DEV Community

May Lau

Posted on • Originally published at maylau.hashnode.dev

5 Steps to Secure Flutter App Instantly

1. Know What You Are Using

The Flutter community is strong. Many useful, good-quality packages on pub.dev are ready to hand thanks to open source maintainers, and frontend application development is fast and easy now. Although many packages are of good quality and continuously maintained, it does no harm to take a second to review who publishes a package, its maintenance status and, if possible, its source code. Since the code is written by a third party, taking at least a look is recommended to lower the possibility of shipping vulnerable code. Especially when you are developing an application that handles sensitive user data, a vulnerable package can be a risk of data leakage.

2. Keep Everything Up-to-date

Nothing is perfect. Both the official framework and third party packages keep releasing new versions with security fixes and patches for vulnerabilities. Keeping the Flutter version and the packages at their latest versions gives the application better protection.

3. Restrict Network Traffic

Controlling network traffic between the known servers and your app can stop unexpected connections from performing risky operations. For example, on Android take a look at the Network Security Configuration, an XML config defined in the Android project for blacklisting and whitelisting domains and traffic. iOS has a similar config in Info.plist for trusted domains and traffic; take a look at NSAppTransportSecurity.
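As an added example (not code from the original post), here are the two configurations this step points at, written for a single assumed backend host; api.example.com is a placeholder for your own domain. The Android file disables cleartext (plain HTTP) traffic for every host, trusts only the system CA store in release builds, and lists the known backend explicitly; the iOS excerpt keeps NSAllowsArbitraryLoads off (the common but weak "fix" is to set it to true, which disables App Transport Security entirely) and only tightens the known host. The Android file must be referenced from AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config" on the application element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- File 1: android/app/src/main/res/xml/network_security_config.xml
     Added example. Wire it in AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config"
     api.example.com is a placeholder for your own backend. -->
<network-security-config>
    <!-- Default for every host not listed in a domain-config below:
         no plain HTTP (cleartextTrafficPermitted="true" is the weak setting),
         and only CAs from the system store are trusted, so user-installed
         CAs cannot intercept release traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The known backend, listed explicitly (the "whitelist"). Any host
         not listed here falls back to base-config above. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Optional certificate pinning. Uncomment and replace both
             placeholders with the base64 SHA-256 of the certificate's
             SubjectPublicKeyInfo; always keep a backup pin for rotation,
             otherwise a key rotation locks every installed app out.
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_HASH=</pin>
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_PIN_HASH=</pin>
        </pin-set>
        -->
    </domain-config>

    <!-- Debug builds only (ignored in release): additionally trust
         user-installed CAs so a development proxy can be used. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

<!-- File 2: ios/Runner/Info.plist (excerpt, placed inside the top-level <dict>).
     Added example. NSAllowsArbitraryLoads stays false, so every connection
     must use HTTPS with a modern TLS; the exception-domain entry below does
     not loosen anything, it only pins the minimum TLS version and forward
     secrecy for the known host. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
        </dict>
    </dict>
</dict>
```

A quick check after adding these: run a release build against a plain http:// URL of the backend and confirm the request is refused on both platforms; if it still succeeds, the Android manifest attribute is missing or the plist entry was not placed inside the top-level dict.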

4. Encrypt Sensitive Data Before Boxing

Sometimes we may be forced to store sensitive data locally; encrypting it before storing is a good practice to avoid data leakage. Some popular packages provide easy methods for storing data with encryption: for example, flutter_secure_storage, encrypted_shared_preferences and hive (database) all provide encrypted storage. But, as mentioned previously, this concerns sensitive data, so take a little time to understand the crypto methods each package uses on the different platforms and decide whether they fit what you expect.

5. Obfuscate when Release

Try to turn on the obfuscate option when building the release version. This makes reverse engineering a Flutter app harder.

Currently only Android, iOS and macOS support the obfuscate option.

flutter build <support apk, appbundle, ipa, ios and ios-framework> --obfuscate --split-debug-info=/<project-name>/<directory>

On Android, it is also recommended to enable ProGuard, which obfuscates the Android native code and also minimises the size of the Android app.

/android/app/build.gradle

android {
  buildTypes {
    release {
      // Enables code shrinking, obfuscation, and optimization for only
      // your project's release build type.
      minifyEnabled true

      // Enables resource shrinking, which is performed by the
      // Android Gradle plugin.
      shrinkResources true

      // Includes the default ProGuard rules files that are packaged with
      // the Android Gradle plugin. To learn more, go to the section about
      // R8 configuration files.
      proguardFiles getDefaultProguardFile(
              'proguard-android-optimize.txt'),
              'proguard-rules.pro'
    }
  }
}

/android/app/proguard-rules.pro

# Flutter
-keep class io.flutter.app.** { *; }
-keep class io.flutter.plugin.** { *; }
-keep class io.flutter.util.** { *; }
-keep class io.flutter.view.** { *; }
-keep class io.flutter.** { *; }
-keep class io.flutter.plugins.** { *; }

# Any other classes the packages mentioned

As far as I know, there are mobile security companies that provide paid Flutter app obfuscation solutions, which can also be taken into consideration for highly secure applications.

Reference

  1. Android Proguard
  2. Flutter Security
  3. Network Security Configuration
  4. NSAppTransportSecurity

Connect🍻
GitHub - MayLau-CbL

Twitter - @MayLauDev

Hashnode - @MayLau
