broxus · knightsforce · Feb 12, 2025 · Feb 14, 2025 · Feb 14, 2025 · Feb 14, 2025
diff --git a/.github/configs/flutter_version b/.github/configs/flutter_version
@@ -1 +1 @@
-3.29.2
+3.29.3
diff --git a/.github/workflows/app-deploy.yaml b/.github/workflows/app-deploy.yaml
@@ -22,13 +22,13 @@ on:
         required: true
         default: release
         type: choice
-        options: [release, debug]
+        options: [ release, debug ]
       flavor:
         description: 'Target flavor:'
         required: true
         default: staging
         type: choice
-        options: [development, staging, production]
+        options: [ development, staging, production ]
 
 jobs:
   setup:
@@ -77,6 +77,21 @@ jobs:
             exit 1
           fi
 
+      - name: Fetch anti-phishing lists
+        run: |
+          curl -s https://raw.githubusercontent.com/broxus/ever-wallet-anti-phishing/master/blacklist.json  -o /tmp/blacklist1.json
+          curl -s https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/refs/heads/main/src/config.json     -o /tmp/config.json
+          mkdir -p assets/config
+          jq -s '(.[0] + .[1].blacklist) | unique | { blacklist: . }' \
+          /tmp/blacklist1.json /tmp/config.json \
+          > assets/config/anti_phishing.json
+
+      - name: Upload anti-phishing file
+        uses: actions/upload-artifact@v4
+        with:
+          name: anti-phishing-json
+          path: assets/config/anti_phishing.json
+
       - name: Read Flutter version
         id: read_flutter
         run: echo "flutter_version=$(cat .github/configs/flutter_version)" >> $GITHUB_OUTPUT
@@ -155,6 +170,16 @@ jobs:
           echo "ios_target is set to = ${{ env.ios_target }}"
           echo "build_mode is set to = ${{ inputs.build_mode }}"
 
+      - name: Remove default anti_phishing.json
+        run: |
+          rm -f assets/config/anti_phishing.json
+
+      - name: Download anti-phishing file
+        uses: actions/download-artifact@v4
+        with:
+          name: anti-phishing-json
+          path: assets/config
+
       - name: Setup Flutter
         uses: subosito/flutter-action@v2
         with:
@@ -257,6 +282,27 @@ jobs:
           cache: true
           cache-key: flutter-:os:-:channel:-:version:-:arch:-:hash:-${{ hashFiles('**/pubspec.lock') }}
 
+      - name: Remove default anti_phishing.json
+        run: |
+          rm -f assets/config/anti_phishing.json
+
+      - name: Download anti-phishing file
+        uses: actions/download-artifact@v4
+        with:
+          name: anti-phishing-json
+          path: assets/config
+
+      - name: Refresh Flutter assets manifest
+        run: |
+          touch assets/config/anti_phishing.json
+          dart pub get
+
+      - name: Debug anti_phishing.json
+        run: |
+          echo "→ Content assets/config:"
+          ls -l assets/config
+          cat assets/config/anti_phishing.json
+
       - name: Display Flutter version
         run: flutter --version
 

