How Do I Protect My Flutter App?

Google’s open source Flutter has quickly become one of the most popular development toolkits for building cross platform mobile applications. In this article we will examine what security is built-in to Flutter mobile apps and recommend additional layers which you may wish to consider for your mobile projects.

What Mobile App/API Threats Should I be Concerned About?

There are three main threat vectors that should be considered when you are deploying mobile apps:

• Scripts: Software operated by hackers that generates API requests which look identical to those that your mobile app produces and which include valid credentials such as API keys, usernames/passwords and/or OAuth tokens. These scripts bypass your mobile app and attack your backend systems through your APIs with the intention of extracting data, committing fraud or bringing down your services.
• Modified apps: Repackaged apps where your mobile apps have been changed by hackers in order to do something different from what was intended. If genuine users can be tricked into installing such modified apps then personal data may be stolen or fraudulent transactions may take place.
• Manipulated apps: Genuine mobile apps running on compromised mobile devices under the control of hackers may be used to intercept or manipulate data in your apps to commit fraud.

Looking at the list above you might have expected to see some other security issues, for example:

• Vulnerabilities in the app code: These are bugs in your software which could be exploited to enable hackers to access data in your mobile apps. Almost all vulnerability exploits are carried out via scripts as described above. 
• Reverse engineering of the app code: This allows hackers to extract useful secrets such as API keys and hardcoded URLs which provide the required credentials to make effective scripts, as described above. It also enables modification and repackaging of mobile app code, also described above.

It is therefore clear that if you can prevent the 3 main threat vectors of scripts, modified apps and manipulated apps then you are protecting yourself against the negative consequences of vulnerabilities in your code and reverse engineering of your code. 

In other words, if you are able to put a shield around your mobile app/device and around the APIs that service your apps, you will be protected against those three key threat vectors.

How Does Flutter Help With These Identified Threats?

As you might expect from Google, the Flutter platform does have a number of security features in it as standard and together they do provide some protection. Specifically:

• Obfuscation: There is a Flutter obfuscation capability to make reverse engineering the app code more difficult, but unfortunately this only covers Dart code. Therefore you may wish to consider a 3rd party code obfuscation tool; free and commercial options exist.
• TLS and certificate pinning: It’s good to see that security of APIs that service Flutter apps is well supported. However, it should be noted that certificate pinning can be bypassed by a determined hacker. For more details on this and how to implement effective protection against Man-in-the-Middle attacks on your APIs, check out our whitepaper on this topic.
• Secure storage: Again, it’s great to see a good quality mechanism to store sensitive data at rest. The problem of course is that this data will spend some time in transit and it needs to be protected then as well. Effective certificate pinning is helpful here, especially if it is alongside off-device storage of secrets. We have a whitepaper in this area too.
• Root/jailbreak detection: In the early days of mobile apps, root and jailbreak was quite rare and so it was reasonable to assume that anybody doing that was likely to be a bad actor. Hence it is good that Flutter has such a detection within it. However, these days everything has many more shades of grey. There are multiple legitimate reasons for rooting and jailbreaking mobile devices so in most business situations it is not acceptable to block on this basis alone. It is necessary instead to implement a much more nuanced position where a series of factors are considered alongside the root/jailbreak detection to identify nefarious activity.

While these in-built capabilities are a good first step, when considering the main threats against a mobile business, it should be clear that they are not enough. A specialist mobile app and API security platform, if fully compatible and integrated into Flutter, will provide comprehensive security on day 1 but also on all subsequent days as existing threats evolve and new ones emerge. 

Recommendations

A mobile development platform is designed for the rapid and efficient creation of mobile apps. It is not reasonable to expect that such a platform can deliver all the required security that your mobile business needs.

In fact, since keeping up to date with global threats is already a full-time occupation, it would frankly be dangerous to believe that a mobile development platform could remain secure over time. 

In the first instance, use a security solution that immediately shields your mobile app and its APIs. If you can ensure that only genuine instances of your mobile app, running on safe mobile devices, can use your APIs, you have implemented an effective shield that will protect you from all scripts, modified apps and manipulated apps. 

Approov can help you achieve this goal and has Flutter support available out of the box. You’ll find Approov easy to integrate and simple to deploy in a Flutter context. 

Contact us today and speak to one of our security experts to get a clear understanding of how we can help you to protect your users and your business.