Flutter Security Essentials

It's almost asked to me thrice in recent interviews. Usually I explained about local authentication, prevent screenshots and flutter secure storage. But it has more than that.

Yes, Flutter is completely new. Securing native apps would be more comfortable to do. But actual things, you can do more that in flutter. We can see that step by step.

1. Flutter Secure Storage
Securing Data is very important. Using key value pair, you can achieve it. It's similar like shared_preference, but it can encrypt and decrypt data. 


2. Obfuscate code
For android, usually will do these stuff in ProGuard. 

In app.gradle:

android {

...

buildTypes {

release {

signingConfig signingConfigs.release

minifyEnabled true

useProguard true

proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'

}

}

}


in /android/app/proguard-rules.pro:

# Flutter

-keep class io.flutter.app.** { *; }

-keep class io.flutter.plugin.**  { *; }

-keep class io.flutter.util.**  { *; }

-keep class io.flutter.view.**  { *; }

-keep class io.flutter.**  { *; }

-keep class io.flutter.plugins.**  { *; }

In iOS, 


the compiler strips the symbols and applies optimizations to your code, making it already harder for the motivated attacker to read the compiled output of your code.

There are also paid tools that help you obfuscate your code: iXGuard and Vermatrix.


3. Background Snapshot Protection
In most app banking and fintech apps, they avoiding the background snapshot. Because in app pause, app will showing the some data. may be second person can be steal the data. In flutter we can achieve it through Secure application plugin.

4. Avoid screenshot
When user app holding most sensitive data, you need to put restrictions of taking screenshots. You can use Flutter Window plugin to do that. This is only for android. For ios.

If you're using objective-c:

- (void)applicationWillResignActive:(UIApplication *)application{

    self.window.hidden = YES;

}


- (void)applicationDidBecomeActive:(UIApplication *)application{

    self.window.hidden = NO;

}


If you're using swift:
    override func applicationWillResignActive(_ application: UIApplication) {

        self.window.isHidden = true;

    }

    override func applicationDidBecomeActive(_ application: UIApplication) {

        self.window.isHidden = false;

    }


5. Local Authentication

Local authentication refers to an on-device authentication for the user. This is beneficial if your application has subscriptions or payment features, as it provides an extra layer of authentication after the screen lock. You can use local_auth plugin to do that.

6. Secure Keys

API keys and SDK tokens come in multiple formats but often, it's in a form of a String. It will a lot be easier for any motivated attacker to use your API keys and abuse them if its not encrypted or obfuscated. To prevent that, you can use the flutter_dotenv plugin.

7. Avoid Root Devices

Android devices can be rooted, or iOS devices can be jailbroken, which removes the user’s limits set by the manufacturer. This can introduce malware affecting your application or its data. In such an event, you may want to detect this and take steps accordingly. To prevent this kind of security issues, you can move with flutter_jailbreak_detection plugin.


Even you can use the shield SDK for more secure experience, but it's paid one.

Comments

Popular posts from this blog

Mastering API Development: Why Postman Reigns Supreme Over Swagger

Email Address Validation

Flutter web view