Fix #16: SSL pinning in all 4 Flutter apps

- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com
- Replaced http.post/http.get with pinned client in all CRUD classes
- Added crypto dependency to siro_admin and siro_driver pubspec

siro_driver/lib/controller/functions/crud.dart

@@ -16,9 +16,11 @@ import '../../constant/api_key.dart';
 import '../../views/widgets/error_snakbar.dart';
 import 'gemeni.dart';
 import 'upload_image.dart';
+import 'ssl_pinning.dart';
 
 class CRUD {
   final NetGuard _netGuard = NetGuard();
+  final _client = SslPinning.createPinnedClient();
 
   static bool _isRefreshingJWT = false;
   static String _lastErrorSignature = '';
@@ -251,7 +253,7 @@ class CRUD {
       }
 
       var url = Uri.parse(link);
-      var response = await http.post(
+      var response = await _client.post(
         url,
         body: payload,
         headers: {
@@ -327,7 +329,7 @@ class CRUD {
     final hmac = box.read(BoxName.hmac);
     var url = Uri.parse(link);
 
-    var response = await http.post(
+    var response = await _client.post(
       url,
       body: payload,
       headers: {
@@ -371,7 +373,7 @@ class CRUD {
     final url = Uri.parse(link);
 
     try {
-      final response = await http.post(
+      final response = await _client.post(
         url,
         body: payload,
         headers: {
@@ -437,7 +439,7 @@ class CRUD {
     required String uid,
   }) async {
     var uid = box.read(BoxName.phone) ?? box.read(BoxName.phoneDriver);
-    var res = await http.get(
+    var res = await _client.get(
       Uri.parse(
           'https://orca-app-b2i85.ondigitalocean.app/token?channelName=$channelName'),
       headers: {'Authorization': 'Bearer ${AK.agoraAppCertificate}'},
@@ -470,7 +472,7 @@ class CRUD {
       ],
       'temperature': 0.9,
     });
-    var response = await http.post(url, body: data, headers: headers);
+    var response = await _client.post(url, body: data, headers: headers);
     if (response.statusCode == 200) return response.body;
     return response.statusCode;
   }
@@ -536,7 +538,7 @@ class CRUD {
       ],
       'temperature': 0.9,
     });
-    var response = await http.post(url, body: data, headers: headers);
+    var response = await _client.post(url, body: data, headers: headers);
     if (response.statusCode == 200) return response.body;
     return response.statusCode;
   }
@@ -544,7 +546,7 @@ class CRUD {
   Future<dynamic> postPayMob(
       {required String link, Map<String, dynamic>? payload}) async {
     var url = Uri.parse(link);
-    var response = await http.post(url,
+    var response = await _client.post(url,
         body: payload, headers: {'Content-Type': 'application/json'});
     var jsonData = jsonDecode(response.body);
     if (response.statusCode == 200) {
@@ -585,7 +587,7 @@ class CRUD {
   Future<dynamic> postFromDialogue(
       {required String link, Map<String, dynamic>? payload}) async {
     var url = Uri.parse(link);
-    var response = await http.post(
+    var response = await _client.post(
       url,
       body: payload,
       headers: {
@@ -609,7 +611,7 @@ class CRUD {
     final authToken = AK.authTokenTwillo;
     final verifySid = AK.twilloRecoveryCode;
 
-    await http.post(
+    await _client.post(
       Uri.parse(
           'https://verify.twilio.com/v2/Services/$verifySid/Verifications'),
       headers: {
@@ -624,7 +626,7 @@ class CRUD {
   Future<dynamic> getGoogleApi(
       {required String link, Map<String, dynamic>? payload}) async {
     var url = Uri.parse(link);
-    var response = await http.post(url, body: payload);
+    var response = await _client.post(url, body: payload);
     var jsonData = jsonDecode(response.body);
     if (jsonData['status'] == 'OK') return jsonData;
     return jsonData['status'];
@@ -664,7 +666,7 @@ class CRUD {
   }) async {
     var url = Uri.parse(link);
     try {
-      var response = await http.get(
+      var response = await _client.get(
         url,
         headers: {
           'Content-Type': 'application/json',
@@ -690,7 +692,7 @@ class CRUD {
   }) async {
     var url = Uri.parse(link);
     try {
-      var response = await http.post(
+      var response = await _client.post(
         url,
         body: jsonEncode(payload),
         headers: {

siro_driver/lib/controller/functions/ssl_pinning.dart

@@ -0,0 +1,41 @@
+import 'dart:convert';
+import 'dart:io';
+import 'package:crypto/crypto.dart';
+import 'package:http/http.dart' as http;
+
+class SslPinning {
+  SslPinning._();
+
+  static final Map<String, List<String>> _pins = {
+    'intaleq.xyz': [
+      '/tNRUeeLxUhQU5gbgdpVWC6QBGAqc/ujg8Kcf0wQiAM=',
+      'Hlx/0EWNDH5Xkt2KzvqxUzbw0vvEsyZSlibialSyGqI=',
+    ],
+    'siromove.com': [
+      'C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHESsl=',
+      'diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=',
+    ],
+  };
+
+  static final List<String> _globalPins = [
+    'Ex/Od4QBaJmloAIDqe/IDxjrvXVYBxftwVU1gJMINuw=',
+    'lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=',
+    'aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=',
+  ];
+
+  static http.Client createPinnedClient() {
+    final httpClient = HttpClient()
+      ..badCertificateCallback =
+          (X509Certificate cert, String host, int port) {
+        final derHash = base64.encode(sha256.convert(cert.der).bytes);
+        for (final entry in _pins.entries) {
+          if (host.endsWith(entry.key)) {
+            if (entry.value.contains(derHash)) return true;
+          }
+        }
+        if (_globalPins.contains(derHash)) return true;
+        return false;
+      };
+    return http.IOClient(httpClient);
+  }
+}

siro_driver/pubspec.yaml

@@ -45,6 +45,7 @@ dependencies:
   # Services & Hardware
   battery_plus: ^7.0.0
   connectivity_plus: ^6.1.5
+  crypto: ^3.0.3
   device_info_plus: 11.2.2
   envied: ^1.0.0
   firebase_auth: ^6.3.0