freeRASP: 7.3.0 (#182)

* feat!: add new detection callbacks

* feat!: add new termination option

* chore: update tests

* chore: raise SDK version

* chore: raise version

* feat: add new kill option

* refactor(demo): fix `minSdkVersion`

* refactor(demo): add new checks and run check control

* chore: update iOS SDK

* refactor: add pigeon api

* refactor: implement new callback

* chore: add dependency

* chore: update demo app

* chore: update build script

* chore: update tests

* chore: update analysis_options

* chore: update docs

* style: formatting

* chore: update CHANGELOG

* ci: raise flutter sdk version

* fix: downgrade `very_good_analysis`

* fix: downgrade `pigeon`

* style: formatting

* style: formatting

* fix: raise minSdkVersion

* fix: argument handling

* fix: argument handling

* fix: remove unnecessary log

* fix: rename variable

* refactor: organise files

* refactor: update generation path

* refactor: update

* fix: add docs

* chore: update CHANGELOG

* fix: change default value of `killOnBypass`

* docs: update

* chore: fix versions

Author: yardexx

.github/workflows/flutter-ci.yml

@@ -17,7 +17,7 @@ on:
   workflow_dispatch:
 
 env:
-  FLUTTER_VERSION: 3.19.0
+  FLUTTER_VERSION: 3.24.0
   PANA_VERSION: 0.22.8
 
 jobs:

CHANGELOG.md

@@ -5,6 +5,36 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.3.0] - 2025-10-20
+- Android SDK version: 17.0.0
+- iOS SDK version: 6.13.0
+
+### Flutter
+
+#### Added
+- Added `killOnBypass` to `TalsecConfig` that configures if the app should be terminated when the threat callbacks are suppressed/hooked by an attacker (Android only) ([Issue 65](https://github.com/talsec/Free-RASP-Android/issues/65))
+- Added `onTimeSpoofing` callback to `ThreatCallback` for handling `Threat.timeSpoofing` threat (Android only)
+  - We are introducing a new capability, detecting whether the device time has been tampered with
+- Added `onLocationSpoofing` callback to `ThreatCallback` for handling `Threat.locationSpoofing` threat (Android only)
+  - We are introducing a new capability, detecting whether the location is being spoofed on the device.
+- Added `onUnsecureWifi` callback to `ThreatCallback` for handling `Threat.unsecureWifi` threat (Android only)
+  - We are introducing a new capability, detecting whether the device is connected to an unsecured Wi-Fi network.
+- Added `onAllChecksDone` callback to new `RaspExecutionStateCallback`
+  - We are introducing a new callback that notifies when all security checks have been completed.
+
+### Android
+
+#### Removed
+- Removed deprecated functionality `Pbkdf2Native` and both related native libraries (`libpbkdf2_native.so` and `libpolarssl.so`)
+
+#### Changed
+- Updated internal dependencies
+
+### iOS
+
+#### Changed
+- Updated internal dependencies
+
 ## [7.2.2] - 2025-10-09
 - iOS SDK version: 6.12.1
 - Android SDK version: 16.0.1

analysis_options.yaml

@@ -1,5 +1,7 @@
 include: package:very_good_analysis/analysis_options.yaml
 
 analyzer:
+  errors:
+    document_ignores: false
   exclude:
     - '**/*.g.dart'

android/build.gradle

@@ -3,7 +3,7 @@ version '1.0-SNAPSHOT'
 
 buildscript {
     ext.kotlin_version = '2.1.0'
-    ext.talsec_version = '16.0.1'
+    ext.talsec_version = '17.0.0'
     repositories {
         google()
         mavenCentral()

android/src/main/kotlin/com/aheaditec/freerasp/Threat.kt

@@ -39,4 +39,10 @@ internal sealed class Threat(val value: Int) {
     object ScreenRecording : Threat(64690214)
 
