The original
medium.com/@mohammadEz…
reference
- www.guardsquare.com/en/blog/iOS…
- www.freecodecamp.org/news/openss…
- www.freecodecamp.org/news/what-i…
The body of the
Currently, most apps contain payments or store some important personal data, increasing the risk that the data could be exploited or exposed by attackers.
In this article, I will talk about the most effective practices to minimize the risk of any security breach in the Flutter application and to set up as many roadblocks as possible in any attacker’s way. Of course, this doesn’t guarantee that your application is 100% secure.
Let’s get started
Protective communication layer
www.guardsquare.com/en/blog/ios…
When an attacker locks down an application, one of the first things they do is see if they can intercept any data passing between the application and the server back end.
1- Use high encryption:
You can do this by using protocols like SSL and TLS, which are easy to add to your code and hard to compromise.
If you’re dealing with particularly sensitive data, you might even need to go a step further and build a VPN-like solution into your application.
2- Limit network traffic
One way to limit network traffic or connections to insecure endpoints is to explicitly whitelist domain names.
To do this in the Flutter app, we need to do a few steps for each platform:
android :
go to the android folder and create this file under
Go to the Android folder and create the following file
res/xml/network_security_config.xml
Copy the code
Then copy this and add it to the created XML file:
<? xml version="1.0" encoding="utf-8"? > <network-security-config> <domain-config> <domain includeSubdomains="true">YOURDOMAIN.com</domain>
<trust-anchors>
<certificates src="@raw/YOURCERTIFICATE"/>
</trust-anchors>
</domain-config>
</network-security-config>
Copy the code
for ios:
add this to the info.plist file:
Add this to the info.plist file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>YOURDOMAIN.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
Copy the code
Then replace YOURDOMAIN.com with your server domain name.
Doing so ensures that your application is not allowed to communicate with any other domain.
3- Certificate of Recognition
SSL pinning tackles The MITM (Man In The Middle) attack.
How did you do that?
In a simple language, you would get a server certificate file from a back-end developer and pin the certificate to each API call. Therefore, the HTTP client will treat this certificate as a trusted certificate. Now, if MITM occurs and the application gets some incorrect certificates, the API call will be interrupted due to the incorrect handshake.
So let’s implement this Flutter:
The most likely certificate extension will be. “.cef “but this extension is not readable in flutter, so we need to convert it to”.pem “using this command.
_openssl x509 -inform der -in_ Certificate_.cer -out_ Certificate_.pem_
Copy the code
A certificate is a file name that you can use yourself.
The certificate is then added as an asset to Pubspec.yaml.
Now with the Dio package, we can manage all requests in the application:
final dio = Dio(); ByteData bytes = await rootBundle.load('assets/Certificate.pem');
(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate = (client) {
SecurityContext sc = SecurityContext();
sc.setTrustedCertificatesBytes(bytes.buffer.asUint8List());
HttpClient httpClient = HttpClient(context: sc);
return httpClient;
};
Copy the code
In this code, we read the certificate from the asset and add it to the HTTP client of the DIO instance as a trusted certificate.
Now, when making any request to another server using this DIO instance, we will get a handshake error because the server’s certificate is invalid.
4- Make your identity bulletproof
In addition to your application’s data stream, the next most common attack vector is any weakness in its authentication method.
Therefore, two-factor authentication with the server is both necessary and desirable.
In addition, you need to be careful how you handle things like key exchanges. At a minimum, you should use encryption to keep these transactions secure.
- So far, we have done our best to secure the transport layer with the server.
Now let’s start protecting the application itself.
protection
Basic knowledge of Android app. Source — Pranay Airan.
1- Fuzzy coding
The compiled binaries and application code can be reverse-engineered. The things you can expose include strings, method and class names, and API keys. The data is either in raw form or plain text.
- What you can do is use
--obfuscate
Parameter when creating your APK.
flutter build appbundle --obfuscate --split-debug-info=/<directory>
Copy the code
From a local perspective, you need to deal with this by:
android
In the/android/app/build. Gradle file, add the following content:
android {
...
buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled true
useProguard true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'}}}Copy the code
Create a ProGuard profile in/Android /app/ proGuard-rules.pro:
# Flutter
-keep class io.flutter.app. {*; } -keepclass io.flutter.plugin. {*; } -keepclass io.flutter.util. {*; } -keepclass io.flutter.view. {*; } -keepclass io.flutter. {*; } -keepclass io.flutter.plugins. {*; }Copy the code
With ProGuard, it not only obfuscates your code, it also helps you reduce the size of your Android apps.
iOS
If you compile iOS using Objective-C or Swift, the compiler will remove these symbols and optimize your code, making it difficult for an attacker to read the compiled output of your code.
There are also paid tools that help you blur your code: iXGuard and Vermatrix.
2- Jailbreak and rooting equipment
Jailbroken iOS and Android devices have more privileges that can bring malicious software to users’ devices to bypass their normal operation.
Flutter_jailbreak_detection is a software package that helps you detect whether your app is running on a jailbroken or grounded device.
It uses RootBeer on Android, and DTTJailbreakDetection on Android, and DTTJailbreakDetection on iOS.
And it’s easy to use:
import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';
bool jailbroken = await FlutterJailbreakDetection.jailbroken;
bool developerMode = await FlutterJailbreakDetection.developerMode; _// android only._
Copy the code
Pub. Dev/packages/fl…
3- Protect user data
To store sensitive user data, you should not use shared preferences or SQFlite because it is easy to open on any device and because you need to encrypt stored data, you can use Flutter_secure_storage instead.
Pub. Dev/packages/fl…
This package uses Keystore for Android and Keychains for iOS.
It is also worth setting a periodic time to automatically clear expired data caches.
4. Use local authentication
Suppose the user’s phone is stolen and your application is already installed on the phone and it has some payment information 🙂
To prevent any access to your application, you should use this package using biometric authentication.
Pub. Dev/packages/lo…
5- Background snap prevention
When an application is contextualized, the operating system takes a snapshot of the last visible state in the task switcher. Therefore, preventing background snapshots from capturing account balances and payment details is highly desirable.
The secure_application package solves this problem
Pub. Dev/packages/se…
His plugin allows you to protect your app’s content from being clicked to view.
conclusion
Ultimately, as a developer, that’s what everyone expects of you.
I also want to mention “How do I protect your Flutter application?” Is the most common question mobile app developers ask in job interviews, so I hope this will be useful.
The elder brother of the © cat
-
ducafecat.tech/
-
github.com/ducafecat
-
Ducafecat WeChat group
-
B station space.bilibili.com/404904528