Mobile Security via Flutter — Ep.3 Secure API (Part 2/2 — End Game)

Amorn Apichattanakul, published in KBTG Life, May 26, 2021

After exploring the concept of a secure API and what we need to prepare before implementing it, this last chapter of the mobile security series shows how to implement it in Flutter code. We will go through the five steps of the Digital Signature flow:

  1. Key Exchange
  2. Encrypt Body
  3. Create Hashing Signature
  4. Decrypt Body
  5. Check Code Integrity From Signature

I will cover only the first four, because they are implemented on the client side; the last one is done by the backend.

Key Exchange

You can use any lib from this link.

Here’s the sample of the handshake function.

After you run this, you get a string back. Don't persist this string anywhere on the device: it is a temporary session key that lives only in memory and is used until the session expires. From then on, everything the app sends to the server is encrypted with this key.

Encrypt Body, Create Hashing Signature, and Decrypt Body

Basically, we encrypt the message with the key we got from the handshake, using an IV that is kept in local memory (the server needs the same IV to decrypt, so either send it with the body or derive it from the handshake). The request carries a signature that includes a nonce and a timestamp, which lets the server reject replayed requests, together with a hash of the content for integrity checking. Note that a plain hash only catches accidental corruption: anyone who can modify the body can also recompute the hash, so the signature must be keyed with the session key (for example an HMAC) to detect deliberate tampering. Once you have all the information, send it to the server; the server returns an encrypted message, which the client has to decrypt before it can use it. Here is the sample code for encrypting and decrypting.

Now you can use postAPI to send the message to the server and map the response back into a Map on the client, which you can then process like normal JSON.
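The following is an added example written for this page, not the article's own gist, showing steps 2 to 4 on the client and the step 5 check on the server in one runnable Dart file. It assumes two packages that are not named in the article, package:crypto (HMAC-SHA256) and package:encrypt (AES-256-CBC), and it stands in for the handshake with a random 32-byte key that both sides are assumed to share; in the app that key is whatever the handshake call returns. The signature is an HMAC over the IV, the ciphertext, the nonce and the timestamp (encrypt-then-MAC), and the server side shows the replay and tamper checks that the signature exists to support.

```dart
// Added example, not the article's code. Requires in pubspec.yaml:
//   crypto: ^3.0.0
//   encrypt: ^5.0.0
import 'dart:convert';
import 'dart:math';

import 'package:crypto/crypto.dart';
import 'package:encrypt/encrypt.dart' as enc;

/// Step 3: HMAC-SHA256 over every field the server will act on. A keyed MAC
/// (not a bare SHA-256) is what gives integrity: without the session key an
/// attacker cannot recompute it after changing the body.
String sign(List<int> sessionKey, String iv, String body, String nonce,
    String timestamp) {
  final message = utf8.encode('$iv|$body|$nonce|$timestamp');
  return base64.encode(Hmac(sha256, sessionKey).convert(message).bytes);
}

/// Constant-time comparison so a signature check does not leak timing.
bool constantTimeEquals(String a, String b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
  }
  return diff == 0;
}

/// Step 2 + 3 (client): encrypt the JSON body with the session key and a
/// fresh IV, then sign ciphertext + nonce + timestamp (encrypt-then-MAC).
/// [nowMillis] is only a hook for tests; the app uses the real clock.
Map<String, String> sealRequest(enc.Key sessionKey, Map<String, dynamic> body,
    {int? nowMillis}) {
  final iv = enc.IV.fromSecureRandom(16); // never reuse an IV with one key
  final encrypter = enc.Encrypter(enc.AES(sessionKey, mode: enc.AESMode.cbc));
  final ciphertext = encrypter.encrypt(jsonEncode(body), iv: iv).base64;
  final rng = Random.secure();
  final nonce =
      base64Url.encode(List<int>.generate(16, (_) => rng.nextInt(256)));
  final timestamp =
      (nowMillis ?? DateTime.now().millisecondsSinceEpoch).toString();
  return {
    'iv': iv.base64,
    'body': ciphertext,
    'nonce': nonce,
    'timestamp': timestamp,
    'signature': sign(sessionKey.bytes, iv.base64, ciphertext, nonce, timestamp),
  };
}

/// Step 4 (client) and step 5 (server): verify the signature first, and only
/// then decrypt. The server additionally rejects stale timestamps and nonces
/// it has already seen, so a captured envelope cannot be replayed.
class EnvelopeVerifier {
  EnvelopeVerifier(this.sessionKey, {this.maxSkew = const Duration(minutes: 5)});

  final enc.Key sessionKey;
  final Duration maxSkew;
  final Set<String> _seenNonces = <String>{}; // per session; persist server-side

  Map<String, dynamic> verifyAndOpen(Map<String, String> env, {int? nowMillis}) {
    final iv = env['iv']!, body = env['body']!;
    final nonce = env['nonce']!, timestamp = env['timestamp']!;
    final expected = sign(sessionKey.bytes, iv, body, nonce, timestamp);
    if (!constantTimeEquals(expected, env['signature'] ?? '')) {
      throw const FormatException('bad signature: body or headers tampered');
    }
    final now = nowMillis ?? DateTime.now().millisecondsSinceEpoch;
    if ((now - int.parse(timestamp)).abs() > maxSkew.inMilliseconds) {
      throw const FormatException('stale timestamp: possible replay');
    }
    if (!_seenNonces.add(nonce)) {
      throw const FormatException('nonce already used: replay rejected');
    }
    final encrypter = enc.Encrypter(enc.AES(sessionKey, mode: enc.AESMode.cbc));
    final plain = encrypter.decrypt64(body, iv: enc.IV.fromBase64(iv));
    return jsonDecode(plain) as Map<String, dynamic>;
  }
}

void main() {
  // Assumption: stands in for the handshake result, a 256-bit key both sides
  // now share. In the app it is the string the handshake returns, kept only
  // in memory for the life of the session.
  final sessionKey = enc.Key.fromSecureRandom(32);
  final server = EnvelopeVerifier(sessionKey);

  final envelope = sealRequest(sessionKey, {'account': '1234', 'amount': 500});
  print(server.verifyAndOpen(envelope)); // first use: accepted and decrypted

  try {
    server.verifyAndOpen(envelope); // same nonce again: rejected as a replay
  } on FormatException catch (e) {
    print(e.message);
  }

  // Attacker swaps in their own ciphertext but cannot re-sign without the key.
  final tampered = Map<String, String>.from(envelope)
    ..['body'] = base64.encode(List<int>.filled(32, 0));
  try {
    server.verifyAndOpen(tampered); // rejected before any decryption happens
  } on FormatException catch (e) {
    print(e.message);
  }
}
```

In the app, `sealRequest` is what postAPI calls before sending, and the client runs the same `verifyAndOpen` logic on the server's reply (with its own nonce set). If your backend stack offers AES-GCM, prefer it over CBC plus HMAC: it authenticates the ciphertext in one step and removes the risk of a verifier that decrypts before checking the tag.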

How is it so far? It's not that hard, right? If you have followed all the instructions up to this point, rest assured that your app is equipped with a sufficient level of security for regular apps. That said, if you really want your app to have the best security, you can use this guideline and consult with your security team to tighten up your security even further. This guideline is from a mobile app developer, not a security expert, so it might still have flawed logic, which I'm sure your security team can help you make perfect.

Thank you for tagging along with this series until the end of this chapter. I hope the mobile experience I've shared helps strengthen the security of your app and protect your precious customers. 😙

Read the previous episodes of the Mobile Security via Flutter series:

Want to read more stories like this? Or catch up with the latest trends in the technology world? Be sure to check out our website for more at www.kbtg.tech

Amorn Apichattanakul is a Google Developer Expert for Flutter & Dart and a Senior Flutter/iOS Software Engineer at KBTG.