Recently, Talsec team has dedicated time and effort to explore different options for secure storage on the Flutter platform. While storing data is a straightforward task, ensuring its security requires careful consideration.
This article assumes you are familiar with:
- How data storage works on native platforms
- Android Keystore, Keychain and how they are used
Secure Storage Insights
Talsec team has recently been exploring ways to enhance data security on the Flutter platform. After conducting research, we are considering adding a secure storage feature to freeRASP and RASP+ solutions. As part of this process, we are analyzing the current state of secure storage options in Flutter and gathering insights from the community regarding their expectations for such a feature.
RASP (Runtime Application Self Protection)
Security technique that actively defends application by real-time controlling the security state of the device, integrity of the OS and App.
Current popular solutions
A quick recap of what is available as of today. If you are familiar with these packages, feel free to skip to the next section.
1️⃣ flutter_secure_storage (Flutter Package)
One common choice among Flutter developers for storage is the flutter_secure_storage plugin. This plugin offers key-value storage that leverages the native API of the target platform (SharedPrefferences, Keystore, Keychain,…) and provides a unified API for accessing them. While the data is encrypted, the current implementation of this solution is possibly vulnerable to a padding oracle attack (as mentioned in GitHub issues source #1, source #2). This vulnerability means an attacker could decipher a message because of incorrect message alignment. However, this attack vector is theoretical and rarely applicable (there are attacks requiring less effort).
2️⃣ hive (Dart Package)
Another popular option in the Flutter community is Hive, which provides a straightforward and user-friendly API for developers. Hive is known for its lightweight nature and fast performance, making it a reliable choice for storage in Flutter applications. Additionally, Hive offers built-in support for data encryption, specifically AES-256 encryption. When using encryption with Hive, it is important to note that you must provide an encryption key. Therefore, exercising caution regarding where you store the key and how you securely handle it is crucial.
3️⃣ sqflite (Flutter Package)
sqflite is a Flutter package that simplifies the creation and management of local application databases by utilizing the SQLite database engine. With sqflite, developers can easily handle tasks such as storing user preferences, caching data, and managing structured information in their Flutter applications. Additionally, sqflite provides integration with SQLCipher, which guarantees the security of sensitive information. An encrypted database is initialized with a password. It is crucial to handle this password securely and not hardcode it — hardcoded keys are visible in reverse-engineered app.
What is the issue?
We realised that while hardware-backed keystores are available on most devices, there are still many devices that lack this feature. Additionally, some devices encounter issues (especially on Android) with hardware-backed keystores due to manufacturer-provided software. These keystore implementations either fail to perform their intended function or resort to software-backed solutions anyway.
Another important consideration is that although hardware-backed keystores may offer greater resilience against key extraction, they still face the same vulnerability as software-backed keystores — they are not immune to runtime attacks. The data (which are encrypted using keys stored in the keystore) can still be accessed using rooted devices, repackaged/tampered apps or by using hooking frameworks at runtime.
So we came to conclusion that protecting data at rest on the device using SW-based security in combination with RASP can be good enough for many cases and even have considerable advantages.
What are the benefits?
By incorporating a software-backed keystore into RASP (Runtime Application Self-Protection) solution, we can simultaneously address two critical aspects:
- Reliability
Enhanced RASP solution will offer a dependable keystore mechanism that does not rely on secure hardware. This means that even on devices lacking hardware-backed security features, this solution will ensure the integrity and protection of cryptographic keys. - Security
As mentioned earlier, the keystore itself is still vulnerable to threats such as root access and runtime hooks. However, a keystore that closely integrates with RASP would have this problem mitigated, as it could determine whether or not to store/retrieve data based on the current security state of the device.
With the integration of a software-backed keystore, enhanced RASP solution provides a comprehensive and reliable approach to data protection, overcoming the limitations posed by both hardware availability and copromised devices.
What are the issues?
This solution is also not perfect as might look. We also have to consider problematic parts:
- RASP is not unbeatable
While RASP adds an extra layer of security, it’s not an universal solution which will solve problem once for all. It just adds complexity for attacker to deal with. Once RASP is defeated, this solution becomes “plain” SW-backed keystore. It’s also important to note that RASP can’t replace traditional security measures. - HW is more secure
As mentioned earlier, HW-backed keystore performs way better when it comes resiliency against data extraction. Also finding and misusing issue in HW is way harder than finding issue in software implementation of SW-backed keystore.
If you choose SW-backed keystore it’s important consider if you take traditional implementation relying on crypthography or you’ll take storage with additional security layer.
It’s also about you!
What do you think? Would you rely on SW-based secure storage SDK for Flutter with hardcoded obscured encryption key?
Share your thoughts and experiences in the comments below! 👇📝
