8000 obfuscation leaks build time location of plugin registrar script · Issue #165111 · flutter/flutter · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

obfuscation leaks build time location of plugin registrar script #165111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
git2321231 opened this issue Mar 13, 2025 · 14 comments
Open

obfuscation leaks build time location of plugin registrar script #165111

git2321231 opened this issue Mar 13, 2025 · 14 comments
Labels
a: build Building flutter applications with the tool found in release: 3.29 Found to occur in 3.29 found in release: 3.30 Found to occur in 3.30 has reproducible steps The issue has been confirmed reproducible and is ready to work on platform-ios iOS applications specifically team-ios Owned by iOS platform team waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds

Comments

@git2321231
Copy link
git2321231 commented Mar 13, 2025
edited
Loading

Steps to reproduce

1.Create a default Flutter demo project.
2.Use commands packaged into IPA:flutter build ipa --release --obfuscate --split-debug-info=build/ios/ipa
3.Analysis the IPA using some static analysis tools,such as MobSF(https://mobsf.live/).

Expected results

We should see that the static analysis tool cannot directly find the string code in the Demo project.

Actual results

There are several dart strings in Flutter's default demo project, such as "Flutter Demo"," Flutter Demo Home Page","You have pushed the button this many times:". If the Dart code is correctly obfuscated, you should not see these strings present in the static analysis tool's report. But unfortunately, it's easy to see them in the IPA package. Oddly enough, the Android APK package doesn't exist, so something is clearly wrong.

Image

Code sample

Flutter‘s default demo project:

Code sample 
import 'package:flutter/material.dart';

void main() {
  runApp(const MyApp());
}

class MyApp extends StatelessWidget {
  const MyApp({super.key});

  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Flutter Demo',
      theme: ThemeData(

        colorScheme: ColorScheme.fromSeed(seedColor: Colors.deepPurple),
        useMaterial3: true,
      ),
      home: const MyHomePage(title: 'Flutter Demo Home Page'),
    );
  }
}

class MyHomePage extends StatefulWidget {
  const MyHomePage({super.key, required this.title});

  final String title;

  @override
  State<MyHomePage> createState() => _MyHomePageState();
}

class _MyHomePageState extends State<MyHomePage> {
  int _counter = 0;

  void _incrementCounter() {
    setState(() {
   
      _counter++;
    });
  }

  @override
  Widget build(BuildContext context) {
   
    return Scaffold(
      appBar: AppBar(
    
        backgroundColor: Theme.of(context).colorScheme.inversePrimary,
     
        title: Text(widget.title),
      ),
      body: Center(
    
        child: Column(
    
          mainAxisAlignment: MainAxisAlignment.center,
          children: <Widget>[
            const Text(
              'You have pushed the button this many times:',
            ),
            Text(
              '$_counter',
              style: Theme.of(context).textTheme.headlineMedium,
            ),
          ],
        ),
      ),
      floatingActionButton: FloatingActionButton(
        onPressed: _incrementCounter,
        tooltip: 'Increment',
        child: const Icon(Icons.add),
      ), 
    );
  }
}

Screenshots or Video

Screenshots / Video demonstration

[Upload media here]

Logs

Logs 
[Paste your logs here]

Flutter Doctor output

Doctor output 
[✓] Flutter (Channel stable, 3.24.3, on macOS 15.2 24C101 darwin-arm64, locale zh-Hans-CN)
    • Flutter version 3.24.3 on channel stable at /Users/xxx/flutter_gitee/FlutterB/flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 2663184aa7 (6 months ago), 2024-09-11 16:27:48 -0500
    • Engine revision 36335019a8
    • Dart version 3.5.3
    • DevTools version 2.37.3
    • Pub download mirror https://pub.dev
    • Flutter download mirror https://storage.flutter-io.cn

