Free Mobile App Security Testing for Flutter Developers
While Flutter enables you to rapidly create beautiful and high-performing apps for Android and iOS, it doesn’t automatically guarantee your app’s security. So, how can you ensure your Flutter mobile app is safe, resilient, and free from vulnerabilities - without dealing with complex or costly setups?
This is where AppSweep comes in. Flutter's impressive versatility results in app bundles with an architecture that many analysis tools do not support. As a result, testing Flutter apps with conventional mobile app security analysis software often only reveals a few platform-independent issues. In addition, the internal structure of apps is not stable across even minor version updates. Analysis tools could stop working, or worse, provide a false sense of security. AppSweep now offers dedicated scanning capabilities for Flutter mobile apps, including the latest version, Flutter 3.27. Our team is committed to ensuring compatibility by updating AppSweep promptly with each new Flutter release.
With just a few clicks, you can create an AppSweep account, upload your app, and run a comprehensive security scan. No complicated configurations, no fees - just fast, actionable insights to help you understand and address potential risks. AppSweep ensures your app is secure before it reaches your users, giving you peace of mind without interrupting your development workflow.
In this blog post, we’ll walk you through how to scan your app for free in just minutes and review the actionable results AppSweep provides to enhance your mobile app security posture. We’ll also showcase examples of findings your app might have and explain why addressing these issues is crucial for safeguarding your product and your reputation.
How to scan Flutter mobile apps
AppSweep can analyze Flutter mobile apps for both Android and iOS. There are two ways to start the analysis: you can either upload the app’s archive manually via the web or use the command line interface (CLI). Uploading via the web is a quick way to check the state of an app; the CLI is the best option for running the analysis automatically as part of the build or release process, for example in continuous integration (CI).
Neither approach requires you to upload any source code to AppSweep, since AppSweep works on the release bundles. These are the same files you will upload to the app store, which will then be distributed to the users.
Manual upload
First, you need to create a release build. For Android apps that is the following command:
flutter build apk --release
For iOS apps, this is the command:
flutter build ios --release
The result is an .apk archive for Android and an .ipa file for iOS. It is important to create a release build (the default); otherwise the app cannot be analyzed.
Next, navigate to AppSweep and create an account. In the following upload screen, select Android or iOS, upload your .apk or .ipa, and briefly wait for the analysis to finish.
This can take from a few seconds to a few minutes, depending on the size and structure of your app. After that, AppSweep displays the results of the scan.
Automated upload
Another option is to add AppSweep as a part of your build pipeline using the CLI. To use the CLI, navigate to the “App Settings” in the project you want to use, and create an API key. This key should be stored in an environment variable called APPSWEEP_API_KEY.
You can then create a new scan with the CLI:
The CLI also accepts many options, e.g. --browser to directly open a browser with the scan result. See the documentation for a full reference.
To benefit from regular scanning, you can add this command to your build system, and regularly upload a newly built app for scanning.
Viewing the results
Once your scan has finished, you can view the results directly in AppSweep.
AppSweep will show you a concise summary of what it found in your application, as well as a detailed list. You can easily filter the list and drill down further into each finding to get a detailed explanation of why it is a problem and what you can do about it.
Flutter mobile app security issues
AppSweep analyzes all parts of an app, including libraries and metadata generated by Flutter, such as the AndroidManifest.xml file. This might result in more findings than you expected; for example, your app could include a native library from a third party. So, how can you identify Flutter-specific security issues in AppSweep?
Findings in Dart code are marked with a small Flutter logo next to the description:
By clicking on this line, you can inspect all findings of that type to see their exact location in your code, and get recommendations on how to improve or fix the issues.
Let's look at some examples of findings in Flutter apps.
SQL injections
Although mostly known from web applications, SQL injections can be an issue in Flutter mobile apps, too.
In this sql_example function, the function SqfliteDatabaseExecutorMixin.rawQuery is called with a parameter that is only known at runtime. If an attacker is able to manipulate that value, for example by choosing a malicious username, they might be able to extract or modify arbitrary data in that database.
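To make the finding concrete, here is an added example (not code from the AppSweep post or from the sqflite project) showing the interpolated rawQuery call that gets flagged next to the parameterized forms that fix it. It assumes the sqflite package, an open Database handle, and a users table with id and name columns; the allowlist of table names is a constructed illustration.

```dart
// Added example, not code from the post. Assumes the sqflite package, an
// open Database handle, and a table `users` with `id` and `name` columns.
import 'package:sqflite/sqflite.dart';

/// Flagged pattern: the runtime value is interpolated into the SQL text, so
/// rawQuery receives a statement whose structure depends on user input. A
/// username containing quote characters changes the query itself, not just
/// the value being compared.
Future<List<Map<String, Object?>>> sqlExampleVulnerable(
    Database db, String username) {
  return db.rawQuery("SELECT id, name FROM users WHERE name = '$username'");
}

/// Fixed: the SQL text is constant and the value is passed as a bound
/// argument. SQLite substitutes it as data, so it can never alter the query.
Future<List<Map<String, Object?>>> sqlExampleSafe(
    Database db, String username) {
  return db.rawQuery('SELECT id, name FROM users WHERE name = ?', [username]);
}

/// Same query through the typed helper; whereArgs are bound the same way.
Future<List<Map<String, Object?>>> sqlExampleHelper(
    Database db, String username) {
  return db.query('users',
      columns: ['id', 'name'], where: 'name = ?', whereArgs: [username]);
}

/// Identifiers (table or column names) cannot be bound as arguments. When
/// one has to come from runtime data, check it against a fixed allowlist
/// before it goes anywhere near the SQL string. (Constructed allowlist.)
const Set<String> _allowedTables = {'users', 'sessions'};

Future<List<Map<String, Object?>>> dumpTable(Database db, String table) {
  if (!_allowedTables.contains(table)) {
    throw ArgumentError.value(table, 'table', 'not an allowlisted table');
  }
  return db.rawQuery('SELECT * FROM $table');
}
```

The rule of thumb the scanner encodes is simple: the string handed to rawQuery (or to where in query) should be a compile-time constant, and every runtime value should arrive through the arguments list. Anything else, including a value that looks harmless today, is a finding worth fixing at the call site.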
Insecure cryptography
A common issue is the usage of outdated or weak cryptographic operations. For example, the MD5 algorithm is known to be insecure, because attackers can generate collisions (different data with the same MD5 hash value) easily. If your app uses weak hashing algorithms, AppSweep will identify it. Here is what such a finding looks like:
You can see that in the hash_example function, there is a call to MD5() that was flagged. If possible, this call should be replaced with a more modern alternative. AppSweep will give you recommendations - in this case, to use SHA-256 instead.
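As an added example (not code from the post), the following pure-Dart snippet shows the flagged MD5 call alongside the SHA-256 replacement, and goes one step further than the finding: when a digest is meant to detect tampering, a keyed HMAC and a constant-time comparison are what actually provide that guarantee. It assumes the crypto package from pub.dev; the message and key are constructed sample values.

```dart
// Added example, not code from the post. Assumes package:crypto from pub.dev.
import 'dart:convert';
import 'dart:typed_data';
import 'package:crypto/crypto.dart';

/// Flagged pattern: an MD5 digest. Collisions are cheap to produce, so MD5
/// gives no integrity guarantee against an active attacker.
String hashExampleMd5(String data) =>
    md5.convert(utf8.encode(data)).toString();

/// Fixed: SHA-256 from the same package; the call site changes in one place.
String hashExampleSha256(String data) =>
    sha256.convert(utf8.encode(data)).toString();

/// If the digest is meant to prove that data was not tampered with, a plain
/// hash is not enough: anyone can recompute it over modified data. Use an
/// HMAC with a key that only the verifier holds.
Uint8List integrityTag(List<int> key, List<int> data) =>
    Uint8List.fromList(Hmac(sha256, key).convert(data).bytes);

/// Compare digests in constant time so verification timing does not leak
/// how many leading bytes matched.
bool digestsEqual(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

void main() {
  const message = 'hello flutter'; // constructed sample input
  // Constructed demo key: a real key would come from secure storage or a
  // server-side session, never from a string literal in the app bundle.
  final key = utf8.encode('constructed demo key');

  print('md5    : ${hashExampleMd5(message)}');
  print('sha256 : ${hashExampleSha256(message)}');

  final tag = integrityTag(key, utf8.encode(message));
  final again = integrityTag(key, utf8.encode(message));
  print('tag verifies          : ${digestsEqual(tag, again)}');

  final tampered = integrityTag(key, utf8.encode('hello flutter!'));
  print('tampered tag verifies : ${digestsEqual(tag, tampered)}');
}
```

One caveat a scanner cannot decide for you: if the value being hashed is a user password, neither MD5 nor a bare SHA-256 is the right tool, because both are fast enough to brute-force. Password storage needs a salted, deliberately slow password hash, which is a different finding from the one shown above.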
API key leakage
It can be difficult to ensure that an app does not contain any secret API keys that should not be made public. For example, if a developer forgot to remove their personal API access token from a release build, it can be trivial for attackers to extract it from the bundle and misuse the key.
AppSweep will flag known key formats and point you to its usage.
Data leaks
Flutter apps can have access to sensitive information, for example the user’s location or personal information. This information should be handled securely and not leaked to log files or to insecure storage. This is an example of a finding that shows a data flow from a sensitive data source (a location) to an insecure sink:
All such data flows should be reviewed carefully to determine whether this is intended behavior.
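As an added example (not code from the post), the snippet below reproduces the shape of such a source-to-sink flow in plain Dart and shows two ways to break it: keep coordinates out of the log entirely, or coarsen them before they leave the app. LocationFix is a constructed stand-in for a location plugin's position object, so the code runs without a plugin or a device.

```dart
// Added example, not code from the post. `LocationFix` is a constructed
// stand-in for the position object a location plugin would return.
import 'dart:developer' as developer;
import 'dart:math' show pow;

class LocationFix {
  final double latitude;
  final double longitude;
  final double accuracyMeters;
  const LocationFix(this.latitude, this.longitude, this.accuracyMeters);
}

/// Flagged flow: a sensitive source (the user's position) reaches an
/// insecure sink (the device log, readable by other tooling on the device
/// and often swept into crash reports).
void logLocationVulnerable(LocationFix fix) {
  print('user at ${fix.latitude}, ${fix.longitude}');
}

/// Fixed: log only what is needed to debug the feature, which is rarely the
/// coordinates themselves. Accuracy tells you whether the fix was usable
/// without saying where the user is.
void logLocationSafe(LocationFix fix) {
  developer.log(
    'location fix obtained (accuracy ${fix.accuracyMeters.round()} m)',
    name: 'geo',
  );
}

/// When some position information must leave the app (analytics, for
/// example), coarsen it first. One decimal place of latitude/longitude is
/// roughly an 11 km cell: enough to know the region, not the street.
LocationFix coarsen(LocationFix fix, {int decimals = 1}) {
  final factor = pow(10, decimals).toDouble();
  double roundTo(double v) => (v * factor).roundToDouble() / factor;
  return LocationFix(
    roundTo(fix.latitude),
    roundTo(fix.longitude),
    fix.accuracyMeters,
  );
}

void main() {
  // Constructed sample fix; a real one would come from the location plugin.
  const fix = LocationFix(50.85045, 4.34878, 12.0);

  logLocationSafe(fix);

  final coarse = coarsen(fix);
  // Only the coarsened value would be handed to an analytics sink.
  print('coarse cell: ${coarse.latitude}, ${coarse.longitude}');
}
```

The same review applies to storage sinks: sensitive values that genuinely have to persist belong in the platform's secure storage (Keychain on iOS, the Keystore-backed options on Android) rather than in plain preference files or application-private files that a backup or a rooted device exposes.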
Secure your Flutter mobile app with AppSweep
Securing your Flutter mobile app against vulnerabilities is key and can be easily achieved using AppSweep. With AppSweep, scanning your app for potential security issues is fast, free, and requires no complicated setup. Within minutes, you can upload your app and receive detailed insights to help you address risks and ensure your app is robust and secure before it reaches your users.
If you’re curious about the technical details of how mobile app security testing works or the unique challenges of analyzing Flutter apps, stay tuned! We’ll explore these topics in depth in upcoming blog posts, helping you gain a deeper understanding of app security and how to make your Flutter projects even more resilient.
Meanwhile, you can scan your Flutter app for free, now.