You should not need to compromise on security just because you are using a higher-level framework rather than developing native apps.
Our Approov Flutter Quickstart allows you to get up and running with Approov easily, whether you are building a new app or adapting an existing one to have an improved security posture.
We provide an open source Flutter package that you include in your project; it mediates access to the underlying Approov native modules. Once you have downloaded the Approov SDK and added it to our Flutter package, the changes you need to make to your app in order to send Approov tokens are minimal. You add an import of our Flutter package and, instead of using the HTTP client from Flutter’s http package, you use an ApproovClient.
This automatically adds special Approov tokens to the headers of your API calls. The tokens prove to a backend API that the call is really coming from your official app, and not from anything else trying to spoof requests. You control which versions of the app are valid, and also which characteristics of the runtime environment are allowed.
Moreover, this also enables certificate pinning in your app automatically, to further heighten its security posture. You can manage the pins using the Approov cloud, and changes are automatically sent down to your apps over the air, making it unnecessary to push a new version to the app store or to force an update. More details on Approov dynamic certificate pinning are available in the Approov documentation.
Approov has advanced detections for debugging, rooted and jailbroken devices, and the presence of certain frameworks that might be tampering with your app. You can choose to block apps running on such devices from receiving valid tokens by updating an Approov security policy.
Here are links to the different Quickstarts, with an insight into how easy the code changes for integrating Approov are:
Flutter HTTP Client: If your code uses the HttpClient class from the dart:io library or the Flutter HTTP package, then all you need to do is use ApproovHttpClient or ApproovClient instead. This automatically adds the Approov token to all of your requests and deals with pinning.
Flutter GraphQL Todo App: This is an Approov integration example for a mobile app built with Flutter and using GraphQL and WebSockets. Simply use our modified drop-in replacement packages, and adding Approov tokens to all of your requests and pinning are taken care of.
Flutter Elixir Phoenix Channels Echo-Chamber App: This is an Approov Quickstart with a mobile app built with Flutter, demonstrating GraphQL subscriptions and using a backend with Elixir Phoenix Channels. All that is required is to use our modified drop-in replacement packages; adding Approov tokens to all of your requests and pinning are then automatic.
If you have any questions about why or how to use Approov in your project, or if there are other platforms you would like to see supported, then please get in touch.