[✓] Android toolchain - develop for Android devices (Android SDK version 35.0.0)
    • Android SDK at /Users/xxx/Library/Android/sdk
    • Platform android-35, build-tools 35.0.0
    • Java binary at: /Users/xxx/Library/Java/JavaVirtualMachines/jbr-17.0.8/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment JBR-17.0.8+7-1000.22-nomod (build 17.0.8+7-b1000.22)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 16.2)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 16C5032a
    • CocoaPods version 1.15.2

[✓] Android Studio (version 2023.3)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)

[✓] VS Code (version 1.98.0)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.107.20250303

[✓] Connected device (4 available)
    • sdk gphone64 arm64 (mobile)     • emulator-5554                        • android-arm64 • Android 13 (API 33) (emulator)
    • iPhone 16 Pro Max (mobile)      • 30DCB973-D365-43B3-B794-17B6F87F56B2 • ios           • com.apple.CoreSimulator.SimRuntime.iOS-18-2 (simulator)
    • iPad Pro 11-inch (M4) (mobile)  • 999A5313-166E-4024-A82D-0743B9F4AA90 • ios           • com.apple.CoreSimulator.SimRuntime.iOS-18-2 (simulator)
    • Mac Designed for iPad (desktop) • mac-designed-for-ipad                • darwin        • macOS 15.2 24C101 darwin-arm64
    ! Error: Browsing on the local area network for Eric的iPhone 13 Pro Max. Ensure the device is unlocked and attached with a cable or associated with the same local area network as this Mac.
      The device must be opted into Developer Mode to connect wirelessly. (code -27)

[✓] Network resources
    • All expected network resources are available.

• No issues found!

Additional Information:
Ios/Flutter/Generated. Xcconfig seems to be correct:

// This is a generated file; do not edit or check into version control.
FLUTTER_ROOT=/Users/xxx/flutter_gitee/FlutterB/flutter
FLUTTER_APPLICATION_PATH=/Users/xxx/Documents/flutter/obfuscation_test
COCOAPODS_PARALLEL_CODE_SIGN=true
FLUTTER_TARGET=lib/main.dart
FLUTTER_BUILD_DIR=build
FLUTTER_BUILD_NAME=1.0.0
FLUTTER_BUILD_NUMBER=1
EXCLUDED_ARCHS[sdk=iphonesimulator*]=i386
EXCLUDED_ARCHS[sdk=iphoneos*]=armv7
DART_OBFUSCATION=true
SPLIT_DEBUG_INFO=build/ios/ipa
TRACK_WIDGET_CREATION=false
TREE_SHAKE_ICONS=true
PACKAGE_CONFIG=/Users/xxx/Documents/flutter/obfuscation_test/.dart_tool/package_config.json
@darshankawar darshankawar added the in triage Presently being triaged by the triage team label Mar 13, 2025
@darshankawar
Copy link
Member

such as MobSF(https://mobsf.live/).

@git2321231 Did you upload the /Runner.xcarchive generated after running the said command ?
I tried the same but it says invalid zip file.

Also, can you try to run your scenario on latest stable to check if it still persist ?

@darshankawar darshankawar added the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Mar 13, 2025
@git2321231
Copy link
Author

@darshankawar
MobSF requires an IPA file for upload rather than an xcarchive. Just use "flutter build ipa --obfuscate --split-debug-info=build/ios/ipa" command to make a IPA file.

Accessing MobSF online can be a bit slow. A simple solution is to deploy it locally using Docker.

I checked this issue on Flutter 3.29.0 and it still exists.I believe this issue may affect all versions, unless there is a debate over whether Flutter should obfuscate strings. However, I am confident that this is indeed a problem, as it is properly obfuscated on Android.

