7 @@ repositories {
 }
 
 dependencies {
-    implementation "com.aheaditec.talsec.security:TalsecSecurity-Community-Cordova:7.0.0"
+    implementation "com.aheaditec.talsec.security:TalsecSecurity-Community-Cordova:8.0.1"
 }
 
 android {