diff --git a/assets/configs/anti_phishing.json b/assets/configs/anti_phishing.json
@@ -0,0 +1,16 @@
+{
+  "blacklist": [
+    "everscan.com",
+    "octsubridge.io",
+    "octus-bridge.com",
+    "protocoloctusbridge.com",
+    "octlusbridge.com",
+    "bridge-octus.org",
+    "internal-meeting.online",
+    "pancake-ever.com",
+    "gravixguard.github.io",
+    "gravixguard.web.app",
+    "broxus.net",
+    "chainconnect.app"
+  ]
+}
diff --git a/assets/html/anti_phishing.html b/assets/html/anti_phishing.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <title>SparX Wallet Phishing Detection</title>
+    <style>
+        body {
+          margin: 0;
+          padding: 20px;
+          background-color: #f0f0f0;
+          font-family: Arial, sans-serif;
+          color: #333;
+        }
+        .container {
+          max-width: 800px;
+          margin: 0 auto;
+          background-color: #fff;
+          border-radius: 4px;
+          box-shadow: 0 2px 6px rgba(0,0,0,0.1);
+          padding: 24px;
+        }
+        h1 {
+          margin-top: 0;
+          font-size: 1.8rem;
+        }
+        p {
+          line-height: 1.6;
+          margin-bottom: 1em;
+        }
+        a {
+          color: #0066cc;
+          text-decoration: none;
+        }
+        a:hover {
+          text-decoration: underline;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+    <h1>SparX Wallet Phishing Detection</h1>
+    <p>
+        This domain is currently on the SparX Wallet domain warning list. This means
+        that based on information available to us, SparX Wallet believes this domain
+        could currently compromise your security and, as an added safety feature,
+        SparX Wallet has restricted access to the site. To override this, please read
+        the rest of this warning for instructions on how to continue at your own risk.
+    </p>
+    <p>
+        There are many reasons sites can appear on our warning list, and our warning
+        list compiles from other widely used industry lists. Such reasons can include
+        known fraud or security risks, such as domains that test positive on the
+        SparX Wallet Phishing Detection. Domains on these warning lists may include
+        outright malicious websites and legitimate websites that have been compromised
+        by a malicious actor.
+    </p>
+    <p>
+        To read more about this site please
+        <a href="https://cryptoscamdb.org/search">
+            search for the domain on CryptoScamDB
+        </a>.
+    </p>
+    <p>
+        Note that this warning list is compiled on a voluntary basis. This list may be
+        inaccurate or incomplete. Just because a domain does not appear on this list is
+        not an implicit guarantee of that domain's safety. As always, your transactions
+        are your own responsibility. If you wish to interact with any domain on our
+        warning list, you can do so by
+        <a href="{PHISHING_ORIGINAL_SITE}">
+            continuing at your own risk
+        </a>.
+    </p>
+</div>
+</body>
+</html>
diff --git a/lib/di/di.config.dart b/lib/di/di.config.dart
diff --git a/lib/feature/browser_v2/custom_web_controller.dart b/lib/feature/browser_v2/custom_web_controller.dart
@@ -53,6 +53,26 @@ class CustomWebViewController {
     );
   }
 
+  Future<void> loadData({
+    required String data,
+    String mimeType = 'text/html',
+    String encoding = 'utf8',
+    WebUri? baseUrl,
+    WebUri? historyUrl,
+    WebUri? allowingReadAccessTo,
+  }) {
+    return _safeCall(
+      () => _nativeController.loadData(
+        data: data,
+        mimeType: mimeType,
+        encoding: encoding,
+        baseUrl: baseUrl,
+        historyUrl: historyUrl,
+        allowingReadAccessTo: allowingReadAccessTo,
+      ),
+    );
+  }
+
   void loggedOut() {
     _safeCall(_nativeController.loggedOut);
   }

diff --git a/lib/feature/browser_v2/domain/service/browser_service.dart b/lib/feature/browser_v2/domain/service/browser_service.dart
@@ -1,6 +1,7 @@
 import 'dart:async';
 
 import 'package:app/app/service/app_links/app_links.dart';
+import 'package:app/app/service/resources_service.dart';
 import 'package:app/app/service/storage_service/general_storage_service.dart';
 import 'package:app/feature/browser_v2/data/history_type.dart';
 import 'package:app/feature/browser_v2/domain/service/storages/browser_bookmarks_storage_service.dart';
@@ -9,6 +10,7 @@ import 'package:app/feature/browser_v2/domain/service/storages/browser_history_s
 import 'package:app/feature/browser_v2/domain/service/storages/browser_permissions_storage_service.dart';
 import 'package:app/feature/browser_v2/domain/service/storages/browser_tabs_storage_service.dart';
 import 'package:app/feature/browser_v2/managers/bookmarks_manager.dart';
+import 'package:app/feature/browser_v2/managers/broser_anti_phishing_manager.dart';
 import 'package:app/feature/browser_v2/managers/browser_auth_manager.dart';
 import 'package:app/feature/browser_v2/managers/favicon_manager.dart';
 import 'package:app/feature/browser_v2/managers/history_manager.dart';
@@ -30,6 +32,7 @@ class BrowserService {
     this._browserPermissionsStorageService,
     this._messengerService,
     this._generalStorageService,
+    this._resourcesService,
   );
 
