Lockdown Your Flutter App: Keeping Hackers and Script Kiddies at Bay!

Debasmita Sarkar
7 min readFeb 16


“Is your mobile app Secure?”

If you are still thinking about it , I am 99% sure it is not.

Hey, are you busy slaying the Flutter app development game, crushing those deadlines?
Let me tell you, amigo, app security is crucial too!

Did you know that a whopping 75% of mobile apps in India are at security risk?

Protecting the sensitive user data is critical for safeguarding their privacy and preventing those pesky cyber attacks.
So let’s fortify your app’s defenses and secure your user’s trust!

In this article, we’ll explore essential measures to ensure the security of mobile apps. And Guess what? To save you the hassle of selecting the right package, I’ll provide a list of necessary packages along with their benefits.

1. Input validation:

I think validating input fields is the most basic thing in terms of mobile app security, yet often overlooked.
Without proper input validation, mobile apps are vulnerable to a range of security threats, such as injection attacks, where attackers can insert malicious code or data into an application. This can lead to unauthorized access, data theft, and even complete system compromise.

Packages to the rescue:
1. validatorsThis is a very crisp package, handles all the string validation and sanitization.
formzFormz provides a standardized form representation and validation solution in Dart, with the goal of simplifying the process in a generic manner.
flutter_form_builder — This package simplifies data collection form creation in Flutter by eliminating the need for boilerplate code. It handles form validation, field changes, and user input collections.

2. Secure Communication:

Secure communication with the server is critical for mobile app security, as it helps protect against a range of security threats, including interception, eavesdropping, and data tampering.

One notable example of a data breach resulting from unsecured communication occurred during the Equifax data breach in 2017, where hackers exploited a vulnerability in an unpatched version of Apache Struts to gain unauthorized access to sensitive data of 143 million people. The breach highlights the importance of using secure communication protocols such as HTTPS to prevent unauthorized access to sensitive data.

HTTPS is like a secret language between your mobile app and the server, so no one else can understand what they’re saying. It’s like a secret handshake between best friends, but with encryption! This means that sneaky attackers can’t spy on your conversation or mess with your messages.

It also provides a means of authenticating the server and verifying that the data being received is coming from a trusted source. Implementing HTTPS in a mobile app involves obtaining and installing a valid SSL certificate, configuring the app to use HTTPS for all communication with the server, and implementing certificate pinning to prevent man-in-the-middle attacks.

Packages to the rescue:

  1. dio - a powerful HTTP client for Dart that supports interceptors, global configuration, FormData, request cancellation, and more.
  2. http - a library for making HTTP requests in Dart that provides a simple and consistent API for handling HTTP requests and responses.
  3. http_auth - a package that provides support for basic and digest authentication for HTTP requests in Flutter apps.
  4. chopper - a package that provides a way to generate easy-to-use services in Dart.

3. Secure Authentication

Local authentication is like a bodyguard for your mobile app. It ensures only authorized users get access to your app’s sensitive data. By requiring local authentication, you keep the bad guys out and your app’s features and functions safe. It’s like a bouncer at the hottest club in town, making sure only the cool kids get to party. So, use local authentication to keep your app secure and your users happy.

By requiring users to enter a username and password, biometric data such as fingerprints or facial recognition, or other authentication measures, developers can help prevent brute force attacks and other attempts to guess or bypass authentication credentials.

In addition, local authentication can help to protect the app and its associated data even if the device is lost or stolen.

Packages to the rescue:

  1. local_auth — this package provides a simple way to authenticate users locally using biometric data such as fingerprints or facial recognition..
  2. firebase_auth — if your app uses Firebase, this package can help to implement secure authentication and user management.
  3. authpass — this package provides a simple and easy-to-use interface for authenticating users with a password or other authentication method.

4. Secure Data Storage

Sooooo, you know how you keep secrets locked up in your diary, away from prying eyes of mostly your parents? Well, secure data storage in mobile apps is kind of like that. So, by storing data securely, you can make sure that your app’s secrets stay secret, just like that juicy gossip in your diary.