[!] Flutter (Channel stable, 3.29.0, on macOS 15.2 24C101 darwin-arm64, locale zh-Hans-CN) [835ms]
    • Flutter version 3.29.0 on channel stable at /Users/xxx/flutter_gitee/FlutterC/Flutter
    ! Warning: `flutter` on your path resolves to /Users/xxx/flutter_gitee/FlutterB/flutter/bin/flutter, which is not inside your current Flutter SDK
      checkout at /Users/xxx/flutter_gitee/FlutterC/Flutter. Consider adding /Users/xxx/flutter_gitee/FlutterC/Flutter/bin to the front of your path.
    ! Warning: `dart` on your path resolves to /Users/xxx/flutter_gitee/FlutterB/flutter/bin/dart, which is not inside your current Flutter SDK checkout
      at /Users/xxx/flutter_gitee/FlutterC/Flutter. Consider adding /Users/xxx/flutter_gitee/FlutterC/Flutter/bin to the front of your path.
    ! Upstream repository https://gitee.com/mirrors/Flutter.git is not a standard remote.
      Set environment variable "FLUTTER_GIT_URL" to https://gitee.com/mirrors/Flutter.git to dismiss this error.
    • Framework revision 35c388afb5 (4 weeks ago), 2025-02-10 12:48:41 -0800
    • Engine revision f73bfc4522
    • Dart version 3.7.0
    • DevTools version 2.42.2
    • Pub download mirror https://pub.dev
    • Flutter download mirror https://storage.flutter-io.cn
    • If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 35.0.0) [2.5s]
    • Android SDK at /Users/xxx/Library/Android/sdk
    • Platform android-35, build-tools 35.0.0
    • Java binary at: /Users/xxx/Library/Java/JavaVirtualMachines/jbr-17.0.8/Contents/Home/bin/java
      This JDK is specified in your Flutter configuration.
      To change the current JDK, run: `flutter config --jdk-dir="path/to/jdk"`.
    • Java version OpenJDK Runtime Environment JBR-17.0.8+7-1000.22-nomod (build 17.0.8+7-b1000.22)
    • All Android licenses accepted.

[!] Xcode - develop for iOS and macOS (Xcode 16.2) [2.4s]
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 16C5032a
    ! CocoaPods 1.15.2 out of date (1.16.2 is recommended).
        CocoaPods is a package manager for iOS or macOS platform code.
        Without CocoaPods, plugins will not work on iOS or macOS.
        For more info, see https://flutter.dev/to/platform-plugins
      To update CocoaPods, see https://guides.cocoapods.org/using/getting-started.html#updating-cocoapods

[✓] Android Studio (version 2023.3) [13ms]
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)

[✓] VS Code (version 1.98.0) [12ms]
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.107.20250303

[✓] Connected device (5 available) [8.0s]
    • sdk gphone64 arm64 (mobile)     • emulator-5554                        • android-arm64 • Android 13 (API 33) (emulator)
    • Eric的iPhone 13 Pro Max (mobile) • 00008110-001C55202222801E            • ios           • iOS 18.3.1 22D72
    • iPhone 16 Pro Max (mobile)      • 30DCB973-D365-43B3-B794-17B6F87F56B2 • ios           • com.apple.CoreSimulator.SimRuntime.iOS-18-2 (simulator)
    • iPad Pro 11-inch (M4) (mobile)  • 999A5313-166E-4024-A82D-0743B9F4AA90 • ios           • com.apple.CoreSimulator.SimRuntime.iOS-18-2 (simulator)
    • Mac Designed for iPad (desktop) • mac-designed-for-ipad                • darwin        • macOS 15.2 24C101 darwin-arm64

[✓] Network resources [654ms]
    • All expected network resources are available.

such as MobSF(https://mobsf.live/).

@git2321231 Did you upload the /Runner.xcarchive generated after running the said command ? I tried the same but it says invalid zip file.

Also, can you try to run your scenario on latest stable to check if it still persist ?

@github-actions github-actions bot removed the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Mar 14, 2025
@darshankawar
Copy link
Member

Thanks for the update.

Just use "flutter build ipa --obfuscate --split-debug-info=build/ios/ipa" command to make a IPA file.

Accessing MobSF online can be a bit slow.