   final AppLinksService _appLinksService;
@@ -39,8 +42,8 @@ class BrowserService {
   final BrowserTabsStorageService _browserTabsStorageService;
   final BrowserPermissionsStorageService _browserPermissionsStorageService;
   final GeneralStorageService _generalStorageService;
-
   final MessengerService _messengerService;
+  final ResourcesService _resourcesService;
 
   late final bookmarks = BookmarksManager(
     _bookmarksStorageService,
@@ -58,6 +61,8 @@ class BrowserService {
 
   final auth = BrowserAuthManager();
 
+  late final antiPhishing = BrowserAntiPhishingManager(_resourcesService);
+
   StreamSubscription<BrowserAppLinksData>? _appLinksNavSubs;
 
   BookmarksManager get bM => bookmarks;
@@ -72,11 +77,12 @@ class BrowserService {
 
   BrowserAuthManager get aM => auth;
 
-  void init() {
+  Future<void> init() async {
     bookmarks.init();
     history.init();
     tabs.init();
     permissions.init();
+    await antiPhishing.init();
     WidgetsBinding.instance.addPostFrameCallback((_) {
       _appLinksNavSubs =
           _appLinksService.browserLinksStream.listen(_listenAppLinks);
@@ -94,6 +100,7 @@ class BrowserService {
   void dispose() {
     tabs.dispose();
     _appLinksNavSubs?.cancel();
+    antiPhishing.dispose();
   }
 
   void openUrl(Uri uri) {
@@ -127,6 +134,30 @@ class BrowserService {
     }
   }
 
+  Future<void> loadPhishingGuard(
+    String path,
+  ) async {
+    final html = await antiPhishing.getPhishingGuardHtml(path);
+    return tabs.loadDataOnActiveTab(html);
+  }
+
+  Future<bool> loadPhishingGuardIfNeed({
+    required String path,
+    required String host,
+  }) async {
+    final list = antiPhishing.blackList;
+
+    for (final link in list) {
+      if (path != link && host != link) {
+        continue;
+      }
+
+      unawaited(loadPhishingGuard(path));
+      return true;
+    }
+    return false;
+  }
+
   void _listenAppLinks(BrowserAppLinksData event) {
     openUrl(event.url);
   }

diff --git a/lib/feature/browser_v2/managers/broser_anti_phishing_manager.dart b/lib/feature/browser_v2/managers/broser_anti_phishing_manager.dart
@@ -0,0 +1,52 @@
+import 'dart:convert';
+
+import 'package:app/app/service/resources_service.dart';
+import 'package:app/utils/json/json.dart';
+import 'package:flutter/foundation.dart';
+import 'package:flutter/services.dart';
+import 'package:logging/logging.dart';
+import 'package:rxdart/rxdart.dart';
+
+class BrowserAntiPhishingManager {
+  BrowserAntiPhishingManager(this._resourcesService);
+
+  final _blackListSubj = BehaviorSubject<List<String>>.seeded([]);
+
+  List<String> get blackList => _blackListSubj.value;
+
+  final ResourcesService _resourcesService;
+
+  final _log = Logger('BrowserAntiPhishingManager');
+
+  Future<void> init() {
+    return loadLinksJson();
+  }
+
+  void dispose() {
+    _blackListSubj.close();
+  }
+
+  Future<void> loadLinksJson() async {
+    try {
+      final json = await _resourcesService.loadString(
+        'assets/configs/anti_phishing.json',
+      );
+
+      final map = await compute<String, Map<String, dynamic>>(_parse, json);
+
+      _blackListSubj.add(castJsonList(map['blacklist']));
+    } catch (e, s) {
+      _log.severe('Load blacklist JSON error', e, s);
+    }
+  }
+
+  Future<String> getPhishingGuardHtml(String path) async {
+    final html = await rootBundle.loadString('assets/html/anti_phishing.html');
+    html.replaceFirst('{PHISHING_ORIGINAL_SITE}', path);
+    return html;
+  }
+
+  static Map<String, dynamic> _parse(String json) {
+    return jsonDecode(json) as Map<String, dynamic>;
+  }
+}