feat: enable Security Alerts API

[vinistevam]

Description

This PR aims to enable the Security Alerts API. The environment variable SECURITY_ALERTS_API_ENABLED will be maintained and removed in a separate PR in a future release.
There is a fallback mechanism that uses the local PPOM to validate the request in the case of an issue with the API. This safeguard is designed to prevent any disruption or impact on the user experience.

Related issues

Fixes: https://github.com/MetaMask/mobile-planning/issues/1878

Manual testing steps

1. Go to this test dapp
2. trigger malicious transfer | malicious permit

Screenshots/Recordings

securty.alerts.api.webm

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 74270bd
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/fcf153ed-59a8-4018-bf18-681716023e00

Note

• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[sleepytanya]

@vinistevam Just posting an update so you know what's happening!

1. iOS builds for some reason fail on current branch so I haven't been able to verify iOS yet
   https://app.bitrise.io/build/7c0e66dc-ea96-4e1a-a271-ed184067e581
   https://app.bitrise.io/app/be69d4368ee7e86d/installable-artifacts/90117534d8213616

2. Android:

   I'm seeing 'unable to find conversion rate' and it seems like on prod this error doesn't occur (I will re-check this):

PPOM:

• Everything works on Ethereum

1.mp4

2.mp4

3.mov

• BNB - Malicious Transfer (USDC) not flagged
• Arbitrum - Sign Permit, Malicious Set Approval for All not flagged
• zkSync - Sign Permit, Malicious Permit and Malicious Seaport not flagged (some of them could be ignored as they are not supported on zkSync yet?)

[sleepytanya]

iOS build https://app.bitrise.io/app/be69d4368ee7e86d/installable-artifacts/612c067798c34679

Same PPOM functionality as on Android:

BNB - Malicious Transfer (USDC) not flagged
Arbitrum - Sign Permit, Malicious Set Approval for All not flagged
zkSync - Sign Permit, Malicious Permit and Malicious Seaport not flagged (some of them could be ignored as they are not supported on zkSync yet?)

[github-actions]

Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 28c22cb
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/61ab869d-9073-4448-85b7-819062e826da

Note

• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
80.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[vinistevam]

Tests on main:
BNB: Malicious Transfer (USDC) not flagged

ppom_main_bnb.webm

zkSync: Malicious Permit and Malicious Seaport not flagged (Same as on my branch)

ppom_zksync.webm

Tests on feat/enable-security-alerts-api branch:
Arbitrum - Malicious Set Approval for All - flagged

ppom_arbitrum_branch.webm

Sign Permit is not working on main as well
cc. @sleepytanya