As app publishers look to reduce development time, lower costs, and standardize user experiences across platforms, mobile app development teams have increasingly turned to hybrid development. Flutter – a cross-platform mobile app software development kit – enables app developers to build native, hybrid apps for Android, iOS, and other platforms using a single codebase.
Clearly, Flutter presents a number of benefits for mobile app developers. But the security risks that remain should not be overlooked: a streamlined approach to mobile app development doesn’t prevent malicious actors from reverse engineering or tampering with your app.
Why is protecting hybrid apps needed now? An increasing number of companies are adopting Flutter across industries, including financial services, healthcare, media, entertainment, e-commerce and retail. Growing popularity means more money at stake, so malicious actors are increasingly attacking Flutter apps using reverse engineering and tampering for financial gains, to steal IP, and more. Many in the Flutter community recognized the need for adequate app security, and Guardsquare had the mobile app security expertise to deliver a solution. After hearing the Flutter community was looking for a solution to mitigate these risks, Guardsquare has extended its mobile app protection solutions, DexGuard (Android) and iXGuard (iOS), to support application hardening capabilities for Flutter apps.
The Growth of Flutter
The growth of hybrid mobile development is rooted in app publishers’ efforts to more cost-efficiently support both iOS and Android devices while still delivering highly performant apps. This is where JavaScript frameworks, like React Native, Cordova, and Ionic, can fall short; though these frameworks streamline cross-platform development, they often sacrifice app performance because they’re not compiled into native code.
Flutter is seeing steady adoption because the framework enables developers to build high-performance native apps with fewer resources required than developing separate apps using native tooling. And, since most mobile apps are offered on multiple mobile platforms, leveraging a cross-platform development kit ensures a consistent user experience.
But there is, admittedly, a challenge with Flutter. Since Flutter hybrid apps are compiled directly into native code, there’s a perception that they’re more secure. The reality, however, is different. Attackers who know how to reverse engineer binaries can easily target Flutter apps as well. After all, these native apps still require access to operating system functionality via system libraries, which introduces additional risks.
Similar to other programming languages like Kotlin, Dart (the programming language used within the Flutter framework) generates a lot of metadata, which exposes quite a bit of sensitive data about the inner workings of the app. Malicious actors can utilize this information to reverse engineer the app.
Last, but not least, every Flutter app is shipped with the Flutter engine, which is in charge of rendering the UI, dealing with system I/O, and more. This engine can easily get swapped out by malicious actors to generate totally different app behavior without modifying the source code. If not addressed properly with application hardening, these aspects specific to Flutter could pose significant risks to app publishers.
TL;DR: Flutter is a more cost-effective way to build native apps, but since Flutter has the same attack surface as traditional mobile apps, application hardening is essential to protect against reverse engineering and tampering. These types of attacks can have a negative business impact such as financial losses, brand damage, IP theft and more.
Introducing Flutter Mobile App Protection
With the latest releases of DexGuard and iXGuard, Guardsquare enables app developers to protect their Flutter code with post-processing compiler tools. Support for Flutter, much like Guardsquare’s JavaScript obfuscator, helps development teams better protect their mobile apps, regardless of which technology they use to build them.
By leveraging Guardsquare’s protection solutions, mobile apps built on Flutter benefit from:
Several Layers of Obfuscation
Some developers consider implementing custom security measures using the app shrinker and obfuscator that ships with Flutter, but this approach provides just a single layer of protection and that is not enough to shield mobile apps. Instead, Guardsquare’s solutions automatically apply several layers of obfuscation to better protect Flutter apps from reverse engineering and static attacks.
Additionally, the protections that DexGuard and iXGuard provide are applied differently with every new build. Known as polymorphic protection, this essentially resets the clock on malicious actors with every new release of your app.
Runtime Application Self-Protection (RASP)
Along with code obfuscation to defend against static attacks, the protections inject runtime application self-protection (RASP) checks into Flutter apps as well. Guardsquare’s solutions can detect debuggers and rooted or jailbroken devices, and ensure code integrity, among others, while protected Flutter apps are actively used.
Mobile App Security Expertise
Guardsquare’s team of security experts is constantly monitoring the evolving threat landscape to stay ahead of malicious actors. Doing so allows DexGuard and iXGuard to be updated to protect your app in the ever-evolving security landscape. This level of security is time-consuming for mobile development teams to implement on their own, so it makes sense to leave it to mobile app security experts.
Get Started Fast
Best of all, it’s easy to get started. Flutter support is fully embedded in both DexGuard and iXGuard, so developers can include their Flutter security configuration in addition to the native Android (Kotlin/Java) and iOS (Swift/Objective-C) code.
Comprehensive Mobile Protection
Guardsquare delivers comprehensive security tooling for mobile application development teams. With Guardsquare’s Flutter support, DexGuard and iXGuard continue to provide developer-friendly security solutions to protect hybrid mobile apps, regardless of how they’re built and where they’re published.
*Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.