Keeping your Flutter App Secure

Recent years have seen Flutter emerge as one of the most popular cross-platform frameworks for mobile development. Its growth has also been helped by stable releases for Flutter Web and Desktop, and this month it released version 3.0.0.

As developers, we tend to overlook Security when building mobile apps. As emerging technologies like Artificial Intelligence (AI), Virtual Reality (VR), and Augmented Reality (AR) are used to enhance the experience of an app, making it more secure is as important as making it more user-friendly. Hackers also learn from existing AI tools to develop more advanced attacks and attack traditional security systems or even AI-boosted systems. Thus, apps can be vulnerable to attacks, resulting in data leaks or resource misuse.

In this article, we will discuss major app security risks and how you can mitigate them in your Flutter application.

Malicious Code Injections

Getting access to the app database can lead to code injection, another major security threat, that occurs most often through plugins that are not reliable. By getting access to the app database, hackers can inject malicious code, resulting in data loss, data breaches, data tampering, app performance problems, or app crashes. Although such attacks occur occasionally, common app security safeguards are not enough to completely prevent them.

Keep your application's dependencies up to date to mitigate this risk. Make sure you upgrade your package dependencies to maintain their compatibility. The pin shouldn't be pinned to a specific version for your dependencies. If you do, check periodically to see if the dependencies have been updated for security purposes, and update the pin accordingly. Visit https://docs.flutter.dev/development/tools/sdk/upgrading to learn more.

Also, keep current with the latest Flutter SDK releases. Since Flutter is regularly updated, these updates may fix security defects discovered in previous versions.

Code Obfuscation

Code Obfuscation is the process of modifying an app so that it is no longer useful to a hacker but remains fully functional. The purpose of code obfuscation is to prevent unauthorized parties from accessing and understanding an application's logic, allowing them to extract data, tamper with code, exploit vulnerabilities, and more.

You can easily obfuscate your flutter applications. To obfuscate your app, build a release version using the --obfuscate flag, combined with the --split-debug-info flag. The --split-debug-info flag specifies the directory where Flutter can output debug files.

flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory>

This process is supported on Android, iOS, and macOS platforms. Obfuscation is not supported for web apps, but a web app can be minified, which is similar. When you build a release version of a Flutter web app, it is automatically minified.

Background snapshots protection

I'm sure you have seen something similar shown in the image below.

It's a task-switcher that displays a snapshot of the app's last state as if the app had been closed. While navigating between Apps is convenient, sensitive data maybe be displayed like bank account details.

Flutter has a plugin that secures app content visibility when users leave the app. It will hide content in the app switcher and display a frost barrier above locked content when the user gets back. secure_application | Flutter Package

Unauthorized access to your application

The largest security risk is granting access to your app without first authenticating the user's identity. Security and authentication plugins are available in Flutter. Developers may quickly add authentication to an app by incorporating a sign-in plugin. This is beneficial if you are developing apps with payment features. One of the Flutter plugins for Android and iOS devices that allow local authentication via fingerprint, touch ID, face ID, passcode, pin, or pattern. local_auth | Flutter Package

Rooting or Jailbreaking protection

For security reasons, the Android operating system does not allow the user to perform certain operations. In practice, it means the user does not have administrator privileges.

Rooting is the operation that allows the user to obtain system administrator privileges (become “root”). Jailbreaking is the process of exploiting the flaws of a locked-down electronic device to install software other than what the manufacturer has made available for that device. A jailbroken/rooted device cannot hold any software restrictions against the user. Therefore, parts of the device that might have been considered secure by developers are no longer secure.

Flutter jailbreak and root detection plugin will help in detecting this and take major steps accordingly after. flutter_jailbreak_detection | Flutter Package

Conclusion

Today there are over 500,000 apps built with Flutter. However, as developers, it’s our responsibility to ensure that our application is as secure as possible before releasing it into production.

Bear in mind "Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem." - Fred Langa