Flutter Tutorial

How to secure flutter application code


Today, we learn how to secure Flutter application code. Most applications handle payments and store users' personal data, which increases the risk of that data being exploited by attackers. So in this Flutter article we learn how to secure Flutter application code.

In this article, I will discuss practices that minimize the risk of security exploits in Flutter and put as many roadblocks in an attacker's way as possible. They do not guarantee that your app is 100% secure.

Securing Flutter application.

So let's start learning how to secure your app, with the following steps for securing Flutter application code and apps.

Protecting the communication Layer.

One of the first things an attacker will look for when targeting an app is whether they can intercept any of the data passing between it and your server backend.


Employing strong encryption:

To employ strong encryption, use protocols such as SSL/TLS, which are simple to add to your code and very difficult to compromise. If you are dealing with particularly sensitive data, you may want to go a little further and build a VPN-type solution right into your app.

Restricting network traffic.

One way to restrict network traffic, or connections to an unsecured endpoint, is to explicitly whitelist your domain. To do that in a Flutter app, there are a few steps for each platform:


Android:

For Android, go to the android folder and create this file under the resource XML directory:

res/xml/network_security_config.xml

Then copy the following into the created XML file:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">codeplayon.com</domain>
        <trust-anchors>
            <certificates src="@raw/YOURCERTIFICATE"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

For iOS:

Add this to the Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>codeplayon.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>

Then replace codeplayon.com with your server domain. Doing this will ensure that your application is not allowed to communicate with any other domain.

SSL Certificate Pinning for secure Flutter application code

SSL certificate pinning mitigates the Man-in-the-Middle (MITM) attack and helps secure a Flutter application.

How to solve the Man-in-the-Middle (MITM) attack?

In simple terms, you get the server certificate file from the backend developer and pin that certificate for every API call, so the HTTP client treats only this certificate as trusted. If a MITM takes place and the app is presented with a bad certificate, the API calls fail with a handshake error.

So let's implement SSL pinning in Flutter. Most probably the certificate extension will be .cer, but this format is not readable in Flutter, so we need to convert the file to .pem using this command:

openssl x509 -inform der -in Certificate.cer -out Certificate.pem

Certificate is the file name; you can use your own.

After that, add the certificate as an asset and declare it in pubspec.yaml.

Now, using the Dio package, we will manage all the requests in the app:

import 'dart:io';
import 'package:dio/adapter.dart';
import 'package:dio/dio.dart';
import 'package:flutter/services.dart';
final dio = Dio();
ByteData bytes = await rootBundle.load('assets/Certificate.pem');
(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate = (client) {
  SecurityContext sc = SecurityContext();
  sc.setTrustedCertificatesBytes(bytes.buffer.asUint8List());
  HttpClient httpClient = HttpClient(context: sc);
  return httpClient;
};

In this code, we are reading the certificate from the assets and adding it as a trusted certificate to the HTTP client of the Dio instance. Now when this Dio instance makes a request to another server, we get a handshake error because that server's certificate is not the pinned one.
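As an added example (not code from the original article), here is a pinned Dio 4.x client that trusts only the bundled certificate and fails closed when the handshake error described above occurs. It assumes assets/Certificate.pem is declared in pubspec.yaml and uses a hypothetical endpoint https://codeplayon.com/api/profile.

```dart
// Added example: pinned Dio client plus fail-closed error handling.
// Assumes assets/Certificate.pem is declared in pubspec.yaml; the
// endpoint /api/profile is a placeholder for illustration.
import 'dart:io';

import 'package:dio/adapter.dart';
import 'package:dio/dio.dart';
import 'package:flutter/services.dart' show rootBundle;

Future<Dio> createPinnedDio() async {
  final pem = await rootBundle.load('assets/Certificate.pem');
  final dio = Dio(BaseOptions(baseUrl: 'https://codeplayon.com'));
  (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
      (HttpClient client) {
    // withTrustedRoots: false means the OS root store is not consulted,
    // so the bundled certificate is the only trust anchor for this client.
    final context = SecurityContext(withTrustedRoots: false)
      ..setTrustedCertificatesBytes(pem.buffer.asUint8List());
    final pinned = HttpClient(context: context);
    // Never accept a certificate that failed validation: returning true
    // here would silently defeat the pin.
    pinned.badCertificateCallback = (cert, host, port) => false;
    return pinned;
  };
  return dio;
}

Future<Map<String, dynamic>?> fetchProfile(Dio dio) async {
  try {
    final response = await dio.get<Map<String, dynamic>>('/api/profile');
    return response.data;
  } on DioError catch (e) {
    if (e.error is HandshakeException) {
      // The presented certificate does not match the pin: either a MITM,
      // or the server rotated its certificate and the app still ships the
      // old one. Fail closed instead of retrying without the pin.
      return null;
    }
    rethrow;
  }
}
```

Because the pinned file is the server's leaf certificate, plan a rotation: ship the new certificate in an app update before the old one expires, or every request will fail with this same handshake error.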

Make Authentication Bulletproof

Besides your Flutter app's data streams, the next most common attack vector to eliminate is weakness in its authentication methods. Two-factor authentication with your server is both necessary and worth implementing.

You also need to pay attention to how you handle things like key and data exchanges. At a minimum, you should encrypt data to keep those transactions secure. So far we have done our best to protect the transport layer between the app and the server.
