Flutter Obfuscation

Obfuscation illustration by ithare.com

What is Obfuscation?

Obfuscation means making something hard to understand for humans. In code, it means to hide function, class names, implicit values, or the meta-data your application uses in order to prevent tampering and reverse engineering.

There are multiple tools and ways online that can reverse engineer your APK and attackers might be able to extract code out of it. (Natively compiled classes and resources, not the entire flutter code). In order to prevent that, we need to obfuscate our flutter code while building the release version of our app.

How to Obfuscate the Flutter app?

Just like we have Proguard in Java, in Flutter we have a flag --obfuscate which should be used along with --split-debug-infothat specifies the directory where Flutter can output debug files and symbol maps which can be later used in the de-obfuscation of the stack trace.

flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory>

“ — obfuscate” can only be used in combination with “ — split-debug-info”

What does the ‘split debug info’ flag do?

Crashes and ANRs on Android produce a stack trace, which is a snapshot of the sequence of nested functions called in your program up to the moment it crashed. The stack trace shows us the class name and the associated line number for us to trace the reason for the crash. Having this information means that the app includes all the information needed to produce such StackTrace — which can weigh a lot and could take up a lot of space/memory while building apk.

The flag --split-debug-info removes all the data that is needed to show a human-readable stack trace which also dramatically decreases the app size. This command also produces some symbol files which can be later used to read the non-readable stack traces.

Read Stack Traces of Obfuscated App

To debug a stack trace created by an obfuscated app, use the following steps to make it human-readable:

1. Find the matching symbols file. For example, a crash from an Android arm64 device would need app.android-arm64.symbols.
2. Provide both the stack trace (stored in a file) and the symbols file to the flutter symbolize command. For example:

flutter symbolize -i <stack trace file> -d /out/android/app.android-arm64.symbols```

Obfuscation Support in Flutter

The following list describes which platforms support the obfuscation process in a flutter:

Android/iOS/macOS — Supported.

Linux/Windows — Not yet supported.

Web — Obfuscation is not supported for web apps, but a web app can be minified, which is similar. When you build a release version of a Flutter web app, it is automatically minified.

That’s it for today, hope you learned something from this article.

I am open to freelance, full-time, or part-time roles, feel free to reach out at Linkedin, thank you!