How to make a secure Flutter app?
26.04.2023 | 4 min read
As the popularity of Flutter apps grows, customers ask many questions about the security of their data, and it is not uncommon for clients to inquire about the security measures in place during presales conversations. In this article, I will show an approach to the best practices for securing Flutter applications and minimizing the risk of security exploits. Based on the OWASP Mobile Top 10 security risks, we will also explore ways to address the vulnerabilities that may arise.
OWASP Mobile Application security
The OWASP Mobile Application Security project aims to establish a security standard for mobile apps and provide a comprehensive testing guide for mobile app security testing and reverse engineering. Developers can use OWASP resources and guidelines to build secure applications using Flutter. The focus of the project is to identify and address the security vulnerabilities that are specific to mobile applications, and to provide guidance on best practices for securing mobile apps. I'll take a closer look at several of them.
Improper platform usage
This risk involves the misuse of platform features or the failure to use platform security controls. This can include Android intents, platform permissions, and other vulnerabilities that could compromise the security of the application.
To mitigate this risk, developers should ensure that they are using platform features and security controls correctly and avoiding any misuse that could result in a security breach.
Examples include improper use of Android intents or platform permissions, and on iOS, misuse of Touch ID or the Keychain. To avoid this risk, what we do is:
- we follow best practices and guidelines for each platform we develop for (Android and iOS, in addition to Flutter itself)
- we limit file access permissions
- we secure configuration and code, both on the application side and backend services
- we configure our in-app services so that user data is not transferred
- we encrypt and store data securely, using native or embedded mechanisms.
Our team always keeps the Flutter SDK up to date, as well as all libraries used in projects. We also keep ourselves updated on the latest changes to the publishing guidelines for both Android and iOS, along with the security guidelines published by the Flutter team.
Insecure data storage
This risk involves storing sensitive data on the device in an insecure manner, making it vulnerable to attackers who can easily exploit a stolen device. Examples of insecure data storage include storing data in plain text, using weak encryption, and storing data in publicly accessible locations on the device.
To overcome this risk, developers can use secure coding techniques - such as encryption - to protect sensitive data stored on the device. Additionally, they can use secure storage solutions like Android’s KeyStore and Apple’s Keychain to protect sensitive data. It is also important to avoid using poor encryption libraries, as this can leave the data vulnerable to attacks as well. Finally, developers should perform regular security audits and tests to identify any vulnerabilities and mitigate them before they can be exploited.
To avoid this risk, we need to:
- encrypt all sensitive data effectively
- use code obfuscation
- try to avoid storing and caching data, using server-side solutions instead. There is a lot of data a mobile application can use and store or cache, such as usernames, tokens, passwords, cookies, etc. We also need to pay attention to other types of data that might be revealed, such as application logs, messages, and other development-related artifacts.
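An added example (not code from the original article) of the "store data securely using native mechanisms" point: a session token kept in the Android KeyStore-backed encrypted preferences or the iOS Keychain via the flutter_secure_storage package, instead of a plain-text preferences file. The package dependency and the key name are assumptions.

```dart
// Added example, not from the original article. Assumes pubspec.yaml depends
// on flutter_secure_storage; the key name below is made up for illustration.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Storage key for the session token (hypothetical name).
const String kSessionTokenKey = 'session_token';

class TokenStore {
  TokenStore()
      : _storage = const FlutterSecureStorage(
          // Android: EncryptedSharedPreferences, key managed by the KeyStore.
          aOptions: AndroidOptions(encryptedSharedPreferences: true),
          // iOS: Keychain item readable only after first unlock and not
          // restored onto a different device from a backup.
          iOptions: IOSOptions(
            accessibility: KeychainAccessibility.first_unlock_this_device,
          ),
        );

  final FlutterSecureStorage _storage;

  /// Persist the token after login. SharedPreferences is the wrong tool here:
  /// it writes an unencrypted XML/plist file that is trivially readable on a
  /// rooted or jailbroken device.
  Future<void> save(String token) =>
      _storage.write(key: kSessionTokenKey, value: token);

  /// Returns null when no session is stored; never log the returned value.
  Future<String?> load() => _storage.read(key: kSessionTokenKey);

  /// Call on logout so the secret does not outlive the session.
  Future<void> clear() => _storage.delete(key: kSessionTokenKey);
}
```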
Insecure communication
Most mobile applications exchange data in a client-server scheme. When this communication occurs, data traverses either a mobile (GSM) or Wi-Fi network and the internet. If the communication lacks encryption, an attacker is able not only to steal the data, but also to execute Man-in-the-Middle (MitM) attacks. The best solutions to mitigate this threat are:
- applying SSL/TLS protocol to transport channels to encrypt data transmission
- using strong authentication methods
- implementing multi-factor authentication (MFA) to protect against unauthorized access
To protect against potential vulnerabilities, it is recommended to do regular security audits and tests. Additionally, developers should ensure that they use the latest security protocols and libraries, as older versions may have known vulnerabilities that can be exploited by attackers.
The most common approach to handling this risk, which we also use, is to apply a mechanism called certificate or public key pinning. Basically, it is a method that relies on server certificate verification on the client side. It requires the server certificate to be known to the mobile app in advance. When a connection is made to the server, the app compares the pinned certificate with the one presented by the remote server. If they are identical, the connection is valid.
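The pinning check described above, written as an added example with dart:io (this is not the article's or the team's own code). The PEM certificate and the leaf fingerprint are placeholders to be replaced with your server's values, and package:crypto is assumed to be in pubspec.yaml.

```dart
// Added example, not from the original article. Placeholders below must be
// replaced with the real server certificate before this will connect.
import 'dart:convert';
import 'dart:io';
import 'package:crypto/crypto.dart'; // assumption: package:crypto dependency

// PLACEHOLDER: PEM of the certificate the app trusts (your leaf or own CA).
const String kPinnedCertPem = '''-----BEGIN CERTIFICATE-----
REPLACE-WITH-YOUR-SERVER-CERTIFICATE
-----END CERTIFICATE-----''';

// PLACEHOLDER: lowercase hex SHA-256 of the server's DER-encoded leaf cert.
const String kPinnedLeafSha256 = 'replace-with-hex-sha256-of-leaf-der';

class PinningFailure implements Exception {
  PinningFailure(this.message);
  final String message;
  @override
  String toString() => 'PinningFailure: $message';
}

/// Client that trusts only the pinned certificate, not the device root store,
/// so the TLS handshake itself fails against any other chain.
HttpClient buildPinnedClient() {
  final ctx = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(utf8.encode(kPinnedCertPem));
  return HttpClient(context: ctx)
    // Never let application code "accept anyway" on a bad chain.
    ..badCertificateCallback = (X509Certificate c, String h, int p) => false;
}

/// Defence in depth: compare the leaf actually presented with the pinned hash.
/// The request headers have already been sent once a response exists, so the
/// SecurityContext above remains the primary control.
Future<String> fetchPinned(Uri url) async {
  final client = buildPinnedClient();
  try {
    final response = await (await client.getUrl(url)).close();
    final cert = response.certificate;
    if (cert == null) throw PinningFailure('no TLS certificate presented');
    final seen = sha256.convert(cert.der).toString();
    if (seen != kPinnedLeafSha256) {
      throw PinningFailure('leaf fingerprint $seen does not match the pin');
    }
    return await response.transform(utf8.decoder).join();
  } finally {
    client.close(force: true);
  }
}
```

Pinning the leaf means every certificate renewal needs an app update; pinning your own intermediate or CA, or shipping a backup pin, avoids locking users out at rotation time.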
Insecure authentication
The fourth risk involves the use of weak or vulnerable authentication methods that can be easily exploited by attackers to gain unauthorized access to the application, its data, or backend services. The most common examples are low-complexity, short or dictionary passwords, passwords stored in plain text, and insecure authentication protocols. What can we do to avoid the above? There are a few approaches:
- avoid local authentication methods, and push this responsibility to the server
- don’t store sensitive data (like passwords) locally
- implement multi-factor authentication
As developers, we also remember to protect our own identities. The team has developed several methods to protect its data: sensitive material such as keys, keystores and configuration data is stored either locally by each developer or in encrypted form.
Client code quality
Last, but not least, is the risk involving poor coding practices. Client code quality issues arise when third-party libraries used in the project pass untrusted input to the app for execution. Attackers can exploit these issues to execute malicious code. If the application relies on a local or remote database, SQL injection is still possible, and an SQLite database is likely not secure enough for sensitive data.
Consistent coding patterns and coding style guidelines that are widely accepted within the team and the organization help improve code quality.
We introduced and systematized a set of best practices in our team, and every new team member is familiarized with them during onboarding. When writing code, we pay attention to minimizing the data and functions exposed to the user. Handling bad input is always a case for unit testing. A good code review process is another simple mitigation, and we can reinforce the effect of code review with static analysis tools, which often detect poor coding practices.
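The SQL injection point above, as an added example (not the article's code): the same SQLite lookup written with string interpolation, which is injectable, and with bound parameters, which is not. The sqflite package, the table and the column names are assumptions.

```dart
// Added example, not from the original article. Assumes the sqflite package;
// the "notes" table and its columns are made up for illustration.
import 'package:sqflite/sqflite.dart';

/// Injectable: user input is spliced into the SQL text, so a title containing
/// a single quote changes the meaning of the statement.
Future<List<Map<String, Object?>>> findNoteUnsafe(Database db, String title) {
  return db.rawQuery("SELECT id, body FROM notes WHERE title = '$title'");
}

/// Fixed: the value travels as a bound parameter and is never parsed as SQL.
/// The same applies to rawQuery when it is given an arguments list.
Future<List<Map<String, Object?>>> findNote(Database db, String title) {
  return db.query(
    'notes',
    columns: ['id', 'body'],
    where: 'title = ?',
    whereArgs: [title],
  );
}

/// Inserts also go through the parameter-binding API rather than string
/// building; note that the SQLite file itself is still unencrypted at rest,
/// so secrets belong in the Keychain/KeyStore, not in this table.
Future<int> addNote(Database db, String title, String body) {
  return db.insert('notes', {'title': title, 'body': body});
}
```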
Flutter security - recap
As you can see, there is a lot to think about when it comes to securing mobile applications. Every development team focused on delivering a secure mobile application should investigate these topics very thoroughly.
Security is a crucial aspect of mobile apps, particularly fintech and banking apps, which handle sensitive financial and personal data. Developers must ensure that their applications are secure against any potential threats.
Overall, security should be a top priority for companies, and especially developers who build mobile apps in Flutter. By implementing robust security measures and conducting regular security audits, they can help protect users’ sensitive data and build trust with their customers.