Packages to the rescure:

  1. flutter_secure_storage: This package provides a way to store sensitive data in the device’s secure keystore/keychain. It uses AES-256 encryption to secure the data and supports Android, iOS, and web platforms.
  2. sqflite: This package provides a local database solution for Flutter apps. It allows developers to store data in a secure way, using SQLite, which supports encryption and other security features.
  3. hive: Hive is a lightweight and fast key-value store written in pure Dart. It supports encryption and allows developers to store data in a secure way. Hive also has a built-in caching mechanism that can be used to improve app performance.
  4. shared_preferences_secure: This package is a secure version of the popular shared_preferences package. It uses AES-256 encryption to store data securely on the device.
  5. biometric_storage: This package provides a secure way to store small data in a hardware encrypted fashion.

5. Hiding sensitive data and screenshot prevention

Hiding sensitive information while a fintech app is running in the background or When a user switches away from the app is crucial for maintaining the security of the user’s data.

For example, if a user has entered their payment information into a fintech app and then switches to another app without closing the app, the payment information could still be visible on the screen. If an attacker gains access to the user’s device, they could potentially access this information and use it for fraudulent purposes.
Developers can use techniques such as blurring or covering sensitive information on the screen while the app is in the background.
In addition, preventing screenshots is another way to prevent sensitive information from being captured by third-party apps or other unwanted sources.

Package to the rescure:

  • secure_application: This plugin allows you to protect your application content from view on demand.
  • screen_protector: This package allows to prevent taking screenshot and background screenshot.

6. Rooting or Jailbreaking detection

Rooting and jailbreaking are techniques used to bypass the device’s security measures, allowing users to gain administrative access and modify the device’s operating system.

In 2014, a hacking incident involving the iCloud service led to the theft and publication of private photos of several celebrities. The attacker was able to access the photos by exploiting a vulnerability in Apple’s “Find My iPhone” service, which was only possible by jailbreaking the targeted devices.

So, just like how you don’t want strangers breaking into your house and snooping around your private stuff, you don’t want uninvited guests sneaking into your app and tampering with your sensitive information.

By implementing rooting and jailbreaking protection, developers can prevent such attacks by detecting and blocking access to the app on rooted or jailbroken devices. This can be done through various techniques such as code obfuscation, integrity checks, and device fingerprinting.

Packages to rescue:

  1. flutter_jailbreak_detection: This package provides a simple way to detect if the device is jailbroken or rooted.
  2. freerasp: The freerasp package provides root and jailbreak detection and offers real-time monitoring of the device for tampering or modification, with customizable thresholds for determining when a device is considered compromised. The package uses a combination of static and dynamic analysis techniques to provide comprehensive protection against root and jailbreak attacks.
  3. safe_device : This package detects if user’s device is rooted or jailbroken by examining system properties, file presence and using security-focused APIs.

7. Obfuscation

Obfuscation of mobile apps is the process of modifying an app’s code to make it difficult for attackers to reverse engineer and understand the logic of the application. This is typically done by renaming classes, methods, and variables to meaningless names, removing debugging information, and applying other transformations to the code.

Use the flutter build command in release mode with the --obfuscate and --split-debug-info options. The --split-debug-info option specifies the directory where Flutter outputs debug files. In the case of obfuscation, it outputs a symbol map.

$ flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory>

So go ahead and make your app secure!!

Hello everyone!! I am Debasmita. I fell in love with Flutter a long time ago and I am head over heels now. I am a Senior Mobile Developer at Peggy , Co-organizer of Flutter Hiring Network and a public speaker. Check out recent updates from me in twitter, linkedIn, youtube, github.
If you like this article please give a 👏 or 50 !! Also share your thoughts on comment section. Cheers!! :)



Debasmita Sarkar

Senior Mobile Developer @Peggy, Flutter Enthusiast, Tech Savvy, Speaker, Artist