     object MultiInstance : Threat(859307284)
+
+    object UnsecureWiFi : Threat(363588890)
+
+    object TimeSpoofing : Threat(189105221)
+
+    object LocationSpoofing : Threat(653273273)
 }

android/src/main/kotlin/com/aheaditec/freerasp/Utils.kt

@@ -31,6 +31,7 @@ internal object Utils {
 
         val watcherMail = json.getString("watcherMail")
         val isProd = json.getBoolean("isProd")
+        val killOnBypass = json.optBoolean("killOnBypass")
         val androidConfig = json.getJSONObject("androidConfig")
         val packageName = androidConfig.getString("packageName")
         val certificateHashes = androidConfig.extractArray<String>("signingCertHashes")
@@ -41,6 +42,7 @@ internal object Utils {
             .watcherMail(watcherMail)
             .supportedAlternativeStores(alternativeStores)
             .prod(isProd)
+            .killOnBypass(killOnBypass)
             .blacklistedPackageNames(malwareConfig.blacklistedPackageNames)
             .blacklistedHashes(malwareConfig.blacklistedHashes)
             .suspiciousPermissions(malwareConfig.suspiciousPermissions)

android/src/main/kotlin/com/aheaditec/freerasp/generated/RaspExecutionState.kt

@@ -0,0 +1,53 @@
+// Autogenerated from Pigeon (v22.7.4), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
+
+package com.aheaditec.freerasp.generated
+
+import android.util.Log
+import io.flutter.plugin.common.BasicMessageChannel
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.EventChannel
+import io.flutter.plugin.common.MessageCodec
+import io.flutter.plugin.common.StandardMethodCodec
+import io.flutter.plugin.common.StandardMessageCodec
+import java.io.ByteArrayOutputStream
+import java.nio.ByteBuffer
+
+private fun createConnectionError(channelName: String): FlutterError {
+  return FlutterError("channel-error",  "Unable to establish connection on channel: '$channelName'.", "")}
+private open class RaspExecutionStatePigeonCodec : StandardMessageCodec() {
+  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
+    return     super.readValueOfType(type, buffer)
+  }
+  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
+    super.writeValue(stream, value)
+  }
+}
+
+/** Generated class from Pigeon that represents Flutter messages that can be called from Kotlin. */
+class RaspExecutionState(private val binaryMessenger: BinaryMessenger, private val messageChannelSuffix: String = "") {
+  companion object {
+    /** The codec used by RaspExecutionState. */
+    val codec: MessageCodec<Any?> by lazy {
+      RaspExecutionStatePigeonCodec()
+    }
+  }
+  fun onAllChecksFinished(callback: (Result<Unit>) -> Unit)
+{
+    val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
+    val channelName = "dev.flutter.pigeon.freerasp.RaspExecutionState.onAllChecksFinished$separatedMessageChannelSuffix"
+    val channel = BasicMessageChannel<Any?>(binaryMessenger, channelName, codec)
+    channel.send(null) {
+      if (it is List<*>) {
+        if (it.size > 1) {
+          callback(Result.failure(FlutterError(it[0] as String, it[1] as String, it[2] as String?)))
+        } else {
+          callback(Result.success(Unit))
+        }
+      } else {
+        callback(Result.failure(createConnectionError(channelName)))
+      } 
+    }
+  }
+}

android/src/main/kotlin/com/aheaditec/freerasp/generated/TalsecPigeonApi.kt

@@ -1,12 +1,15 @@
-// Autogenerated from Pigeon (v22.4.0), do not edit directly.
+// Autogenerated from Pigeon (v22.7.4), do not edit directly.
 // See also: https://pub.dev/packages/pigeon
 @file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
 
 package com.aheaditec.freerasp.generated
 
+import android.util.Log
 import io.flutter.plugin.common.BasicMessageChannel
 import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.EventChannel
 import io.flutter.plugin.common.MessageCodec
+import io.flutter.plugin.common.StandardMethodCodec
 import io.flutter.plugin.common.StandardMessageCodec
 import java.io.ByteArrayOutputStream
 import java.nio.ByteBuffer

