Flutter Security Essentials

I have been asked about this almost thrice in recent interviews. Usually I explained local authentication, preventing screenshots and Flutter secure storage. But there is more to it than that.

Yes, Flutter is completely new, and securing native apps may feel more comfortable. But in practice you can do more than that in Flutter. Let's go through it step by step.

1. Flutter Secure Storage
Securing data is very important. You can achieve it with key-value pairs. It's similar to shared_preferences, but it encrypts and decrypts the data.


2. Obfuscate code
For Android, this is usually done with ProGuard.

In app.gradle:

    android {
        ...
        buildTypes {
            release {
                signingConfig signingConfigs.release
                // Shrink and obfuscate the release build
                minifyEnabled true
                // Older Android Gradle Plugin versions only; newer ones use R8 by default
                useProguard true
                proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            }
        }
    }


In /android/app/proguard-rules.pro:

    # Flutter
    -keep class io.flutter.app.** { *; }
    -keep class io.flutter.plugin.**  { *; }
    -keep class io.flutter.util.**  { *; }
    -keep class io.flutter.view.**  { *; }
    -keep class io.flutter.**  { *; }
    -keep class io.flutter.plugins.**  { *; }

On iOS, the compiler strips the symbols and applies optimizations to your code, which already makes it harder for a motivated attacker to read the compiled output.

There are also paid tools that help you obfuscate your code: iXGuard and Verimatrix.


3. Background Snapshot Protection
Most banking and fintech apps block the background snapshot, because when the app is paused the snapshot shows some of its data and a second person may be able to steal it. In Flutter we can achieve this with the secure_application plugin.

4. Avoid screenshot
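When your app holds highly sensitive data, you need to restrict screenshots. You can use the Flutter Window plugin to do that, but it works only on Android. On iOS, the following hides the window whenever the app becomes inactive, which keeps its content out of the app switcher snapshot.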

If you're using Objective-C:

    - (void)applicationWillResignActive:(UIApplication *)application {
        self.window.hidden = YES;
    }

    - (void)applicationDidBecomeActive:(UIApplication *)application {
        self.window.hidden = NO;
    }

If you're using Swift:

    override func applicationWillResignActive(_ application: UIApplication) {
        self.window.isHidden = true
    }

    override func applicationDidBecomeActive(_ application: UIApplication) {
        self.window.isHidden = false
    }


5. Local Authentication

Local authentication refers to on-device authentication of the user. This is beneficial if your application has subscriptions or payment features, as it provides an extra layer of authentication after the screen lock. You can use the local_auth plugin to do that.
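
To show how sections 1 and 5 fit together, here is an added example (not code from the original post) that keeps a session token in flutter_secure_storage and releases it only after local_auth succeeds. The class name SessionVault and the key name are hypothetical, and both plugins are assumed to be declared in pubspec.yaml.

```dart
// Added example: assumes the flutter_secure_storage and local_auth packages
// are listed in pubspec.yaml. SessionVault and the key name are hypothetical.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';

class SessionVault {
  SessionVault({FlutterSecureStorage? storage, LocalAuthentication? auth})
      : _storage = storage ?? const FlutterSecureStorage(),
        _auth = auth ?? LocalAuthentication();

  static const _tokenKey = 'session_token'; // constructed key name

  final FlutterSecureStorage _storage;
  final LocalAuthentication _auth;

  /// Stores the token in the platform's encrypted key-value storage.
  Future<void> saveToken(String token) =>
      _storage.write(key: _tokenKey, value: token);

  /// Returns the token only after the user passes on-device authentication.
  /// Returns null when the device cannot authenticate, the user cancels or
  /// fails the prompt, or nothing is stored.
  Future<String?> readToken() async {
    if (!await _unlock()) return null;
    return _storage.read(key: _tokenKey);
  }

  /// Removes the token, for example on logout.
  Future<void> clear() => _storage.delete(key: _tokenKey);

  Future<bool> _unlock() async {
    try {
      // Fail closed: if the device offers no way to authenticate the user,
      // the secret stays locked.
      if (!await _auth.isDeviceSupported()) return false;
      return await _auth.authenticate(
        localizedReason: 'Authenticate to unlock your session',
      );
    } catch (_) {
      // Any plugin error (no enrolled credentials, lockout, ...) denies access.
      return false;
    }
  }
}
```

Every failure path returns null instead of the token, so the calling screen can fall back to a full login.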

6. Secure Keys

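API keys and SDK tokens come in multiple formats, but often they take the form of a String. It is a lot easier for a motivated attacker to use and abuse your API keys if they are not encrypted or obfuscated. To prevent that, you can use the flutter_dotenv plugin. Note that flutter_dotenv loads the .env file as a bundled asset, so it keeps keys out of the source code but the file still ships inside the app package.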

7. Avoid Root Devices

Android devices can be rooted and iOS devices can be jailbroken, which removes the limits the manufacturer places on the user. This can introduce malware that affects your application or its data. In such an event, you may want to detect this and take steps accordingly. To guard against this kind of security issue, you can use the flutter_jailbreak_detection plugin.


You can also use the Shield SDK for a more secure experience, but it's a paid one.
