How to protect Flutter app from reverse engineering
I am trying to develop a payment application using Flutter. Is there any way to protect my application's APIs and tokens, or to make the app reverse-engineering proof?
If you are looking for bulletproof solutions that are 100% effective at preventing a mobile app binary from being reverse engineered to extract tokens or secrets from it, then I have to tell you that, unfortunately, this is not possible to achieve, but you can make it harder... How hard will depend on the effort and resources you are willing to invest, or are legally required to invest, for your use case.
On the other hand, protecting the mobile API from being accessed by anything other than a genuine instance of your mobile app can be achieved with a very high degree of confidence.
How easy is it to extract an API key from a mobile app?
A mobile app binary can be easily reverse engineered to extract API tokens from it with plenty of open-source tools, as I demonstrate in the article How to Extract an API key from a Mobile App with Static Binary Analysis:
The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.
Alternatively, the same API key can be extracted with a Man in the Middle (MitM) attack, for which we also have open-source tools, like mitmproxy, as I demonstrate in my article Steal that Api Key with a Man in the Middle Attack:
In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
Defending against reverse engineering
Reverse engineering is a huge topic, and you can learn more about the techniques used in it by reading the markdown file 0x04c-Tampering-and-Reverse-Engineering.md in the OWASP Mobile Security Testing Guide (MSTG) Github repository.
You cannot make a mobile app 100% reverse-engineering proof, but you can use a lot of code-hardening techniques to make it harder, and/or use some runtime self-protection mechanism, aka RASP:
Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering.
You can read about some possible anti-reversing defenses in the OWASP MSTG repository:
- Android - 0x05j-Testing-Resiliency-Against-Reverse-Engineering.md
- iOS - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
So, these are all approaches that make decisions on the client side, and therefore they can be easily bypassed with an instrumentation framework like Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
Am I telling you that using them is worthless? No, on the contrary, you should add as many layers of defense as possible, just as castles did in past centuries, to prevent the enemy from breaking through the outer layers of defense.
The difference between WHO and WHAT is accessing the API server
Before I dive into how to protect your API server, I would like to first clear up a misconception that I usually find among developers of any seniority, which is about the difference between who and what is accessing the API server.
I wrote a series of articles around API and mobile security, and in the article Why Does Your Mobile App Need An API Key? you can read in detail the difference between who and what is accessing your API server, but I will extract the main takeaways here:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So, think about the who as the user that your API server will be able to authenticate and authorize access to the data, and think about the what as the software making that request on behalf of the user.
Locking the API server to the mobile app
So, anything that runs on the client side and needs some secret to access an API server can be abused in different ways, and you can learn more about mobile API security techniques in this series of articles. The articles will teach you how API keys, user access tokens, HMAC and TLS pinning can be used to protect the API, and how they can be bypassed.
To solve the problem of what is accessing your mobile app, you need to use one or all of the solutions mentioned in the series of articles about mobile API security techniques that I mentioned above, and accept that they can only make unauthorized access to your API server harder to bypass, but not impossible.
A better approach can be employed by using a Mobile App Attestation solution, which enables the API server to know with a very high degree of confidence that it is only responding to requests from a genuine mobile app. I recommend that you read my answer to the question How to secure an API REST for mobile app?, where you will find more details.
Do you want to go the extra mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIs
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For mobile apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
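The who/what split and the HMAC technique mentioned in the answer above, as an added example that is not from the original answer or from the author's article series: a Python sketch of the server-side checks, followed by the reason a client-held HMAC secret can only raise the bar. Every token, secret, endpoint and request below is constructed for the demo, and the header names (X-Timestamp, X-Signature) are assumptions, not a standard.

```python
import hashlib
import hmac
import time

# Server-side state, constructed for this demo.
USER_TOKENS = {"tok-user-42": "alice"}           # WHO: token issued to a user after login
APP_SECRET = b"hmac-secret-baked-into-the-app"   # WHAT: the secret shipped inside the binary
MAX_SKEW_SECONDS = 300                           # replay window for signed requests


def canonical(method, path, body, timestamp, token):
    """Bytes the client signs: method, path, timestamp, user token and body.
    Binding the user token ties the WHAT proof to one specific WHO."""
    return f"{method}\n{path}\n{timestamp}\n{token}\n".encode() + body


def sign(method, path, body, timestamp, token, secret):
    return hmac.new(secret, canonical(method, path, body, timestamp, token),
                    hashlib.sha256).hexdigest()


def build_request(method, path, body, token, secret, now=None):
    """What the mobile app (or anything else holding `secret`) does before sending."""
    ts = str(int(time.time() if now is None else now))
    return {
        "method": method, "path": path, "body": body,
        "headers": {
            "Authorization": f"Bearer {token}",
            "X-Timestamp": ts,
            "X-Signature": sign(method, path, body, ts, token, secret),
        },
    }


def authorize(request, now=None):
    """Server-side check. Returns (user, reason); user is None when rejected."""
    now = time.time() if now is None else now
    headers = request["headers"]
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, "missing bearer token"
    token = auth[len("Bearer "):]
    user = USER_TOKENS.get(token)
    if user is None:
        return None, "unknown user token"             # WHO check failed
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return None, "stale or missing timestamp"      # outside the replay window
    expected = sign(request["method"], request["path"], request["body"],
                    ts, token, APP_SECRET)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None, "bad request signature"           # WHAT check failed
    return user, "ok"


def demo(now=1_700_000_000):
    """Five requests against the same endpoint; all inputs are constructed."""
    body = b'{"to":"bob","amount":10}'
    genuine = build_request("POST", "/v1/transfer", body, "tok-user-42", APP_SECRET, now)
    # A script that stole only the user's bearer token (Postman-style): no app secret.
    script = build_request("POST", "/v1/transfer", body, "tok-user-42", b"", now)
    # The genuine request with its body altered after it was signed.
    tampered = dict(genuine, body=b'{"to":"mallory","amount":10}')
    # An attacker who pulled APP_SECRET out of the APK signs exactly like the real app.
    extracted = build_request("POST", "/v1/transfer",
                              b'{"to":"mallory","amount":10}',
                              "tok-user-42", APP_SECRET, now)
    return {
        "genuine": authorize(genuine, now),
        "script": authorize(script, now),
        "tampered": authorize(tampered, now),
        "replayed": authorize(genuine, now + 3600),    # same bytes, an hour later
        "extracted": authorize(extracted, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The signature check does reject a script that only has the user's token, an altered body and a stale replay, so it is a worthwhile layer. The "extracted" case, however, is accepted with "ok": once the secret has been lifted from the binary by the static analysis or MitM route described above, the server sees a request that is byte-for-byte what the real app would send. That is the limit the answer is describing, and the reason it points to attestation, where the proof of what is not a static value stored in the app.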
Unfortunately, you can't. If you distribute a "secret" to users, you cannot protect it from reverse engineering. The simplest way to think about this is that a dedicated reverse engineer will be able to perfectly emulate any encryption, obfuscation or other measures you take. If you don't want users to have something (e.g. secret tokens, passwords, keys, etc.), don't distribute it to them.
Reverse engineering protection is a difficult task, since you have to cover the specifics of both the iOS and Android worlds. Unless you decide to implement your own solution, there are various libraries (freeRASP, flutter_jailbreak_detection) that address this problem. The downside is that if someone cracks the library (e.g. with a Frida script or a Magisk module), all the apps that depend on it become vulnerable too. For example, many reverse engineering toolkits already include a bypass for the popular RootBeer library. If you can't create a solution from scratch, you can use any RASP library and add your own spice on top of it; RE protection should always consist of as many layers as possible.
Disclaimer: I contribute to freeRASP.
Example (using freeRASP):
    // Callback part of a freeRASP (Talsec) setup. Each detected threat here
    // simply terminates the app with exit(0) from dart:io; the config
    // (TalsecConfig) and the start call that go with it are in the freeRASP README.
    import 'dart:io';
    // freeRASP import path assumed from the README for this callback-based API version.
    import 'package:freerasp/talsec_app.dart';

    final callback = TalsecCallback(
      // For Android
      androidCallback: AndroidCallback(
        onRootDetected: () => exit(0),
        onEmulatorDetected: () => exit(0),
        onFingerprintDetected: () => exit(0),
        onHookDetected: () => exit(0),
        onTamperDetected: () => exit(0),
      ),
      // For iOS (the parameter is iosCallback; the class is IOScallback)
      iosCallback: IOScallback(
        onSignatureDetected: () => exit(0),
        onRuntimeManipulationDetected: () => exit(0),
        onJailbreakDetected: () => exit(0),
        onPasscodeChangeDetected: () => exit(0),
        onPasscodeDetected: () => exit(0),
        onSimulatorDetected: () => exit(0),
        onMissingSecureEnclaveDetected: () => exit(0),
      ),
      // Common for both platforms
      onDebuggerDetected: () => exit(0),
    );
However, an attacker can find the underlying check methods (in the native Android/iOS code) and disable them, both statically and dynamically.