I tried this and was able to see the reported behavior.

stable : 3.29.1
master : 3.30.0-1.0.pre.526

@darshankawar darshankawar added platform-ios iOS applications specifically a: build Building flutter applications with the tool has reproducible steps The issue has been confirmed reproducible and is ready to work on found in release: 3.29 Found to occur in 3.29 found in release: 3.30 Found to occur in 3.30 team-ios Owned by iOS platform team and removed in triage Presently being triaged by the triage team labels Mar 14, 2025
@git2321231
Copy link
Author
git2321231 commented Mar 18, 2025
edited
Loading

Additionally, I discovered that ".dart_tool/flutter_build/dart_plugin_registrant.dart" were also being included in the IPA package, which is quite unusual.
In the MobSF report, I came across a string like this:
file:///Users/xxx/Documents/flutter/my_project/.dart_tool/flutter_build/dart_plugin_registrant.dart
Here, "xxx" represents my macOS username, and my_project is the name of my project. This should never be present in the IPA package.

@mraleph
Copy link
Member
mraleph commented Mar 26, 2025

Strings are not obfuscated - only names and library URIs are when they are not entry points which engine needs to access by name (this is documented in https://docs.flutter.dev/deployment/obfuscate#limitations). I think that's the reason why plugin registrant entry point is retained - maybe worth having the issue about that one, but the rest is working as intended.

@git2321231
Copy link
Author

Strings are not obfuscated - only names and library URIs are when they are not entry points which engine needs to access by name (this is documented in https://docs.flutter.dev/deployment/obfuscate#limitations). I think that's the reason why plugin registrant entry point is retained - maybe worth having the issue about that one, but the rest is working as intended.

Thank you for your reply. I understand that the strings at the native layer are not obfuscated. However, what I don't understand is why the strings in Dart code are well obfuscated on Android but not on iOS. I suspect that this so-called “obfuscation” ultimately relies on the native platform’s obfuscation capabilities, and it just so happens that Android obfuscates strings while iOS does not — is that correct?
Additionally, please pay close attention to the plugin registrant issue. Including intermediate artifacts like dart_plugin_registrant in the final package is unacceptable, as it exposes potentially sensitive information.

@mraleph
Copy link
Member
mraleph commented Mar 27, 2025

However, what I don't understand is why the strings in Dart code are well obfuscated on Android but not on iOS

It probably means you are testing something incorrectly. There is no difference between Android and iOS when it comes to Dart obfuscation.

@git2321231
Copy link
Author

However, what I don't understand is why the strings in Dart code are well obfuscated on Android but not on iOS

It probably means you are testing something incorrectly. There is no difference between Android and iOS when it comes to Dart obfuscation.

No, please carefully review the reproduction steps mentioned above — you can even try them yourself. This is a very easy issue to reproduce, so please trust your colleagues on this. In the MobSF analysis reports for both the Android APK and iOS IPA, it’s easy to observe that Dart strings are not obfuscated on iOS, whereas they are properly obfuscated on Android.

For example, in the iOS report, you can easily search for the string from the demo project: “You have pushed the button this many times:”. But in the Android report, this string is not searchable, indicating that it has been obfuscated.

@mraleph
Copy link
Member
mraleph commented Mar 27, 2025
edited
Loading

But in the Android report, this string is not searchable, indicating that it has been obfuscated.

Then something is wrong with the tool, because as I have said - obfuscation works the same way on both Android and iOS. It is platform independent. I have implemented the thing - so I know quite well what it does and how it works.

I think what happens is that MobSF is just not very good tool... Strings just go into slightly different place in the compiled binary (because Android build uses compressed pointers builds and iOS build does not) but they are present in unobfuscated form in both cases.