android/src/main/kotlin/com/aheaditec/freerasp/handlers/MethodCallHandler.kt

@@ -8,8 +8,9 @@ import android.os.Looper
 import androidx.lifecycle.Lifecycle
 import androidx.lifecycle.LifecycleEventObserver
 import androidx.lifecycle.LifecycleOwner
-import com.aheaditec.freerasp.runResultCatching
 import com.aheaditec.freerasp.Utils
+import com.aheaditec.freerasp.generated.RaspExecutionState
+import com.aheaditec.freerasp.runResultCatching
 import com.aheaditec.freerasp.generated.TalsecPigeonApi
 import com.aheaditec.freerasp.toPigeon
 import com.aheaditec.talsec_security.security.api.SuspiciousAppInfo
@@ -26,7 +27,8 @@ import io.flutter.plugin.common.MethodChannel.MethodCallHandler
 internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
     private var context: Context? = null
     private var methodChannel: MethodChannel? = null
-    private var pigeonApi: TalsecPigeonApi? = null
+    private var talsecPigeon: TalsecPigeonApi? = null
+    private var raspExecutionPigeon : RaspExecutionState? = null
     private val backgroundHandlerThread = HandlerThread("BackgroundThread").apply { start() }
     private val backgroundHandler = Handler(backgroundHandlerThread.looper)
     private val mainHandler = Handler(Looper.getMainLooper())
@@ -41,7 +43,7 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
         override fun onMalwareDetected(packageInfo: List<SuspiciousAppInfo>) {
             context?.let { context ->
                 val pigeonPackageInfo = packageInfo.map { it.toPigeon(context) }
-                pigeonApi?.onMalwareDetected(pigeonPackageInfo) { result ->
+                talsecPigeon?.onMalwareDetected(pigeonPackageInfo) { result ->
                     // Parse the result (which is Unit so we can ignore it) or throw an exception
                     // Exceptions are translated to Flutter errors automatically
                     result.getOrElse {
@@ -51,10 +53,22 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
                 }
             }
         }
+
+        override fun onAllChecksFinished() {
+            raspExecutionPigeon?.onAllChecksFinished { result ->
+                // Parse the result (which is Unit so we can ignore it) or throw an exception
+                // Exceptions are translated to Flutter errors automatically
+                result.getOrElse {
+                    Log.e("MethodCallHandlerSink", "Result ended with failure")
+                    throw it
+                }
+            }
+        }
     }
 
     internal interface MethodSink {
         fun onMalwareDetected(packageInfo: List<SuspiciousAppInfo>)
+        fun onAllChecksFinished()
     }
 
     /**
@@ -76,7 +90,8 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
         }
 
         this.context = context
-        this.pigeonApi = TalsecPigeonApi(messenger)
+        this.talsecPigeon = TalsecPigeonApi(messenger)
+        this.raspExecutionPigeon = RaspExecutionState(messenger)
 
         TalsecThreatHandler.attachMethodSink(sink)
     }
@@ -89,7 +104,8 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
         methodChannel = null
 
         this.context = null
-        this.pigeonApi = null
+        this.talsecPigeon = null
+        this.raspExecutionPigeon = null
 
         TalsecThreatHandler.detachMethodSink()
     }
@@ -184,9 +200,13 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
      */
     private fun blockScreenCapture(call: MethodCall, result: MethodChannel.Result) {
         runResultCatching(result) {
-            val enable = call.argument<Boolean>("enable") ?: false
-            Talsec.blockScreenCapture(activity, enable)
-            result.success(null)
+            val enable = call.argument<Boolean>("enable") ?: throw NullPointerException("Enable flag cannot be null.")
+            activity?.let {
+                Talsec.blockScreenCapture(it, enable)
+                result.success(null)
+                return@runResultCatching
+            }
+            throw IllegalStateException("Unable to block screen capture - context is null")
         }
     }
 
