[WIP] fix: Security audit #1702

Closed
wants to merge 175 commits into from
f780430
fix: masking seeds, showing time out
phuocbitmark Mar 18, 2024
5cca695
fix: fix page name
phuocbitmark Mar 18, 2024
2b4cd6d
checkout mount
phuocbitmark Mar 18, 2024
18dd8f7
feat: hide, unhide icon
phuocbitmark Mar 18, 2024
81549f7
feat: set secure_flag for recovery page (#1586)
phuocbitmark Mar 18, 2024
e2e4a75
update encryption key & restore flow (#1584)
hvthhien Mar 18, 2024
c2f57e9
fix: update import address ui
phuocbitmark Mar 19, 2024
58cb9fa
Merge pull request #1585 from bitmark-inc/masking_seeds
phuocbitmark Mar 19, 2024
0689a1b
feat: enable minify and shrink resource
phuocbitmark Mar 19, 2024
3196eaa
Merge pull request #1590 from bitmark-inc/minify_shrink
phuocbitmark Mar 19, 2024
8edfa63
fix(security_audit): clear data when forget i exist (#1589)
ppupha Mar 19, 2024
329778a
fix: textfield cache, disable suggestion
phuocbitmark Mar 22, 2024
4e43376
fix: prevent 3rd party keyboard ios (#1591)
phuocbitmark Mar 25, 2024
afcc768
fix: improve breadcrumb (#1593)
phuocbitmark Mar 25, 2024
3f6b991
fix: update license for liauk.swift and tezart
phuocbitmark Mar 25, 2024
ba6e4c6
Merge pull request #1596 from bitmark-inc/update_license
phuocbitmark Mar 25, 2024
aedc88c
fix: change log type to avoid adding to breadcrumb
phuocbitmark Mar 25, 2024
42f92b4
Merge pull request #1598 from bitmark-inc/reduce_breadcumb
phuocbitmark Mar 25, 2024
3869507
fix: fallback hex encoded string for malformed utf8 (#1597)
hvthhien Mar 25, 2024
fe30d66
fix: android delete keys when forget i exist (#1595)
ppupha Mar 25, 2024
1bc8543
fix: ios hide sensitive data when background (#1599)
ppupha Mar 25, 2024
44447da
fix: encrypt env, decrypt when app run
phuocbitmark Mar 26, 2024
0f594df
add import
phuocbitmark Mar 26, 2024
ce1a40f
Merge pull request #1601 from bitmark-inc/add_import
phuocbitmark Mar 26, 2024
ab28543
Merge branch 'security_audit' into encrypt_env_secret
phuocbitmark Mar 26, 2024
4c8b7ec
fix: fix migrate env key
phuocbitmark Mar 26, 2024
27cfbd6
update android build ci
phuocbitmark Mar 27, 2024
018246d
add encrypt script for deploy files
phuocbitmark Mar 27, 2024
5578496
add missing ios files
hvthhien Mar 27, 2024
b5f9431
add SecureChannelHandler to xcodeproj
hvthhien Mar 27, 2024
2d71fc6
Add report action in signMessage/sendTransaction page
hoangbtmrk Mar 27, 2024
500bfd8
commit assets
hoangbtmrk Mar 27, 2024
7a79308
commit assets
hoangbtmrk Mar 27, 2024
851d922
separate env
phuocbitmark Mar 28, 2024
c62336e
dispose textEditingController
hoangbtmrk Mar 28, 2024
41fbeef
use .env.secret to temporarily store secret, update readme
phuocbitmark Mar 28, 2024
1454489
Add protocol handler for webview
hoangbtmrk Mar 28, 2024
a9da8a1
refactor folder
phuocbitmark Mar 28, 2024
cef7f92
clear cache at dispose webview page
phuocbitmark Mar 29, 2024
82fbfe2
not to remove env.secret
phuocbitmark Mar 29, 2024
360df87
Merge branch 'security_audit' into encrypt_env_secret
phuocbitmark Mar 29, 2024
94048b3
refactor
phuocbitmark Mar 29, 2024
7bba15d
fix script path
phuocbitmark Mar 29, 2024
4592cce
update asset
hoangbtmrk Mar 29, 2024
2332c9f
Merge pull request #1605 from bitmark-inc/add-protocol-handler-for-we…
hoangbtmrk Mar 29, 2024
6819d25
Merge pull request #1604 from bitmark-inc/security-12/add-report-button
hoangbtmrk Mar 29, 2024
973580c
Connect page: Add untrusted dApps warning
hoangbtmrk Mar 26, 2024
de0875e
Update warning text font-size
hoangbtmrk Mar 27, 2024
a368677
Update setState flow
hoangbtmrk Mar 28, 2024
33718aa
Fix bug get denyDAppUrls
hoangbtmrk Mar 29, 2024
24da82a
Merge pull request #1602 from bitmark-inc/warning_untrusted_dApps
hoangbtmrk Mar 29, 2024
f1576d5
Merge pull request #1600 from bitmark-inc/encrypt_env_secret
phuocbitmark Mar 29, 2024
8baccfb
set hide overlay
phuocbitmark Mar 29, 2024
03d6346
Merge pull request #1608 from bitmark-inc/hide_overlay
phuocbitmark Apr 1, 2024
ad56db1
Merge pull request #1607 from bitmark-inc/manage_webview_storage
phuocbitmark Apr 1, 2024
8d6f645
fix(security audit): 14 educate importance recovery phrase (#1610)
ppupha Apr 2, 2024
72bef76
Censored application log
hoangbtmrk Apr 2, 2024
0081a98
Censored logs: use Redacted instead of ***
hoangbtmrk Apr 2, 2024
f432805
Merge branch 'develop' into security_audit
phuocbitmark Apr 3, 2024
27d30e9
Censored logs: Add filter signature
hoangbtmrk Apr 3, 2024
edd153a
Censored logs: Add filter JWT token
hoangbtmrk Apr 3, 2024
1e6d0e6
Merge pull request #1611 from bitmark-inc/security-35/application-logs
hoangbtmrk Apr 3, 2024
4c35bce
feat: switch from webview to custom tab
phuocbitmark Apr 3, 2024
cc778dd
Update build gradle (#1614)
hoangbtmrk Apr 3, 2024
5dc82be
fix: migrate inapp webview
phuocbitmark Apr 3, 2024
2c3644e
Merge pull request #1615 from bitmark-inc/migrate_webview
phuocbitmark Apr 4, 2024
2c86cf1
feat: check certificate fingerprint
phuocbitmark Apr 4, 2024
b0e115c
Merge pull request #1616 from bitmark-inc/custome_tab
phuocbitmark Apr 4, 2024
2f80547
fix: getHeadUrl
phuocbitmark Apr 4, 2024
d2e6586
feat: deny android rooted device
phuocbitmark Apr 9, 2024
eb5e363
Merge branch 'security_audit' into ssl_fingerprints
phuocbitmark Apr 9, 2024
5e4875d
feat: navigate to report bug if ssl check fail
phuocbitmark Apr 9, 2024
2d40240
fix: add prefix to message to sign (#1621)
ppupha Apr 9, 2024
6b2436b
Merge pull request #1617 from bitmark-inc/ssl_fingerprints
phuocbitmark Apr 9, 2024
8f5e464
prevent jailbreak ios
phuocbitmark Apr 9, 2024
42975e4
feat: deny debugger
phuocbitmark Apr 9, 2024
7f0dc02
fix: apply advance debugger check
phuocbitmark Apr 10, 2024
bced450
Merge pull request #1619 from bitmark-inc/root_jailbreak
phuocbitmark Apr 10, 2024
4d8bd27
update default message text when check ssl fail
phuocbitmark Apr 10, 2024
c99aba2
Merge pull request #1623 from bitmark-inc/update_assets
phuocbitmark Apr 10, 2024
211d4f2
fix(android): debugger detected (#1622)
ppupha Apr 10, 2024
ebb6ab8
Merge pull request #1594 from bitmark-inc/fix_cache_textfield
phuocbitmark Apr 10, 2024
d19a867
fix: Verify signing certificate (#1624)
ppupha Apr 11, 2024
1809415
fix: accessibility protection (#1627)
ppupha Apr 12, 2024
869039e
feat: check reverse and emulator in iOS
phuocbitmark Apr 15, 2024
d0bf4bb
detect reverse android
phuocbitmark Apr 15, 2024
a9e56b8
feat: check bundleId ios
phuocbitmark Apr 16, 2024
1a2f490
remove check emulator
phuocbitmark Apr 16, 2024
614e0bf
Merge pull request #1630 from bitmark-inc/integrity_check
phuocbitmark Apr 17, 2024
95b66cd
Merge branch 'security_audit' into reverse_engi
phuocbitmark Apr 17, 2024
e55c465
Merge pull request #1629 from bitmark-inc/reverse_engi
phuocbitmark Apr 17, 2024
6121021
feat: track device authen fail multiple times
phuocbitmark Apr 17, 2024
0a304e0
Support two factor for mnemonic
hoangbtmrk Apr 5, 2024
6ac4864
Support mnemonic two factor
hoangbtmrk Apr 11, 2024
bb524c0
Update libauk-swift revision
hoangbtmrk Apr 11, 2024
859fb3e
Revert "Update libauk-swift revision"
hoangbtmrk Apr 11, 2024
3c908f1
Update libauk-swift revision
hoangbtmrk Apr 11, 2024
676e9f2
Create object RecoveryPhrasePayload
hoangbtmrk Apr 12, 2024
173e86e
Remove comment
hoangbtmrk Apr 12, 2024
ead2fff
Move calculateFirstEthAddress function to LibAukDart class
hoangbtmrk Apr 12, 2024
4021e72
refactor: use passphrase instead of password
hoangbtmrk Apr 16, 2024
602d2ab
fix: include passphrase when backup android key
hoangbtmrk Apr 16, 2024
df5cb69
fix: update UI for passphrase
hoangbtmrk Apr 17, 2024
1b50716
feat: upgrade package feralfile_app_theme
hoangbtmrk Apr 17, 2024
b7cc74c
feat: change import seed ui
phuocbitmark Apr 19, 2024
6402a8f
feat: update libauk-kotlin version
hoangbtmrk Apr 19, 2024
3b2dafe
feat: update libauk-swift version
hoangbtmrk Apr 19, 2024
c8375f3
Merge pull request #1625 from bitmark-inc/add-support-two-factor-mnem…
hoangbtmrk Apr 19, 2024
3096848
feat: update libauk version
hoangbtmrk Apr 22, 2024
59b74dc
feat: update assets commit hash
hoangbtmrk Apr 22, 2024
8b06ef1
feat: capture sentry event for security check fails
phuocbitmark Apr 22, 2024
bd3d33f
feat: capture sentry event for security check fails
phuocbitmark Apr 22, 2024
129d13e
feat: capture sentry event for security check fails
phuocbitmark Apr 22, 2024
04c5387
fix: update android Set env workflow
hoangbtmrk Apr 22, 2024
b023d1a
Merge pull request #1635 from bitmark-inc/fix-create-env-workflow
hoangbtmrk Apr 22, 2024
4a80c5a
Merge branch 'security_audit' into track_security_event
phuocbitmark Apr 23, 2024
b82fdae
feat: capture sentry event for decrypt fail
phuocbitmark Apr 23, 2024
fe01d16
capture exception
phuocbitmark Apr 23, 2024
e72cdf9
feat: skip checking certificate for localhost
phuocbitmark Apr 23, 2024
6a5f816
Merge pull request #1640 from bitmark-inc/skip_ssl_local
phuocbitmark Apr 23, 2024
183df5d
fix: allow cleartext for localhost only
hoangbtmrk Apr 19, 2024
efa429f
fix: file rename
hoangbtmrk Apr 19, 2024
41665b0
fix: allow cleartext for localhost only
hoangbtmrk Apr 22, 2024
a464563
Merge pull request #1632 from bitmark-inc/56-do-not-allow-cleartext-H…
hoangbtmrk Apr 24, 2024
3cd10ab
Merge branch 'develop' into security_audit
phuocbitmark Apr 24, 2024
26d0078
Merge branch 'security_audit' into track_security_event
phuocbitmark Apr 24, 2024
83931f6
Merge pull request #1631 from bitmark-inc/track_security_event
phuocbitmark Apr 24, 2024
69010d6
Merge branch 'security_audit' into import_mnemonic_ui
phuocbitmark Apr 24, 2024
3b03017
fix: Load mnemonics in memory on the recovery page instead of wallet …
phuocbitmark Apr 24, 2024
044b252
Merge pull request #1646 from bitmark-inc/load_mnemonics
phuocbitmark Apr 24, 2024
8bf2542
Merge pull request #1644 from bitmark-inc/import_mnemonic_ui
phuocbitmark Apr 24, 2024
ba8a3a0
feat: implement connection revocation for WC
hoangbtmrk Apr 24, 2024
f3a056e
fix: check nullsafety
hoangbtmrk Apr 25, 2024
4ce5228
fix: check for inactive topic at init wc2 client
phuocbitmark Apr 26, 2024
268b555
Merge pull request #1649 from bitmark-inc/Improve-connection-revocation
hoangbtmrk Apr 26, 2024
db1ce79
fix: fix show recovery phrase while scrolling
phuocbitmark May 3, 2024
d9e145e
feat: remove backdropFilter
phuocbitmark May 4, 2024
cb6e1e8
feat: white out password
phuocbitmark May 7, 2024
c4fe188
Merge pull request #1659 from bitmark-inc/recovery_phrase_scrolling
phuocbitmark May 8, 2024
9e2f82d
fix(security_audit): 1_ Biometric is not event-bound (#1613)
ppupha May 16, 2024
57546c4
fix:ios: fix check inhouse and exit app method (#1686)
phuocbitmark May 16, 2024
9c013c8
fix: revert test
phuocbitmark May 16, 2024
c2550df
Merge pull request #1689 from bitmark-inc/sa/revert_test
phuocbitmark May 16, 2024
8766b4a
feat: add walletconnect validation by verifyAPI
hoangbtmrk May 21, 2024
d3e307b
feat: WC Verify the chainID if it's provided
hoangbtmrk May 22, 2024
dd29aa9
fix: remove denyDappUrls for wallet connect
hoangbtmrk May 22, 2024
00b5151
fix: display typed data message in user friendly form
hoangbtmrk May 22, 2024
9b4e479
Update Libauk-swift (#1701)
ppupha May 23, 2024
87a1c73
fix: 10 clear keys from backup (#1703)
ppupha May 23, 2024
7ebb601
Merge pull request #1705 from bitmark-inc/71/verify-the-chainID
hoangbtmrk May 23, 2024
7c0f3a1
Merge pull request #1706 from bitmark-inc/11/avoid-untrusted-dApps-in…
hoangbtmrk May 23, 2024
3abcab2
fix: frida default tcp port
phuocbitmark May 23, 2024
1586b00
Merge pull request #1709 from bitmark-inc/fix_frida_port
phuocbitmark May 23, 2024
a3abdb2
feat: use different github secret for env vars
phuocbitmark Jun 17, 2024
a4cc1f5
Merge pull request #1764 from bitmark-inc/env_vars
anhnguyenbitmark Jun 17, 2024
6df107e
fix cat env.secret
phuocbitmark Jun 17, 2024
48c37a6
Merge pull request #1768 from bitmark-inc/fix_cat_env
phuocbitmark Jun 17, 2024
0da9584
Merge branch 'develop' into security_audit
phuocbitmark Jul 10, 2024
e5b58ad
fix resolve conflict
phuocbitmark Jul 10, 2024
17494de
add comment
phuocbitmark Jul 10, 2024
c30a9c1
lint
phuocbitmark Jul 10, 2024
74689d0
lint
phuocbitmark Jul 10, 2024
810e133
Merge branch 'develop' into security_audit
phuocbitmark Jul 12, 2024
1a63cb2
Merge branch 'develop' into security_audit
phuocbitmark Jul 15, 2024
bbd4eee
Update libauk swift
ppupha Jul 16, 2024
2076a30
fix: migrate
ppupha Jul 18, 2024
1d9ee57
Sang/fix/security audit (#1836)
ppupha Jul 19, 2024
60beb42
fix: android restore: blockstore default key
ppupha Jul 24, 2024
be3208c
Merge branch 'develop' into security_audit
phuocbitmark Jul 29, 2024
62f5a72
Revert "fix: android restore: blockstore default key"
ppupha Aug 7, 2024
0104c22
Revert "Sang/fix/security audit (#1836)"
ppupha Aug 7, 2024
5d7919e
Revert "fix: migrate"
ppupha Aug 7, 2024
43f498f
Revert "Update libauk swift"
ppupha Aug 7, 2024
9615ded
Revert "fix(security_audit): 1_ Biometric is not event-bound (#1613)"
ppupha Aug 7, 2024
937ea21
Merge branch 'Sang/revert_bio_metric' into security_audit
ppupha Aug 7, 2024
fix: android delete keys when forget i exist (#1595)
* fix: android delete keys when forget i exist

* Update
ppupha authored Mar 25, 2024
commit fe30d6626c89a914e857f16d4d864bc5dad6c329
@@ -17,11 +17,9 @@ import io.flutter.embedding.engine.FlutterEngine
import io.flutter.plugin.common.MethodCall
import io.flutter.plugin.common.MethodChannel
import io.reactivex.Completable
import io.reactivex.Observable
import io.reactivex.Single
import io.reactivex.disposables.CompositeDisposable
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable
import java.util.*

class BackupDartPlugin : MethodChannel.MethodCallHandler {
@@ -47,6 +45,7 @@ class BackupDartPlugin : MethodChannel.MethodCallHandler {
"isEndToEndEncryptionAvailable" -> isEndToEndEncryptionAvailable(result)
"backupKeys" -> backupKeys(call, result)
"restoreKeys" -> restoreKeys(call, result)
"deleteKeys" -> deleteKeys(call, result)
else -> {
result.notImplemented()
}
@@ -168,6 +167,21 @@ class BackupDartPlugin : MethodChannel.MethodCallHandler {
result.error("restoreKey error", it.message, it)
}
}


private fun deleteKeys(call: MethodCall, result: MethodChannel.Result) {
// store empty bytes to blockstore
val storeBytesDataBuilder = StoreBytesData.Builder()
.setBytes(ByteArray(0))
client.storeBytes(storeBytesDataBuilder.build())
.addOnSuccessListener {
result.success("")
}
.addOnFailureListener { e ->
Log.e("BackupDartPlugin", e.message ?: "")
result.error("deleteKeys error", e.message, e)
}
}
}

@Serializable
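Review bot: In `deleteKeys`, the backup is overwritten with `ByteArray(0)` rather than removed, and `StoreBytesData.Builder()` sets nothing but the bytes, so this only clears what `backupKeys` wrote if that call stores to the same entry with the same options. `backupKeys` and `restoreKeys` are outside this hunk; please confirm they match, and that `restoreKeys` treats a zero-length payload as "no backup" instead of falling into its `restoreKey error` path. The `call` parameter is unused here, and `Log.e("BackupDartPlugin", e.message ?: "")` drops the stack trace; passing `e` as the third argument keeps it.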
1 change: 1 addition & 0 deletions lib/screen/settings/forget_exist/forget_exist_bloc.dart
@@ -76,6 +76,7 @@ class ForgetExistBloc extends AuBloc<ForgetExistEvent, ForgetExistState> {
await injector<CacheManager>().emptyCache();
await DefaultCacheManager().emptyCache();
await injector<KeychainService>().clearKeychainItems();
await injector<AccountService>().deleteAllKeys();

await FileLogger.clear();
await SentryBreadcrumbLogger.clear();
9 changes: 9 additions & 0 deletions lib/service/account_service.dart
@@ -57,6 +57,8 @@ abstract class AccountService {

Future androidBackupKeys();

Future deleteAllKeys();

Future<List<Connection>> removeDoubleViewOnly(List<String> addresses);

Future<bool?> isAndroidEndToEndEncryptionAvailable();
@@ -392,6 +394,13 @@ class AccountServiceImpl extends AccountService {
}
}

@override
Future deleteAllKeys() async {
if (Platform.isAndroid) {
await _backupChannel.deleteAllKeys();
}
}

@override
Future androidRestoreKeys() async {
if (Platform.isAndroid) {
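Review bot: `deleteAllKeys()` in `AccountServiceImpl` is a silent no-op on every platform except Android, yet the name promises all keys, while the neighbouring methods carry an `android` prefix (`androidBackupKeys`, `androidRestoreKeys`). Either rename it along those lines or add a doc comment on the abstract declaration stating that it only clears the Android cloud backup, so callers such as `ForgetExistBloc` do not assume it covers other platforms. Declaring it `Future<void>` instead of a bare `Future` would also make the contract explicit.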
8 changes: 8 additions & 0 deletions lib/util/android_backup_channel.dart
@@ -38,6 +38,14 @@ class AndroidBackupChannel {
return [];
}
}

Future deleteAllKeys() async {
try {
await _channel.invokeMethod('deleteKeys', {});
} catch (e) {
log.warning("Android cloud backup error", e);
}
}
}

class BackupData {
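Review bot: The `catch (e)` in `AndroidBackupChannel.deleteAllKeys` logs a warning and returns normally, so the `await injector<AccountService>().deleteAllKeys();` added to `ForgetExistBloc` can never fail, and the forget flow completes even when the native side answered with `deleteKeys error` and the backed-up keys are still in place. For a wipe operation the failure should reach the caller: rethrow, or return a result the bloc can act on and show to the user. The log text `"Android cloud backup error"` also does not mention deletion; naming the operation would make these failures distinguishable in the logs.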