10 Tips to Secure Your Flutter Mobile Apps:
1. Stay up-to-date
Getting your Flutter SDK, plugins, and packages up-to-date is the easiest and one the best ways to secure your apps.
2. Obfuscate code
The compiled binaries and code of your apps can be reversed engineered. Some of the things that can be exposed include the strings, method and class names, and API keys.
Dart comes with code obfuscation argument – obfuscate in addition to the build command, which can be used to obfuscate code.
3. Secure API keys
API keys come in multiple formats but often, it’s in a form of a String. It will a lot be easier for any motivated attacker to use your API keys and abuse them if its not encrypted or obfuscated.
4. Restrict network traffic
Most apps are connected to the internet, whether to a third-party service provider or to their own servers. Typically, the exchange of information happens on a Transport Secure Layer, a.k.a. TLS, to provide a secure connection between your mobile apps and your servers.
Trusted network
One way to restrict network traffic or connection to an unsecured endpoint is through explicitly whitelisting your domain.
Certificate Pinning
You can also implement certificate pinning for your apps to restrict the secure connection to particular certificates. This ensures that the connection between your apps and your servers is trusted and authentic.
5. Limit permissions
Permissions is way for your apps to access hardware or native APIs of your users’ devices. In choosing a plugin, you should always check whether the plugin has dubious permission request.
6. Secure user data
Personally identifiable information, a.k.a. PII, is the most critical data that you don’t want to store on your apps, because when expose, you’re company is in big trouble.
But there are instances where PII is needed, eg. for offline-first apps. When needed, you can use flutter_secure_storage for storing PII or other sensitive data such as auth token.
7. Integrate local authentication
8. Secure your developer identity
Files like keystore, keystore.properties, Google Service Account or any secrets that can expose your developer identity should be encrypted at all times when tracking them in a repository.
Create a directory and use GPG to encrypt it.
9. Secure your CI infrastructure
Depending on whether your CI infrastructure is self-hosted or using services like Github Actions, you should be aware of what’s going on in your VMs and workflows.
Latest updates
To ensure that your apps are running in a secured environment, you should always keep your VMs up-to-date or be on a lookout for any security vulnerabilities (eg. OS updates for Linux for Android or macOS VMs for iOS)
10. Enforce strict access control
This is not Flutter related, but it’s good to have for your team.
Access Board
If you don’t have it yet, create an Access board for your team and that contains the. tickets created for each request made to access service/s. This allows your team to have transparency and record on who’s requesting for access, when, who’s provisioning it and why, etc.
