How to check if you are under attack in flutter app with laravel backend?

I use Sentry in our Flutter app and Bugsnag in the API backend in Laravel. In Laravel I am not getting any errors.

I am getting a suspicious error in the Flutter app.

In Sentry I am getting this error:

    FormatException
    FormatException: Unexpected character (at character 1)
    <html><head><script type="text/javascript">location.replace("https://malwar...
    ^

This error shows it happens when the _checkIfLoggedIn code is called.

I am adding the code that I have there:

    void _checkIfLoggedIn() async {
      // Check whether a token was stored by a previous login.
      SharedPreferences localStorage = await SharedPreferences.getInstance();
      var token = localStorage.getString('token');

      // Ask the backend whether a newer app version exists or the API is offline.
      var res = await CallApi().getData('check-new-version');
      // json.decode (dart:convert) throws FormatException when the body is not
      // JSON, which is the exception Sentry reports above.
      var body = json.decode(res.body);

      if (body['isNewVersionAvailble']) {
        msg = body['msg'];
        isNewVersionAvailble = true;
      }
      if (body['isOffline']) {
        msg = body['msg'];
        isOffline = true;
      }
      if (token == null) {
        // User is not logged in.
        setState(() {
          isLoading = false;
        });
      } else {
        setState(() {
          isLoading = false;
          _isLoggedin = body['isLoggedIn'];
        });
      }
    }

In the Laravel method there are some checks, and a login check using JWT auth. That's all in Laravel.

Here is the Laravel code I have:

      // At the top of the controller file:
      use Illuminate\Http\Request;
      use Tymon\JWTAuth\Facades\JWTAuth;

      public function checkNewVersion(Request $request)
      {
          // Maintenance switch: tell every client the API is offline.
          if ($this->isOffline) {
              return response()->json([
                  'msg' => 'We are updating the app. It may take a few hours!',
                  'isNewVersionAvailble' => false,
                  'isOffline' => $this->isOffline,
                  'isLoggedIn' => true,
              ]);
          }

          // Version check: the app sends its API version as the `v` request parameter.
          if ($request->v != $this->apiVersion) {
              return response()->json([
                  'msg' => 'You are using an older version of the app. Please update your app.',
                  'isNewVersionAvailble' => true,
                  'isOffline' => false,
                  'isLoggedIn' => true,
              ]);
          }

          // Session check: authenticate the bearer JWT sent by the app.
          try {
              if (!$user = JWTAuth::parseToken()->authenticate()) {
                  return response()->json([
                      'msg' => 'Your session has expired. Please login again.',
                      'isNewVersionAvailble' => false,
                      'isLoggedIn' => false,
                      'isOffline' => false,
                  ]);
              }
          } catch (\Throwable $th) {
              // A missing, malformed or expired token ends up here.
              return response()->json([
                  'msg' => 'Your session has expired. Please login again.',
                  'isNewVersionAvailble' => false,
                  'isLoggedIn' => false,
                  'isOffline' => false,
              ]);
          }

          // (The success response for a logged-in user was cut off in the original post.)
      }

Looking for some expert opinions…

Thank you so much

I assume this is the line you get the error from?

Do you see any events in your backend? I suggest changing it to Sentry Laravel so you can connect the backend and the front end.

It's possible your Flutter app isn't reaching your server at all, and something on the network (say an airport Internet hotspot) is trying to redirect the user by injecting an HTML body with a JavaScript redirect in the payload, in order to bring the user to the captive portal, or something malicious.

I suggest you write your client app to account for the possibility that you might not reach your backend, and use TLS with certificate pinning.

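As an added example (not code from the poster's app or from the reply above), here is a pure-Dart helper that does the "account for not reaching your backend" part: it looks at the status code, the Content-Type header and the first bytes of the body before calling json.decode, and pulls the target URL out of an injected JavaScript redirect so it can be reported instead of crashing the app with a FormatException. The names classifyReply, ClassifiedReply and ReplyKind, the regular expression, and the sample replies in main() are all assumptions made for this example; the sample bodies are constructed, not captured from the poster's app.

```dart
import 'dart:convert';

/// What a reply from the backend turned out to be once inspected.
enum ReplyKind { json, htmlRedirect, otherHtml, notJson }

class ClassifiedReply {
  final ReplyKind kind;
  final Map<String, dynamic>? data; // decoded body when kind == ReplyKind.json
  final String? redirectTarget; // target of an injected JavaScript redirect, if found

  const ClassifiedReply(this.kind, {this.data, this.redirectTarget});

  @override
  String toString() =>
      'ClassifiedReply($kind, data: $data, redirectTarget: $redirectTarget)';
}

/// Case-insensitive header lookup; header names are not guaranteed to be lowercased.
String _header(Map<String, String> headers, String name) {
  for (final entry in headers.entries) {
    if (entry.key.toLowerCase() == name) return entry.value;
  }
  return '';
}

/// Matches the redirect idioms a captive portal typically injects:
/// location.replace("..."), location.href = "...", location = '...'.
final RegExp _jsRedirect = RegExp(
  r'''location(?:\.replace\(|(?:\.href)?\s*=)\s*["']([^"']+)["']''',
  caseSensitive: false,
);

/// Inspect status, Content-Type and body before handing the body to json.decode.
/// Anything that is not a 2xx JSON object is reported as such instead of thrown.
ClassifiedReply classifyReply(
    int statusCode, Map<String, String> headers, String body) {
  final contentType = _header(headers, 'content-type').toLowerCase();
  final looksLikeHtml =
      body.trimLeft().startsWith('<') || contentType.contains('text/html');

  if (looksLikeHtml) {
    // An HTML page where JSON was expected: the request never reached the API,
    // or something in between replaced the reply (captive portal, proxy, attacker).
    final match = _jsRedirect.firstMatch(body);
    if (match != null) {
      return ClassifiedReply(ReplyKind.htmlRedirect,
          redirectTarget: match.group(1));
    }
    return const ClassifiedReply(ReplyKind.otherHtml);
  }

  if (statusCode < 200 ||
      statusCode >= 300 ||
      !contentType.contains('application/json')) {
    return const ClassifiedReply(ReplyKind.notJson);
  }

  try {
    final decoded = json.decode(body);
    if (decoded is Map<String, dynamic>) {
      return ClassifiedReply(ReplyKind.json, data: decoded);
    }
    return const ClassifiedReply(ReplyKind.notJson);
  } on FormatException {
    // Declared as JSON but does not parse: treat as an unusable reply, not a crash.
    return const ClassifiedReply(ReplyKind.notJson);
  }
}

void main() {
  // Constructed sample replies (not captured from the poster's app or server).
  const apiReply =
      '{"msg":"","isNewVersionAvailble":false,"isOffline":false,"isLoggedIn":true}';
  const portalReply = '<html><head><script type="text/javascript">'
      'location.replace("http://portal.example.test/login")</script></head></html>';

  final ok = classifyReply(200, {'Content-Type': 'application/json'}, apiReply);
  print(ok);

  final hijacked = classifyReply(
      200, {'Content-Type': 'text/html; charset=utf-8'}, portalReply);
  print(hijacked);
}
```

In the _checkIfLoggedIn method this would replace the bare json.decode(res.body): call classifyReply(res.statusCode, res.headers, res.body) (a package:http Response exposes exactly those three), continue only when kind is ReplyKind.json, and otherwise put the app into its "backend unreachable" state and send the kind, the status code, the redirect target and a short body prefix to Sentry as extra context. That turns the crash into a single searchable event that tells you whether the reply was a portal redirect or a real server error. Certificate pinning is a separate measure configured on the HTTP client's TLS layer, not something this helper does.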

So does this mean that the user's device is somehow compromised? If it's not even reaching my server, then how can I track the user's information such as IP, etc.?
Flutter Sentry seems to have no way to get the IP or user details.

Thank you for your valuable time.

Doesn't mean the user is compromised. Just that it might be connected to a WiFi network that can't reach your server. This is just a theory; all we know is that the server returned an HTML body attempting to redirect the user somewhere.

The Flutter SDK is under heavy development to add a lot more features.