Debug School

rakesh kumar

How to secure a Flutter app?

  1. Code Obfuscation
  2. Background snapshots protection
  3. Local Authentication
  4. Secure Storage
  5. SSL Pinning
  6. Rooting or Jailbreaking protection
  7. Employing strong encryption
  8. Handle sensitive data with care
  9. Some More Important Facts

Code Obfuscation

Code obfuscation is the process of modifying an app's binary so that it is harder for a human to understand. Reverse engineering an unobfuscated Flutter app exposes class, function and field names and, through them, most of your business logic. Flutter's obfuscation renames those symbols in the compiled Dart code, so a decompiler sees meaningless identifiers instead of names like PaymentService.refreshToken, which makes reverse engineering your proprietary app considerably more work.

What it does not do is hide data. String literals are not obfuscated: API keys, endpoint URLs and other strings embedded in Dart code remain readable with a plain strings scan of the binary, and nothing is encrypted. Treat obfuscation as raising the cost of analysis, not as a way to keep a secret inside the app; a secret the attacker must never learn belongs on your server.

Thankfully Flutter makes it very easy to obfuscate an app. Build a release version with the --obfuscate flag combined with --split-debug-info. The second flag writes the symbol maps needed to read obfuscated crash stack traces (with flutter symbolize) into the given directory. Keep that directory out of the app bundle and out of version control: whoever has it can undo the renaming.

For APK:

Single APK for all ABIs:

flutter build apk --obfuscate --split-debug-info=/<directory>

One APK per ABI:

flutter build apk --target-platform android-arm,android-arm64,android-x64 --split-per-abi --obfuscate --split-debug-info=/<directory>

Background snapshots protection
When your app goes into the background, the OS shows a snapshot of its last visible state in the task switcher. That is convenient while switching between apps, but it is undesirable when the last screen showed sensitive user data such as bank account details, and the snapshot is also what a screenshot or screen recording captures.
Method 1

import 'package:flutter_windowmanager/flutter_windowmanager.dart';

await FlutterWindowManager.addFlags(FlutterWindowManager.FLAG_SECURE);
// Enables Android's secure window mode: the window is blanked in the task
// switcher and excluded from screenshots and screen recording.
// flutter_windowmanager is Android only; it has no iOS implementation.

Full Code

import 'package:flutter/material.dart';
import 'package:flutter_windowmanager/flutter_windowmanager.dart';

void main() {
  runApp(
    const MaterialApp(
      home: MyApp(),
    ),
  );
}

class MyApp extends StatefulWidget {
  const MyApp({super.key});

  @override
  State<MyApp> createState() => _MyAppState();
}

class _MyAppState extends State<MyApp> {
  @override
  void initState() {
    super.initState();
    // initState cannot be async, so the platform call is started without
    // awaiting it. FLAG_SECURE blanks this window in the task switcher and
    // blocks screenshots and screen recording (Android only).
    FlutterWindowManager.addFlags(FlutterWindowManager.FLAG_SECURE);
  }

  @override
  Widget build(BuildContext context) {
    return Scaffold(
      body: Container(
        // your app content here
      ),
    );
  }
}

Method 2

Future<void> secureScreen() async {
  await FlutterWindowManager.addFlags(FlutterWindowManager.FLAG_SECURE);
}

@override
void initState() {
  secureScreen();
  super.initState();
}

Adding the dependency (required for either method)

dependencies:
  flutter:
    sdk: flutter
  flutter_windowmanager: ^0.2.0

import 'package:flutter_windowmanager/flutter_windowmanager.dart';

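FLAG_SECURE only exists on Android. On iOS the system takes the task-switcher snapshot when the app resigns active, so the usual approach is to draw an opaque cover as soon as the app leaves the foreground. The following is an added example, not code from the original post or from flutter_windowmanager: a plugin-free wrapper that works on both platforms by observing the app lifecycle. PrivacyGuard and AccountScreen are names chosen for this example, and the balance text is constructed sample data.

```dart
// Added example: cover the UI whenever the app is not in the foreground so the
// task-switcher snapshot (and any screenshot taken then) shows nothing useful.
import 'package:flutter/material.dart';

void main() {
  runApp(const MaterialApp(home: PrivacyGuard(child: AccountScreen())));
}

/// Wraps [child] and covers it while the app is inactive, paused or hidden.
class PrivacyGuard extends StatefulWidget {
  const PrivacyGuard({super.key, required this.child});
  final Widget child;

  @override
  State<PrivacyGuard> createState() => _PrivacyGuardState();
}

class _PrivacyGuardState extends State<PrivacyGuard> with WidgetsBindingObserver {
  bool _covered = false;

  @override
  void initState() {
    super.initState();
    WidgetsBinding.instance.addObserver(this);
  }

  @override
  void dispose() {
    WidgetsBinding.instance.removeObserver(this);
    super.dispose();
  }

  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    // `inactive` is delivered before the snapshot is taken (app switcher opened,
    // incoming call, control centre); `paused`/`hidden` when fully backgrounded.
    // Covering on anything other than `resumed` handles all of them.
    final bool shouldCover = state != AppLifecycleState.resumed;
    if (shouldCover != _covered) {
      setState(() => _covered = shouldCover);
    }
  }

  @override
  Widget build(BuildContext context) {
    return Stack(
      children: <Widget>[
        widget.child,
        if (_covered)
          const Positioned.fill(
            child: ColoredBox(
              color: Colors.white,
              child: Center(child: Icon(Icons.lock_outline, size: 48)),
            ),
          ),
      ],
    );
  }
}

/// Stand-in for a screen that shows sensitive data (constructed sample value).
class AccountScreen extends StatelessWidget {
  const AccountScreen({super.key});

  @override
  Widget build(BuildContext context) {
    return const Scaffold(
      body: Center(child: Text('Balance: 1,234.56')),
    );
  }
}
```

The cover is drawn in the same frame that handles the lifecycle change, which is what makes it land in the snapshot. On Android this is a complement to FLAG_SECURE, not a replacement: the lifecycle cover does nothing against screen recording, whereas FLAG_SECURE does.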

Local Authentication
Local authentication means authenticating the user on the device itself, independently of the screen lock. It is a useful extra gate in front of subscription or payment features: even on an already unlocked phone, the sensitive action asks the user to prove it is really them.
Under the hood it uses the platform APIs: Touch ID, Face ID or the device passcode on iOS, and the fingerprint/biometric APIs on Android (available since Android 6.0). The local_auth plugin wraps both for Flutter apps. Using it breaks down into:

  1. Local Authentication
  2. Required Plugin
  3. Checking for biometric availability
  4. Checking biometric type
  5. Authentication using biometric
  6. Designing a simple App
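As an added example (not code from the original post or from the local_auth project), here is a gate that runs steps 3 to 5 above in front of a payment action, assuming local_auth 2.x. LocalAuthGate, LocalAuthResult, confirm and payIfAuthorised are names chosen for this example; the error-code strings are the ones local_auth documents.

```dart
// Added example: a local-auth gate in front of a payment, using local_auth 2.x.
import 'package:flutter/services.dart' show PlatformException;
import 'package:local_auth/local_auth.dart';

/// Outcome of an on-device authentication attempt (enum chosen for this example).
enum LocalAuthResult { success, failed, notAvailable, notEnrolled, lockedOut, error }

class LocalAuthGate {
  LocalAuthGate([LocalAuthentication? auth]) : _auth = auth ?? LocalAuthentication();
  final LocalAuthentication _auth;

  /// Can this device authenticate locally, and is at least one biometric enrolled?
  Future<LocalAuthResult> probe() async {
    if (!await _auth.isDeviceSupported()) return LocalAuthResult.notAvailable;
    final List<BiometricType> enrolled = await _auth.getAvailableBiometrics();
    if (enrolled.isEmpty) return LocalAuthResult.notEnrolled;
    return LocalAuthResult.success;
  }

  /// Shows the OS prompt; [reason] is the text the user sees in that dialog.
  Future<LocalAuthResult> confirm(String reason) async {
    try {
      final bool ok = await _auth.authenticate(
        localizedReason: reason,
        options: const AuthenticationOptions(
          biometricOnly: true, // do not fall back to the device PIN/pattern
          stickyAuth: true, // keep the prompt alive if the app is briefly backgrounded
          sensitiveTransaction: true, // the default, kept explicit for a payment
        ),
      );
      return ok ? LocalAuthResult.success : LocalAuthResult.failed;
    } on PlatformException catch (e) {
      // Codes as documented by local_auth, compared as literals so the example
      // does not depend on the package's error_codes.dart layout.
      switch (e.code) {
        case 'NotAvailable':
          return LocalAuthResult.notAvailable;
        case 'NotEnrolled':
          return LocalAuthResult.notEnrolled;
        case 'LockedOut':
        case 'PermanentlyLockedOut':
          return LocalAuthResult.lockedOut;
        default:
          return LocalAuthResult.error;
      }
    }
  }
}

/// Runs [pay] only after a successful local authentication and returns the
/// auth result so the UI can explain a refusal (e.g. ask to enrol a fingerprint).
Future<LocalAuthResult> payIfAuthorised(
  LocalAuthGate gate,
  Future<void> Function() pay,
) async {
  final LocalAuthResult result =
      await gate.confirm('Confirm your identity to authorise this payment');
  if (result == LocalAuthResult.success) {
    await pay();
  }
  return result;
}
```

Two caveats a practitioner should keep in mind. With biometricOnly set, a device with no enrolled biometrics fails with NotEnrolled instead of silently falling back to the PIN, so handle that branch. And the boolean that authenticate() returns is decided on the client: on a rooted or jailbroken device an instrumentation framework can force it to true, so this is a user-facing gate, and the server must still authenticate the payment request on its own terms.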

Secure Storage

Handle sensitive data with care
The range of sensitive data is very broad: it covers anything that belongs to a user, for instance passwords, tokens, identifiers and transaction histories.

Here is the list of data categories that OWASP treats as sensitive:

Usernames,
Authentication tokens,
Passwords,
Cookies,
Location data,
UDID/IMEI, device name,
Network connection name,
Personal information (e.g., date of birth, address, Social Security number, credit card data),
Application data,
Stored application logs (e.g., what the ADB logcat tool shows for an Android app),
Debug information,
Cached application messages,
Transaction histories.

Because this data is sensitive, it cannot be stored like ordinary preferences. Flutter offers several ways to store data locally, but the safest choice is the platform's own secure storage: Keychain Services on iOS and the Android Keystore system.

The two systems work somewhat differently, but both keep small pieces of data in a container that is much harder to extract than a plain file on disk. There is already a Flutter plugin for this (flutter_secure_storage), which saves the development team a lot of time while storing sensitive data properly. Note that this protects data at rest only: once the app has read a token into memory, a debugger or instrumentation on a rooted device can still see it.
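As an added example (not code from the original post or from either plugin), here is the weak pattern beside the hardened one, assuming the shared_preferences and flutter_secure_storage 9.x plugins. SecureTokenStore, storeTokenInsecurely and the session_token key are names chosen for this example.

```dart
// Added example: the same session token stored two ways.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:shared_preferences/shared_preferences.dart';

const String _kTokenKey = 'session_token'; // key name chosen for this example

/// Weak pattern. On Android SharedPreferences is a plain XML file under
/// /data/data/<package>/shared_prefs/, readable by anyone with root or a
/// debuggable build; on iOS it is an unencrypted NSUserDefaults plist.
Future<void> storeTokenInsecurely(String token) async {
  final SharedPreferences prefs = await SharedPreferences.getInstance();
  await prefs.setString(_kTokenKey, token);
}

/// Hardened pattern: iOS Keychain and Android Keystore-backed storage.
class SecureTokenStore {
  SecureTokenStore([FlutterSecureStorage? storage])
      : _storage = storage ??
            const FlutterSecureStorage(
              // Android: EncryptedSharedPreferences with its key in the Keystore
              // rather than the plugin's older RSA-wrapped AES scheme.
              aOptions: AndroidOptions(encryptedSharedPreferences: true),
              // iOS: readable after the first unlock following a reboot (so a
              // background refresh can use it), never migrated to another device
              // by backup, and not synced to iCloud Keychain (synchronizable is
              // false by default).
              iOptions: IOSOptions(
                accessibility: KeychainAccessibility.first_unlock_this_device,
              ),
            );

  final FlutterSecureStorage _storage;

  Future<void> save(String token) => _storage.write(key: _kTokenKey, value: token);

  Future<String?> load() => _storage.read(key: _kTokenKey);

  /// Call on logout; otherwise the token outlives the session it belongs to.
  Future<void> clear() => _storage.delete(key: _kTokenKey);
}
```

The choice of accessibility class is the part worth thinking about: unlocked (the default) is stricter but fails for work done while the phone is locked, and the non-this_device variants let the item travel to a new phone through an encrypted backup, which is rarely what you want for a session token.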
