Original article: https://medium.com/@mohammadEzzo/securing-flutter-apps-3cd1aedda088

Most applications today handle payments or store personal data of some importance, which raises the risk of that data being exploited or exposed by an attacker.

In this article I describe the most effective practices for reducing the risk of security vulnerabilities in Flutter applications and for putting as many roadblocks as possible in an attacker's way. None of this guarantees that an application is 100% secure; the goal is to raise the cost of an attack.

Let us begin.

Protect the communication layer

https://www.guardsquare.com/en/blog/ios-ssl-certificate-pinning-bypassing

When an attacker targets an application, one of the first things they do is inspect what is passed between the application and the backend server.

1- Use strong transport encryption

Use TLS (the successor of SSL) for every connection. It is easy to add and hard to compromise when configured correctly: HTTPS only, TLS 1.2 or later, and no fallback to plain HTTP. The platform configurations in the next step enforce the "no plain HTTP" part.

If you handle particularly sensitive data, you may need to go a step further and tunnel the application's traffic through a VPN-like layer of your own.

2- Limit network traffic

One way to limit network traffic, and in particular connections to insecure endpoints, is to declare explicitly which domains the application talks to and how.

In a Flutter application this is configured separately for each platform:

Android:

Create the file android/app/src/main/res/xml/network_security_config.xml and reference it from the <application> element of AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config" (without that attribute the file is ignored). Place your server certificate, in PEM or DER form, in res/raw/ as well. Then put the following in the XML file:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Default for every other host: system CAs only, cleartext HTTP refused. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <!-- For your own domain, trust only the bundled certificate in res/raw/. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">YOURDOMAIN.com</domain>
        <trust-anchors>
            <certificates src="@raw/YOURCERTIFICATE"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

iOS:

Add this to the Info.plist file (App Transport Security settings):

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>YOURDOMAIN.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <true/>
      <!-- Keep this false: true would permit plain HTTP to your own API. -->
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <false/>
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <true/>
    </dict>
  </dict>
</dict>

Replace YOURDOMAIN.com with your server's domain name.

Note what these configurations do and do not do. Neither the Android network security config nor iOS App Transport Security blocks connections to other domains; the application can still open a connection to any host from Dart or native code. What they enforce is how connections are made: cleartext HTTP is refused, TLS 1.2 or later is required, and (on Android) only the certificate you bundled is trusted for your own domain. Restricting which hosts the application may contact at all is something you must do in your own HTTP client code.

3- Certificate pinning

SSL pinning addresses the MITM (Man In The Middle) attack: an attacker who can install a certificate authority on the device, or who controls a CA the system trusts, can otherwise present their own certificate for your domain and read the traffic.

How do you do it?

In simple terms, you obtain the server certificate file from the backend developer and pin it in the application's HTTP client, so that the client treats this certificate, and only this certificate, as trusted. If a MITM proxy presents a different certificate, the TLS handshake fails and the API call is aborted.

So let's implement this in Flutter:

The certificate will most likely arrive with a ".cer" extension. Flutter's SecurityContext cannot load that DER file directly from an asset, so convert it to ".pem" with this command:

openssl x509 -inform der -in Certificate.cer -out Certificate.pem

"Certificate" is just the file name; choose your own.

Then add the certificate as an asset in pubspec.yaml.

Now, using the Dio package to make all requests in the application (this is the Dio 4 adapter API; in Dio 5 the adapter is IOHttpClientAdapter and the hook is its createHttpClient parameter):

import 'dart:io';
import 'package:dio/adapter.dart';
import 'package:dio/dio.dart';
import 'package:flutter/services.dart' show rootBundle;

Future<Dio> pinnedDio() async {
  final dio = Dio();
  // Load the PEM certificate bundled as an asset.
  final ByteData bytes = await rootBundle.load('assets/Certificate.pem');
  (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate = (client) {
    // A fresh SecurityContext contains no system roots, so the bundled
    // certificate is the only trust anchor for every connection of this client.
    final SecurityContext sc = SecurityContext();
    sc.setTrustedCertificatesBytes(bytes.buffer.asUint8List());
    return HttpClient(context: sc);
  };
  return dio;
}

In this code we read the certificate from the asset and add it as the sole trusted certificate of the HttpClient behind the Dio instance.

Now, when this Dio instance makes a request to any other server, or to a MITM proxy presenting a certificate for your domain, the server's chain does not terminate at the pinned certificate and the handshake fails.

Two caveats a practitioner should plan for. First, a pinned leaf certificate expires: when the backend rotates it, every installed app version stops working, so pin the intermediate or root instead, or ship a backup pin and a way to update pins. Second, this check runs on a device the attacker controls; tools exist that patch or hook the TLS validation at runtime (the Guardsquare link above describes this for iOS), so pinning raises the cost of interception but does not make it impossible.
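The Dio code above trusts a whole certificate file as a root. A variant many teams prefer is fingerprint pinning: compare the SHA-256 hash of the certificate the server actually presents against a small set of known hashes, which makes a planned rotation (current plus next certificate) easy to express. The following is an added example, not code from the original article, written against dart:io directly so it works with any HTTP client; it assumes package:crypto is in pubspec.yaml, and the host name, path and the two hash values are placeholders you replace with your own.

```dart
import 'dart:convert';
import 'dart:io';
import 'package:crypto/crypto.dart';

/// Placeholder host; replace with your API host.
const String pinnedHost = 'api.yourdomain.com';

/// SHA-256 fingerprints (lowercase hex) of the DER-encoded certificates we
/// accept. Keep at least two so a certificate rotation does not brick the
/// app: the current certificate plus the next one (or the issuing
/// intermediate if you pin at that level). These values are placeholders.
/// Compute a real one with:
///   openssl x509 -in Certificate.pem -outform der | openssl dgst -sha256
const Set<String> pinnedSha256 = {
  '0000000000000000000000000000000000000000000000000000000000000000',
  '1111111111111111111111111111111111111111111111111111111111111111',
};

/// SHA-256 over the certificate's DER bytes, as lowercase hex.
String fingerprint(X509Certificate cert) => sha256.convert(cert.der).toString();

/// The pinning decision, kept as a pure function so it can be unit-tested
/// without a network: accept only if the host is the one we expect AND the
/// presented fingerprint is in the pin set.
bool acceptCertificate(String fp, String host,
    {required String expectedHost, required Set<String> pins}) {
  return host == expectedHost && pins.contains(fp);
}

/// An HttpClient with no system roots at all. Every server chain therefore
/// fails default validation, which makes badCertificateCallback run for
/// every connection and become the single place where trust is decided.
HttpClient pinnedHttpClient() {
  final context = SecurityContext(withTrustedRoots: false);
  final client = HttpClient(context: context);
  client.badCertificateCallback = (X509Certificate cert, String host, int port) {
    return acceptCertificate(fingerprint(cert), host,
        expectedHost: pinnedHost, pins: pinnedSha256);
  };
  return client;
}

/// Example request. A MITM proxy presents a certificate whose fingerprint is
/// not pinned, the callback returns false and the handshake is aborted with
/// a HandshakeException before any application data is sent.
Future<String> fetchAccount() async {
  final client = pinnedHttpClient();
  try {
    final request = await client.getUrl(Uri.https(pinnedHost, '/v1/account'));
    final response = await request.close();
    return await response.transform(utf8.decoder).join();
  } on HandshakeException catch (e) {
    throw StateError('TLS pinning failed for $pinnedHost: $e');
  } finally {
    client.close();
  }
}
```

With Dio 5 the same client can be supplied through IOHttpClientAdapter(createHttpClient: pinnedHttpClient). Pinning the certificate hash still ties the app to a specific certificate; pinning the hash of the SubjectPublicKeyInfo instead survives renewals that reuse the key pair, at the cost of parsing the DER structure, which is why the example pins the whole certificate and keeps a second entry for the next one.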

4- Make authentication hard to break

After the application's data flow, the next most common attack vector is any weakness in its authentication scheme.

Two-factor authentication against the server is therefore necessary and worth the effort.

You also need to pay attention to how you handle things like token issuance and key exchange. At a minimum these must run over the TLS channel set up above; never send credentials or session tokens over an unauthenticated connection, and keep access tokens short-lived.

So far we have done what we can to protect the transport layer between the application and the server.

Now we begin to protect the application itself.

Protect the application

Figure: basic structure of an Android app. Source: Pranay Airan.

1- Obfuscation

Compiled binaries and application code can be reverse engineered. What gets exposed includes strings, method and class names, and API keys, either in raw form or as plain text.

Build the release with the --obfuscate flag, and keep the symbol files written by --split-debug-info so that crash stack traces can still be symbolized with flutter symbolize:

flutter build appbundle --obfuscate --split-debug-info=/<directory>

Be clear about what this buys you: --obfuscate renames Dart identifiers (classes, methods, fields) in the AOT snapshot. String literals are not touched, so an API key or secret embedded in Dart code is still recoverable from the binary; the only safe place for such a secret is a server you control.

On the native side you handle this per platform:

Android

In the /android/app/build.gradle file, add the following:

android {
    ...
    buildTypes {
        release {
            signingConfig signingConfigs.release
            // minifyEnabled turns on R8 (code shrinking and obfuscation).
            // The old "useProguard true" line is rejected by current Android
            // Gradle Plugin versions and must be omitted.
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

Create a ProGuard rules file at /android/app/proguard-rules.pro so the Flutter engine classes loaded via reflection are not stripped or renamed:

# Flutter
-keep class io.flutter.app.** { *; }
-keep class io.flutter.plugin.** { *; }
-keep class io.flutter.util.** { *; }
-keep class io.flutter.view.** { *; }
-keep class io.flutter.** { *; }
-keep class io.flutter.plugins.** { *; }

R8/ProGuard not only obscures the native (Java/Kotlin) part of your application but also shrinks it, which reduces the size of the Android build. It does not affect the Dart code, which is why the --obfuscate flag above is still needed.

iOS

For the Objective-C or Swift part of an iOS build, release builds strip debug symbols and the compiler optimizes the code, which makes the compiled output harder to read. This is stripping, not obfuscation: class and selector names survive in the Objective-C runtime metadata.

There are also paid tools that obfuscate the code properly, such as iXGuard and Verimatrix.

2- Jailbroken and rooted devices

Jailbroken iOS devices and rooted Android devices grant applications more privileges than the platform intends, so malware on such a device can bypass the normal protections, read other apps' storage, or hook your application at runtime.

flutter_jailbreak_detection is a package that helps you detect whether your application is running on a jailbroken or rooted device.

It uses RootBeer on Android and DTTJailbreakDetection on iOS.

It is easy to use:

import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';

// Both checks go through a platform channel, so they are asynchronous.
bool jailbroken = await FlutterJailbreakDetection.jailbroken;
bool developerMode = await FlutterJailbreakDetection.developerMode; // Android only

https://pub.dev/packages/flutter_jailbreak_detection

Keep in mind that this check runs on hardware the attacker controls: a hooking framework can simply make it return false. Treat the result as a risk signal (log it, report it to the backend, restrict high-value actions) rather than as the only line of defence.

3- Protect user data

Do not keep sensitive user data in shared preferences or a plain sqflite database: both are ordinary files in the app sandbox, readable on a rooted or jailbroken device or from a backup. Sensitive data must be stored encrypted, and for that you can use flutter_secure_storage.

https://pub.dev/packages/flutter_secure_storage

This package keeps the data in the iOS Keychain and encrypts it with a key held in the Android Keystore.

It is also worth clearing cached data automatically once it has expired, so that a stolen device does not yield session tokens that are months old.
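The following is an added example, not code from the original article, showing the two points above together: a conservatively configured flutter_secure_storage instance, and values written with an expiry so that stale secrets are purged on read and by a periodic sweep. It assumes flutter_secure_storage 5.x to 9.x (the AndroidOptions and IOSOptions shown exist there; check the current README for newer majors); the key names, the JSON envelope and the function names are our own.

```dart
import 'dart:convert';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Keychain/Keystore-backed store with a conservative configuration:
/// on Android, EncryptedSharedPreferences (key material in the Keystore);
/// on iOS, items readable only after the first unlock and not restored
/// onto a different device from a backup.
const FlutterSecureStorage _storage = FlutterSecureStorage(
  aOptions: AndroidOptions(encryptedSharedPreferences: true),
  iOptions: IOSOptions(
    accessibility: KeychainAccessibility.first_unlock_this_device,
  ),
);

/// Pure helper: has an absolute expiry (milliseconds since epoch) passed?
bool isExpired(int expiresAtMs, DateTime now) =>
    now.millisecondsSinceEpoch >= expiresAtMs;

/// Store [value] under [key] with a time-to-live. The stored record is a
/// small JSON envelope {"v": value, "exp": expiryMs}.
Future<void> putWithTtl(String key, String value, Duration ttl,
    {DateTime? now}) async {
  final expiresAt = (now ?? DateTime.now()).add(ttl).millisecondsSinceEpoch;
  await _storage.write(key: key, value: jsonEncode({'v': value, 'exp': expiresAt}));
}

/// Read [key] only if it is still fresh. An expired entry is deleted
/// immediately and null is returned; a stale secret is never handed back.
Future<String?> getIfFresh(String key, {DateTime? now}) async {
  final raw = await _storage.read(key: key);
  if (raw == null) return null;
  final Map<String, dynamic> env;
  try {
    env = jsonDecode(raw) as Map<String, dynamic>;
  } on FormatException {
    return null; // not one of our envelopes; treat as absent
  }
  if (isExpired(env['exp'] as int, now ?? DateTime.now())) {
    await _storage.delete(key: key);
    return null;
  }
  return env['v'] as String;
}

/// Sweep every entry and delete the expired ones. Call this on app start
/// and on resume; it returns the number of entries removed.
Future<int> purgeExpired({DateTime? now}) async {
  final all = await _storage.readAll();
  final current = now ?? DateTime.now();
  var removed = 0;
  for (final entry in all.entries) {
    try {
      final env = jsonDecode(entry.value) as Map<String, dynamic>;
      if (isExpired(env['exp'] as int, current)) {
        await _storage.delete(key: entry.key);
        removed++;
      }
    } on FormatException {
      continue; // values not written through putWithTtl are left alone
    }
  }
  return removed;
}

/// Usage: a session token that the app forgets after eight hours.
Future<void> rememberSession(String token) =>
    putWithTtl('session_token', token, const Duration(hours: 8));
```

Storing an expiry next to the value is a client-side convenience, not a substitute for server-side token expiry: the backend must still reject an old token regardless of what the device chose to keep.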

4- Use local authentication

Suppose a user's phone is stolen with your application already installed, and it holds payment information.

To prevent casual access to the application in that situation, use this package for biometric (or device passcode) authentication in front of sensitive screens:

https://pub.dev/packages/local_auth

Note that local_auth only returns a yes/no answer from the operating system; it does not unlock any key material. An attacker who can patch the application can skip the check, so for high-value operations such as a payment the server should additionally require step-up authentication of its own.
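Putting sections 2 and 4 together, here is how the two signals are typically combined in front of a sensitive screen: an added example, not code from the original article, assuming flutter_jailbreak_detection and local_auth 2.x are in pubspec.yaml. The policy (risky device does not hard-block, but does forbid "remember me" and always requires a fresh local authentication for payments) and all function and class names are our own choices.

```dart
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';
import 'package:local_auth/local_auth.dart';

/// Device-integrity signals gathered before a sensitive screen is shown.
class DeviceRisk {
  final bool jailbroken;
  final bool developerMode;
  const DeviceRisk({required this.jailbroken, required this.developerMode});
  bool get elevated => jailbroken || developerMode;
}

/// What the caller is allowed to do after the checks.
class AccessDecision {
  final bool allowPayment;
  final bool allowRememberMe;
  const AccessDecision({required this.allowPayment, required this.allowRememberMe});
}

/// Collect the signals. Detection runs on hardware the attacker controls,
/// so a failure to query is treated as "risky", never as "safe".
Future<DeviceRisk> probeDevice() async {
  try {
    final jb = await FlutterJailbreakDetection.jailbroken;
    final dev = await FlutterJailbreakDetection.developerMode; // Android only
    return DeviceRisk(jailbroken: jb, developerMode: dev);
  } on PlatformException {
    return const DeviceRisk(jailbroken: true, developerMode: true);
  }
}

final LocalAuthentication _auth = LocalAuthentication();

/// Biometric or device-credential check in front of a sensitive action.
/// Fails closed: unsupported device, nothing enrolled, user cancellation
/// and any platform error all yield false.
Future<bool> requireLocalAuth(String reason) async {
  try {
    if (!await _auth.isDeviceSupported()) return false;
    return await _auth.authenticate(
      localizedReason: reason,
      options: const AuthenticationOptions(
        biometricOnly: false, // allow the device PIN/passcode as fallback
        stickyAuth: true, // keep the prompt alive if the app briefly backgrounds
      ),
    );
  } on PlatformException {
    return false;
  }
}

/// The policy as a pure function so it can be unit-tested without a device.
/// A risky device is not blocked outright (that only invites bypass patches
/// and support tickets), but it may not persist the "remember me" secret.
AccessDecision decide(DeviceRisk risk, bool authenticated) {
  return AccessDecision(
    allowPayment: authenticated,
    allowRememberMe: authenticated && !risk.elevated,
  );
}

/// Entry point for the payment-details screen.
Future<AccessDecision> gatePaymentDetails() async {
  final risk = await probeDevice();
  final ok = await requireLocalAuth('Confirm it is you to view payment details');
  if (risk.elevated) {
    // Hypothetical backend call: the server, not the client, should apply
    // step-up authentication or transaction limits for risky devices.
    // await api.reportDeviceRisk(risk);
  }
  return decide(risk, ok);
}
```

The reason the policy is split out into decide() is that it is the one piece that changes as your threat model changes, and it is the piece you can cover with plain unit tests; the two probes around it are platform calls you can only exercise on a device.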

5- Background snapshot prevention

When an application goes to the background, the operating system takes a snapshot of its last visible state for the task switcher. It is therefore necessary to prevent that snapshot from capturing an account balance or payment details.

This can be solved with the secure_application package:

https://pub.dev/packages/secure_application

This plugin lets you hide your application's content while it is not in the foreground, so it cannot be viewed from the task switcher, and optionally require authentication before the content is shown again.

Summary

Ultimately, this is what users and employers expect of you as a developer.

I also want to mention that "How do you protect your Flutter application?" is one of the most common questions mobile app developers get in job interviews, so I hope this will be useful.


© Cat Brother (独立开发者_猫哥)