How to Handle Sensitive Data in Flutter

Rickey
Aug 9 · 4 min read

What is Sensitive data?

Here is a list of some examples of sensitive data:

  • Amazon Web Services Key

How should you define these sensitive parameters in your Flutter application? Defining them by hardcoding is dangerous.

What is the risk of defining these sensitive parameters by hardcoding?

Hardcoding sensitive information such as passwords, IP addresses, encryption keys, etc. can expose such information to attackers. Anyone who has access to the class file can decompile it and extract the sensitive information. Therefore, do not hardcode sensitive information into your programs.

For example:

class IPaddress {
  // The address is a string literal, so it survives compilation and
  // can be read back out of the class file by anyone who has it.
  String ipAddress = new String("172.16.254.1");

  public static void main(String[] args) {
    //..
  }
}

Actual incidents and examples

The image below describes the following findings:

Out of 16,000 apps, most of the apps didn’t have any sort of key or secret in it. Roughly 2500 apps were found to have either a key or a secret of a third party service hardcoded in the app.

Let’s look at the actual risk

You can find API keys by searching GitHub for ‘aws_accesskey’.

What should we care about in Flutter Apps?

There are two main things to be concerned about in Flutter apps:

  • Don’t upload sensitive information on git.

How to decompile APK files?

  1. Install “apktool”
    If you use macOS, you can install it with Homebrew.

brew install apktool

  2. Run ‘apktool d {target_APK}.apk’

apktool d test.apk

Solution

Use the flutter_dotenv library.

Add the library

In pubspec.yaml:

dependencies:
  flutter:
    sdk: flutter
  flutter_dotenv: ^3.1.0 # add this line

flutter:
  assets: # add this line
    - assets/.env # add this line

Then run flutter pub get.

Create config file

Add a file named .env under the project’s assets directory. Its path must match the one you listed in pubspec.yaml.
This file must be excluded from version control by adding it to .gitignore.
Don’t forget to do this!

*.env

Then put your variables in the .env file like below:

SAMPLE_KEY=test...key123

How to read an environment variable

First, import the library:

import 'package:flutter_dotenv/flutter_dotenv.dart';

Then, in main.dart, add the code that loads the environment file:

void main() async {
  await load('assets/.env'); // added
  runApp(MyApp());
}

Then you can use the environment variable like below:

String sample_key = env['SAMPLE_KEY'];

Validate APK

I did a grep search on a decompiled version of the actual APK I created, but did not find the same string.
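The validation step above can be made repeatable. The following shell helper is an added example, not code from the original post: it reads each KEY=VALUE pair from your .env and greps the directory produced by apktool for every literal value, exiting non-zero if any value is found. Flutter packages the assets listed in pubspec.yaml under assets/flutter_assets/ inside the APK, so the whole decoded tree is scanned, not only the smali code. The file and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   apktool d app-release.apk -o decoded   # decompile, as in the post
#   scan_env_values assets/.env decoded    # placeholder paths
# Exit status: 0 = no .env value found in the tree, 1 = at least one found.
scan_env_values() {
  envfile="$1"
  dir="$2"
  found=0
  # Read KEY=VALUE lines; the `|| [ -n "$line" ]` also handles a last
  # line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    # Skip blank lines, comments and lines without an '=' separator.
    case "$line" in
      ''|'#'*) continue ;;
      *=*) ;;
      *) continue ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # Strip optional surrounding double quotes from the value.
    value="${value#\"}"
    value="${value%\"}"
    [ -n "$value" ] || continue
    # -r recursive, -l list matching files, -F the value is a fixed
    # string, not a regex. grep exits 1 on no match, so mask that.
    hits="$(grep -rlF -- "$value" "$dir" 2>/dev/null || true)"
    if [ -n "$hits" ]; then
      found=1
      printf 'LEAK: value of %s found in:\n%s\n' "$key" "$hits"
    fi
  done < "$envfile"
  return "$found"
}
```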

The other solution that I tried:

Use FirebaseRemoteConfig to define sensitive data.

The best countermeasure against decompilation is not to define this sensitive data inside the app at all, but to define it externally.

But the Firebase Remote Config policy says the following:

Don’t store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.

REF: Policies and limits

DSF Web Services Engineering

Development Center by PT. Dipo Star Finance