Good old strings can easily find it:

$ flutter build apk --release --split-debug-info=debug-info --obfuscate --target-platform android-arm64
...
$ strings ./build/app/intermediates/stripped_native_libs/release/stripReleaseDebugSymbols/out/lib/arm64-v8a/libapp.so | grep button
button
You have pushed the button this many times:

@git2321231
Copy link
Author

But in the Android report, this string is not searchable, indicating that it has been obfuscated.

Then something is wrong with the tool, because as I have said - obfuscation works the same way on both Android and iOS. It is platform independent. I have implemented the thing - so I know quite well what it does and how it works.

I think what happens is that MobSF is just not very good tool... Strings just go into slightly different place in the compiled binary (because Android build uses compressed pointers builds and iOS build does not) but they are present in unobfuscated form in both cases.

Good old strings can easily find it:

$ flutter build apk --release --split-debug-info=debug-info --obfuscate --target-platform android-arm64
...
$ strings ./build/app/intermediates/stripped_native_libs/release/stripReleaseDebugSymbols/out/lib/arm64-v8a/libapp.so | grep button
button
You have pushed the button this many times:

Alright, I understand. In that case, please also pay attention to the dart_plugin_registrant issue. Thank you.

@mraleph mraleph changed the title [iOS] Dart obfuscation is not working on iOS obfuscation does not hide resolved source uris (e.g. leaks build time location of plugin registrar script) Mar 27, 2025
@mraleph mraleph changed the title obfuscation does not hide resolved source uris (e.g. leaks build time location of plugin registrar script) obfuscation leaks build time location of plugin registrar script Mar 27, 2025
@jmagman
Copy link
Member
jmagman commented Apr 9, 2025

Additionally, I discovered that ".dart_tool/flutter_build/dart_plugin_registrant.dart" were also being included in the IPA package, which is quite unusual.

Can you confirm where this path is inside the IPA?

@jmagman jmagman added the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Apr 9, 2025
@git2321231
Copy link
Author

Additionally, I discovered that ".dart_tool/flutter_build/dart_plugin_registrant.dart" were also being included in the IPA package, which is quite unusual.

Can you confirm where this path is inside the IPA?

Image

It is a string resource in the IPA package that can be easily captured by analyze tools. Crucially, it contains the developer's username and project path information. This packaging intermediate information should not be present in the IPA package.

@github-actions github-actions bot removed the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Apr 10, 2025
@vashworth vashworth added P2 Important issues not at the top of the work list triaged-ios Triaged by iOS platform team labels Apr 25, 2025
@vashworth
Copy link
Contributor

@git2321231 The screenshot does not show where the .dart_tool/flutter_build/dart_plugin_registrant.dart is actually located. Is it within the .ipa directory?

@vashworth vashworth removed the P2 Important issues not at the top of the work list label Apr 25, 2025
@vashworth vashworth added waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds and removed triaged-ios Triaged by iOS platform team labels Apr 25, 2025
@mraleph
Copy link
Member
mraleph commented Apr 28, 2025

@vashworth this file is generated by the build process in the original app source directory, e.g. if you add path_provider as a dependency for examples/hello_world and build it then it will generate examples/hello_world/.dart_tool/flutter_build/dart_plugin_registrant.dart.

The problem here is how it is wired to the rest of the engine: the engine first looks up package:flutter/src/dart_plugin_registrant.dart which contains a field dartPluginRegistrantLibrary defined as String.fromEnvironment('flutter.dart_plugin_registrant') which contains the library to lookup. The whole wiring was implemented in 912873b by @gaaclarke.

To really hide the URL the file probably needs to be placed in a synthetic package (similar to flutter_gen one) or maybe
front-end servers --source flag could be extended with support for setting import urls of the file which is being forcefully pulled into the build.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
a: build Building flutter applications with the tool found in release: 3.29 Found to occur in 3.29 found in release: 3.30 Found to occur in 3.30 has reproducible steps The issue has been confirmed reproducible and is ready to work on platform-ios iOS applications specifically team-ios Owned by iOS platform team waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@mraleph @jmagman @git2321231 @vashworth @darshankawar
0