5 steps to secure your next Flutter app

Securing an app is crucial before releasing it into production

AB Satyaprakash
Nerd For Tech
5 min read · Feb 2, 2022


With over 2 million developers worldwide, Flutter has emerged as one of the most popular frameworks for cross-platform mobile development. In the latter half of 2021, Flutter also announced stable releases for Flutter Web and Desktop, which has added to its popularity.

As developers, we focus on code and often miss out on one of the essential aspects of an app: Security. Ensuring that your app is secure is as important as adding that new mind-blowing feature. When released into production, insecure apps can be vulnerable to attacks, leading to user data leaks or misuse of resources, which can be costly.

This article will discuss five steps to protect your application, which will make your application stand firm when targeted by attackers. And if you love watching videos, make sure to check out the video below for a more detailed analysis of these steps.

Code Obfuscation

Code obfuscation is the process of modifying an app’s binary to make it harder for humans to understand. Reverse engineering your app can expose API keys, classes, function names, and all of your strings. This information can be crucial to your business logic and might give the attacker access to sensitive user data. Obfuscation hides these in your compiled Dart code, making it difficult for an attacker to reverse engineer your proprietary app.

If you are interested in learning more about how to reverse engineer a Flutter app, check out the link below —

Thankfully Flutter makes it very easy to obfuscate applications. To obfuscate your app, build a release version using the --obfuscate flag, combined with the --split-debug-info flag.

This generates the symbols file, which can then be used to de-obfuscate a stack trace using flutter symbolize as below —

Obfuscation is currently supported for release builds on Android, iOS, and macOS. Flutter web apps are automatically minified, which has a similar effect.
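As an added example (not the article's code), a small Dart build script that wraps the two commands described above: the obfuscated release build and flutter symbolize, keeping one symbols directory per version because a stack trace can only be de-obfuscated with the symbols of the exact build that produced it. The tool/release.dart location and the build/symbols path are assumptions; note that obfuscation renames Dart symbols but leaves string literals such as embedded API keys readable, so those still need to stay off the client.

```dart
// tool/release.dart: added example, not the article's code. Wraps the
// obfuscated release build and `flutter symbolize`. Paths are assumptions.
import 'dart:io';

/// Builds a release APK with --obfuscate and writes the symbol files that
/// --split-debug-info produces into a per-version directory.
Future<Directory> buildObfuscated(String buildName,
    {String symbolsRoot = 'build/symbols'}) async {
  // One directory per version: a stack trace can only be de-obfuscated with
  // the symbols of the exact build that produced it, so archive them.
  final outDir = Directory('$symbolsRoot/$buildName');
  final result = await Process.run('flutter', [
    'build', 'apk', '--release',
    '--build-name=$buildName',
    '--obfuscate',
    '--split-debug-info=${outDir.path}',
  ]);
  if (result.exitCode != 0) {
    throw ProcessException('flutter', ['build', 'apk'],
        result.stderr.toString(), result.exitCode);
  }
  // Flutter names the files app.<platform>-<arch>.symbols; make sure the
  // split actually happened before the build is considered done.
  final symbols = outDir
      .listSync()
      .whereType<File>()
      .where((f) => f.path.endsWith('.symbols'));
  if (symbols.isEmpty) {
    throw StateError('no .symbols files in ${outDir.path}');
  }
  return outDir; // never ship this directory with the app
}

/// De-obfuscates an obfuscated stack trace saved in [traceFile] using the
/// matching [symbolsFile], e.g. build/symbols/1.2.0/app.android-arm64.symbols.
Future<String> symbolize(String traceFile, String symbolsFile) async {
  final result = await Process.run(
      'flutter', ['symbolize', '-i', traceFile, '-d', symbolsFile]);
  if (result.exitCode != 0) {
    throw StateError('symbolize failed: ${result.stderr}');
  }
  return result.stdout.toString();
}

Future<void> main(List<String> args) async {
  final dir = await buildObfuscated(args.isEmpty ? '1.0.0' : args.first);
  stdout.writeln('symbols archived in ${dir.path}');
}
```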

Background snapshots protection

When your app is in the background, a snapshot of the last state of your app is automatically shown in the task switcher. Though useful when switching between apps, it’s undesirable to show sensitive user data such as bank account details. Seen this feature in action before? Perhaps the picture below will ring a bell —

Google Pay hides sensitive information (while making a bank transfer) as opposed to Gmail which shows the last snapshot of the app.

We can implement this using the following plugin.

Usually, reopening the application requires the user to authenticate again locally (using biometric scanning, for example), which brings us to our third point.

Local Authentication

Local authentication refers to on-device authentication of the user. This is beneficial if your application has subscriptions or payment features, as it provides an extra layer of authentication after the screen lock.

For this, we will use biometric authentication on iOS (Touch ID or lock code) and the fingerprint APIs on Android (introduced in Android 6.0). The following plugin implements local authentication for Flutter apps.

Secure Storage

Shared preferences are one of the most common ways to store simple key-value pairs for a Flutter application. However, they come with a few risks —

  1. If you look at the README of the shared_preferences plugin on pub.dev, you will find no guarantee that writes will be persisted to disk.
  2. Shared preferences or SQLite can still pose another issue for critical user data. Since the data is not encrypted, it can be opened on any other device, causing data leaks. We can use the following plugin to ensure encryption, which uses Keychain on iOS and AES encryption on Android.
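Putting the local authentication and secure storage steps together, as an added example rather than the article's own code: a vault that keeps a session token encrypted at rest, migrates a token an older app version left in plaintext shared preferences, and only hands the token out after the device's own lock has been passed. It assumes the flutter_secure_storage, local_auth (2.x API) and shared_preferences packages are declared in pubspec.yaml.

```dart
// Added example, not the article's code. Assumes flutter_secure_storage,
// local_auth (2.x API) and shared_preferences are declared in pubspec.yaml.
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';
import 'package:shared_preferences/shared_preferences.dart';

/// Keeps a session token encrypted at rest and only releases it after the
/// user passes the device's own lock (biometrics, or PIN/pattern fallback).
class TokenVault {
  static const _key = 'session_token';
  final _storage = const FlutterSecureStorage(
    // Keychain on iOS; on Android, Jetpack EncryptedSharedPreferences with
    // the master key held in the Android KeyStore.
    aOptions: AndroidOptions(encryptedSharedPreferences: true),
  );
  final _auth = LocalAuthentication();

  Future<void> save(String token) => _storage.write(key: _key, value: token);
  Future<void> clear() => _storage.delete(key: _key);

  /// One-time migration for users of an older app version that kept the
  /// token in plaintext shared preferences: copy it, then remove the plaintext.
  Future<void> migrateFromSharedPreferences() async {
    final prefs = await SharedPreferences.getInstance();
    final legacy = prefs.getString(_key);
    if (legacy == null) return;
    await save(legacy);
    await prefs.remove(_key);
  }

  /// Returns the token after local authentication, or null when the user
  /// cancels or fails. A device with no lock configured fails closed.
  Future<String?> readAfterLocalAuth() async {
    try {
      if (!await _auth.isDeviceSupported()) return null;
      final ok = await _auth.authenticate(
        localizedReason: 'Confirm it is you to continue',
        options: const AuthenticationOptions(
          biometricOnly: false, // allow the device PIN/pattern as fallback
          stickyAuth: true, // keep the prompt alive across a brief app switch
        ),
      );
      return ok ? await _storage.read(key: _key) : null;
    } on PlatformException {
      return null; // e.g. lockout after too many attempts: treat as failure
    }
  }
}
```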

Rooting or Jailbreaking protection

Android devices can be rooted, or iOS devices can be jailbroken, which removes the limits the manufacturer places on the user. This can introduce malware affecting your application or its data. In such an event, you may want to detect this and take steps accordingly.

Flutter jailbreak detection uses RootBeer on Android and DTTJailbreakDetection on iOS to detect if your app is currently running on a rooted or jailbroken device.
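As an added example (not the article's code), a startup check built on the flutter_jailbreak_detection package described above that turns the root/jailbreak signal into a policy decision and fails closed when the probe itself errors. It assumes the package is in pubspec.yaml and that the app supplies its own wipeSession and notify callbacks.

```dart
// Added example, not the article's code. Assumes the flutter_jailbreak_detection
// package (RootBeer on Android, DTTJailbreakDetection on iOS) is in pubspec.yaml.
import 'dart:io' show Platform;
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';

enum IntegrityVerdict { allow, warn, block }

/// Decides at startup how the app should behave on this device. Root and
/// jailbreak detection is heuristic (it can be hidden), so the result is a
/// risk signal to act on, not proof that the device is clean.
class DeviceIntegrity {
  static Future<IntegrityVerdict> check({required bool handlesPayments}) async {
    bool jailbroken;
    var developerMode = false;
    try {
      jailbroken = await FlutterJailbreakDetection.jailbroken;
      // developerMode is only meaningful on Android.
      if (Platform.isAndroid) {
        developerMode = await FlutterJailbreakDetection.developerMode;
      }
    } on PlatformException {
      // The probe itself failed: fail closed for money-moving flows.
      return handlesPayments ? IntegrityVerdict.block : IntegrityVerdict.warn;
    }
    if (jailbroken) {
      return handlesPayments ? IntegrityVerdict.block : IntegrityVerdict.warn;
    }
    if (developerMode) return IntegrityVerdict.warn;
    return IntegrityVerdict.allow;
  }

  /// Maps the verdict to the app's reaction; callbacks keep UI out of here.
  static Future<void> enforce(
    IntegrityVerdict verdict, {
    required Future<void> Function() wipeSession, // e.g. TokenVault().clear
    required void Function(String message) notify,
  }) async {
    switch (verdict) {
      case IntegrityVerdict.block:
        await wipeSession(); // do not leave credentials on the device
        notify('This app cannot run on a rooted or jailbroken device.');
        break;
      case IntegrityVerdict.warn:
        notify('Device integrity could not be confirmed; some features are off.');
        break;
      case IntegrityVerdict.allow:
        break;
    }
  }
}
```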

So, these were five steps to make your Flutter app more secure and robust. Other than these, make sure you are protecting the data transferred between your app and your server. You should use SSL or TLS encryption, employ restrictions on network traffic, and confirm that the authentication for your application is infallible.

Conclusion

For a constantly evolving framework like Flutter, security is a very broad subject and can never be summarised in a single blog. Again, no matter how precise and perfect you think your app’s security is, there is no guarantee that your app cannot be misused or tampered with. However, as developers it’s our responsibility to ensure that our application is as secure as possible before releasing it into production.

If you have ever used any of these in your Flutter apps before, or have yet more suggestions let me know in the comments!

Find the code for the implementation in the GitHub repository here —

Also, you can connect with me on LinkedIn here —

And as always, Happy Hacking!!! 😃