@@ -209,9 +229,13 @@ internal class MethodCallHandler : MethodCallHandler, LifecycleEventObserver {
      */
     private fun storeExternalId(call: MethodCall, result: MethodChannel.Result) {
         runResultCatching(result) {
-            val data = call.argument<String>("data")
-            Talsec.storeExternalId(context, data)
-            result.success(null)
+            context?.let {
+                val data = call.argument<String>("data") ?: throw NullPointerException("External ID data cannot be null.")
+                Talsec.storeExternalId(it, data)
+                result.success(null)
+                return@runResultCatching
+            }
+            throw IllegalStateException("Unable to store external ID - context is null")
         }
     }
 }

android/src/main/kotlin/com/aheaditec/freerasp/handlers/PluginThreatHandler.kt

@@ -5,6 +5,7 @@ import com.aheaditec.freerasp.Threat
 import com.aheaditec.talsec_security.security.api.SuspiciousAppInfo
 import com.aheaditec.talsec_security.security.api.ThreatListener
 import com.aheaditec.talsec_security.security.api.ThreatListener.DeviceState
+import com.aheaditec.talsec_security.security.api.ThreatListener.RaspExecutionState
 import com.aheaditec.talsec_security.security.api.ThreatListener.ThreatDetected
 
 /**
@@ -13,12 +14,13 @@ import com.aheaditec.talsec_security.security.api.ThreatListener.ThreatDetected
  * The object provides methods to register a listener for threat notifications and notifies the
  * listener when a security threat is detected.
  */
-internal object PluginThreatHandler : ThreatDetected, DeviceState {
+internal object PluginThreatHandler : ThreatDetected, DeviceState, RaspExecutionState() {
     internal val detectedThreats = mutableSetOf<Threat>()
     internal val detectedMalware = mutableListOf<SuspiciousAppInfo>()
+    internal var shouldNotifyAllChecksFinished = false
 
     internal var listener: TalsecFlutter? = null
-    private val internalListener = ThreatListener(this, this)
+    private val internalListener = ThreatListener(this, this, this)
 
     internal fun registerListener(context: Context) {
         internalListener.registerListener(context)
@@ -28,6 +30,10 @@ internal object PluginThreatHandler : ThreatDetected, DeviceState {
         internalListener.unregisterListener(context)
     }
 
+    override fun onAllChecksFinished() {
+        notifyAllChecksFinished()
+    }
+
     override fun onRootDetected() {
         notify(Threat.PrivilegedAccess)
     }
@@ -96,6 +102,18 @@ internal object PluginThreatHandler : ThreatDetected, DeviceState {
         notify(Threat.MultiInstance)
     }
 
+    override fun onUnsecureWifiDetected() {
+        notify(Threat.UnsecureWiFi)
+    }
+
+    override fun onTimeSpoofingDetected() {
+        notify(Threat.TimeSpoofing)
+    }
+
+    override fun onLocationSpoofingDetected() {
+        notify(Threat.LocationSpoofing)
+    }
+
     private fun notify(threat: Threat) {
         listener?.threatDetected(threat) ?: detectedThreats.add(threat)
     }
@@ -104,9 +122,15 @@ internal object PluginThreatHandler : ThreatDetected, DeviceState {
         listener?.malwareDetected(suspiciousApps) ?: detectedMalware.addAll(suspiciousApps)
     }
 
+    private fun notifyAllChecksFinished() {
+        listener?.allChecksFinished() ?: run { shouldNotifyAllChecksFinished = true }
+    }
+
     internal interface TalsecFlutter {
         fun threatDetected(threatType: Threat)
 
         fun malwareDetected(suspiciousApps: List<SuspiciousAppInfo>)
+
+        fun allChecksFinished()
     }
 }