Description
Describe the bug
The Threat.secureHardwareNotAvailable callback is being triggered as a false positive on normal, secured physical Android devices that have proper hardware-backed security (TEE/StrongBox). iOS security checks work correctly on the same user base without triggering equivalent false warnings.
To Reproduce
- Configure freeRASP with TalsecConfig in a Flutter app
- Build a release APK (isProd: true)
- Install on a secured physical Android device (non-rooted, passcode enabled, hardware security available)
- Launch the app and listen to Talsec.instance.onThreatDetected
- Observe Threat.secureHardwareNotAvailable being triggered incorrectly
Expected behavior
onSecureHardwareNotAvailable should NOT trigger on physical Android devices that have hardware-backed security available (TEE, StrongBox, Keymaster).
Screenshots
Attached below — showing issue reproduced in freeRASP example app
Please complete the following information:
Tested on multiple physical devices:
- Samsung F16 - Android 16
- iQOO Z9s Pro 5G - Android 15
- OnePlus 7 Pro - Android 13
Environment:
- freeRASP: 7.3.0
- Flutter: 3.38.5 (stable)
- Dart SDK: 3.10.4
- Android compileSdk: 36
- Android minSdk: 24
- Java/Kotlin: 17
Additional context
- Impact: Had to immediately halt the production release on Google Play Store due to this unexpected behavior affecting real users
- Reproduced in example app: Tested the official freeRASP example app — same behavior observed (screenshots attached)
- Regression: This was working fine previously on both Android and iOS with
  - Flutter 3.29.2
  - Dart 3.7.2
  - freeRASP 7.0.0
- iOS platform works correctly — all security checks pass without false positives
- Only secureHardwareNotAvailable appears to be incorrectly triggered on Android
- App is running in release mode with isProd: true
- All tested devices are standard consumer Android devices with no modifications (non-rooted, passcode enabled)


