How Developers Secure Flutter™ Mobile Apps in 2022
Most companies now interact with their customers through mobile apps. According to a CNBC report, up to 75% of users will access the Internet only from their smartphones by 2025. As that share grows, more bad actors will target mobile apps, through reverse engineering and tampering, to steal intellectual property, money, or sensitive data.
Mobile app market dynamics are also pushing companies to optimize the time and cost of development. Frameworks like React Native, Ionic, and Cordova let development teams build mobile apps from a single codebase. Those tools make it easier to maintain apps without separate iOS and Android teams, but they often introduce overhead (a JavaScript bridge or a WebView) that makes cross-platform apps slower than native ones.
Flutter addresses these performance issues without compromising the user experience: release builds compile Dart to native machine code, and the framework renders its own widgets, so apps look and behave the same across screens and devices.
But, what about security?
We polled 300 developers on how they secure their Flutter apps. The results show that 75% of respondents underestimate mobile app security, either by doing nothing or, at best, by relying only on DIY techniques.
40% of respondents do nothing to improve Flutter mobile app security
The common misconception among these respondents is that Flutter apps are secure by design because they are compiled to native code. Compilation is no protection: a release binary can still be disassembled, its strings extracted, and its behavior patched or hooked. All mobile apps have a similar attack surface no matter the underlying technology, so it is crucial to apply app hardening measures that prevent intellectual property theft, financial fraud, and leaks of user data.
Attacking Flutter apps can even be easier than targeting "standard" mobile apps, because a single codebase produces both the Android and the iOS app: any security flaw in the shared Dart code is inherited by both. In addition, every Flutter app ships the same Flutter engine and Dart runtime, so an analysis or hooking technique developed against the engine transfers to every app that bundles it.
Another issue is the string literals in your code. In a release build they sit in cleartext inside the compiled Dart snapshot (libapp.so on Android, App.framework on iOS), where a tool as simple as strings will list them. Backend API URLs, API credentials, and decryption keys are typical examples. Encrypting them helps only if the key needed to decrypt them is not itself recoverable from the app.
Moreover, bad actors can tamper with your Flutter app while it is running. Attackers can install it in an insecure environment, such as a rooted or jailbroken device, and then use debuggers or hooking tools such as Frida to alter the app's behavior at runtime. A malicious actor could, for example, bypass license checks to access premium content in a media app, cheat in a mobile game, or commit fraud in a financial services app. Tampering can even harm users directly, as in mHealth apps that deliver treatments to patients.
35% of respondents use a DIY approach to secure their Flutter mobile apps
Code obfuscation transforms an app's binary to make its internals and behavior harder for humans to understand. Different techniques hide different things: name obfuscation replaces the names of functions and classes with meaningless labels, control-flow obfuscation restructures the logic, and string encryption hides literals.
The Flutter SDK ships a basic form of this, but it is off by default: passing --obfuscate together with --split-debug-info=<directory> to flutter build (apk, appbundle, ios, and so on) renames Dart identifiers in the release build and writes the symbol map to that directory, so crash stack traces can later be decoded with flutter symbolize. ProGuard and R8 are a different tool: they only shrink and obfuscate the Java and Kotlin part of an Android app and never touch the Dart code.
The respondents in this group enable Flutter's name obfuscation, but on its own it is a weak measure: it only renames Dart identifiers, while string literals, the control flow, and the engine's own symbols remain as they were, so an experienced reverse engineer works around it quickly. Other developers in this group use open source libraries to add extra security checks such as root or debugger detection. This DIY approach has drawbacks, too.
Implementing security on your own is time-consuming and error-prone. The protections have to be maintained and re-applied with every release. Open-source libraries can themselves be a source of security issues, and when vulnerabilities are found and fixed it can take years for the patched library to reach all the affected applications. You also need a dedicated team that tracks the threat landscape to stay ahead of new attack techniques. Finally, manually implemented security checks are often much easier to bypass: a root or debugger check that boils down to one function returning a boolean can be patched or hooked at a single location.
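To make concrete what name obfuscation does and does not hide, and why cleartext strings are a problem on their own, here is an added Python example. It is not code from the original post, from Flutter, or from Guardsquare. It models a stripped binary as a constructed byte blob holding Dart-style symbol names and string literals, re-implements the strings utility over it, applies a stand-in for Flutter's name obfuscation, and then runs a secrets scanner on what is left. SYMBOLS, LITERALS, the filler bytes and the regular expressions are all constructed for the example; a real libapp.so has a different layout, but the result is the same: after renaming, the function names are gone while the URL and the keys are still readable.

```python
import re

# Constructed sample data for this example (not from any real app): the
# human-readable Dart symbol names and string literals a release snapshot may hold.
SYMBOLS = ["PaymentService", "validateLicense", "isPremiumUser", "decryptContent"]
LITERALS = [
    "https://api.example.com/v1/charge",   # backend API URL
    "sk_live_EXAMPLEKEY0123456789",        # hypothetical API credential
    "QUVTLUtFWS1FWEFNUExFLTAwMDE=",        # hypothetical base64 key material
    "Premium unlocked",                    # harmless UI text
]

# Patterns a practitioner greps for in `strings` output (constructed, not exhaustive).
SECRET_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "api_key": re.compile(r"\b(sk|pk)_(live|test)_[A-Za-z0-9]{16,}"),
    "base64_blob": re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$"),
}


def build_blob(symbols, literals):
    """Pack names and literals into one byte string, separated by non-printable
    filler, as a stand-in for the data sections of a stripped binary."""
    blob = bytearray()
    for item in list(symbols) + list(literals):
        blob += b"\x00\x8f\x01\xfe"          # opaque bytes: code, pointers, padding
        blob += item.encode("utf-8")
    return bytes(blob + b"\x00")


def extract_strings(blob, min_len=4):
    """Minimal re-implementation of the `strings` utility: every run of at least
    min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for byte in blob:
        if 0x20 <= byte <= 0x7E:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def obfuscate_names(symbols):
    """Model of name obfuscation (what Flutter's --obfuscate does to Dart
    identifiers): each name becomes a short meaningless label. The returned map
    is the kind of information kept in --split-debug-info for symbolizing crashes."""
    return {name: "_" + format(i, "x") for i, name in enumerate(symbols)}


def find_secrets(candidates):
    """Classify extracted strings against SECRET_PATTERNS; first match wins."""
    hits = []
    for text in candidates:
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                hits.append((kind, text))
                break
    return hits


def compare(symbols, literals):
    """Return (names readable before obfuscation, names readable after,
    secrets still found after). Only the names change; literals are untouched."""
    before = extract_strings(build_blob(symbols, literals))
    mapping = obfuscate_names(symbols)
    after = extract_strings(build_blob([mapping[s] for s in symbols], literals))
    names_before = [s for s in symbols if s in before]
    names_after = [s for s in symbols if s in after]
    return names_before, names_after, find_secrets(after)


if __name__ == "__main__":
    names_before, names_after, secrets = compare(SYMBOLS, LITERALS)
    print("names visible before obfuscation:", names_before)
    print("names visible after obfuscation: ", names_after)
    for kind, text in secrets:
        print(f"still recoverable after obfuscation [{kind}]: {text}")
```

Run it with python3 and the only readable items left after renaming are the literals, including all three secrets: exactly the data that name obfuscation was never designed to hide. On a real Android build the equivalent check is running strings on lib/<abi>/libapp.so from the APK and grepping for URLs and key-like tokens; anything that shows up there belongs on the server, or at least behind string encryption whose key is not itself in the binary.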
Protect Your Flutter Mobile Apps with Guardsquare
Even though Flutter apps compile to native code, they carry risks similar to apps built with other technologies. Doing nothing about Flutter app security can have serious consequences for app publishers, such as lost revenue or damage to the company's brand, and most DIY strategies are not resilient enough against those risks. Developers should therefore adopt automated, no-code mobile app security tooling that protects Flutter apps.
Guardsquare’s mobile application shielding solutions apply code hardening and runtime application self-protection (RASP) to your Flutter apps with several layers of protection. By using a polymorphic approach, each new app release gets a new set of protections, forcing a potential bad actor to start the attack from scratch.
The mobile threat landscape keeps evolving, so Guardsquare's engineers are constantly updating the protection techniques to stay ahead of malicious actors. This lets app publishers improve their security posture without additional effort. Finally, seamless integration into CI/CD pipelines lets developers address security during the software development life cycle without slowing down delivery, so app publishers can quickly ship secure Flutter apps for both iOS and Android.