As the popularity of Flutter apps grows, for the reasons described in my previous posts, customers are asking many questions about the security of their data. It is not uncommon for clients to ask about the security measures in place during presales conversations. In this article, I will present our approach to best practices for securing Flutter applications and minimizing the risk of security exploits. Based on the OWASP Mobile Top 10 security risks, we will also explore how to address the vulnerabilities that may arise.
OWASP Mobile Application Security
The OWASP Mobile Application Security project aims to establish a security standard for mobile apps and provide a comprehensive testing guide for mobile app security testing and reverse engineering. The focus of the project is to identify and address the security vulnerabilities that are specific to mobile applications, and to provide guidance on best practices for securing mobile apps.
Improper platform usage
This risk involves the misuse of platform features or the failure to use platform security controls. It can include Android intents, platform permissions, and other platform mechanisms whose misuse could compromise the security of the application. To mitigate this risk, developers should ensure that they use platform features and security controls correctly and avoid any misuse that could result in a security breach. Examples are improper use of Android intents or platform permissions and, on iOS, misuse of Touch ID or the Keychain. To avoid this risk, what we do is:
- we follow best practices and guidelines for platform development (for every platform we target, i.e. Android and iOS in addition to Flutter)
- we limit file access permissions
- we secure configuration and code, both on the application side and backend services
- we configure our in-app services in such a way that user data is not transferred
- we encrypt and store data securely, using native/embedded mechanisms.
Our team always keeps the Flutter SDK up to date, along with all libraries used in our projects. We also keep up with the latest changes to the publishing guidelines for both Android and iOS, and with the security guidelines published by the Flutter team.
Insecure data storage
This risk involves storing sensitive data on the device in an insecure manner, making it vulnerable to attackers who can easily exploit a stolen device. Examples of insecure data storage include storing data in plain text, using weak encryption, and storing data in publicly accessible locations on the device.
To overcome this risk, developers can use secure coding techniques - like encryption - to protect sensitive data stored on the device. Additionally, they can use secure storage solutions like Android’s KeyStore and Apple’s Keychain to protect sensitive data. It is also important to avoid using poor encryption libraries, as this can leave the data vulnerable to attacks. Finally, developers should perform regular security audits and tests to identify any vulnerabilities and mitigate them before they can be exploited.
To avoid this risk, we:
- encrypt all sensitive data effectively
- use code obfuscation
- try to avoid storing and caching data, using server-side solutions as an alternative.
There is a lot of data which a mobile application can use and store or cache, like usernames, tokens, passwords, cookies, etc., but we also pay attention to other types of data that might be revealed, like application logs, messages, and other development-related material.
Insecure communication
Most mobile applications exchange data in a client-server scheme. When this communication happens, data traverses either the GSM or WiFi network and the internet. If communications lack encryption, an attacker will be able not only to steal the data, but also to execute Man-in-the-Middle (MitM) attacks. The best solutions to mitigate this threat are certainly:
- applying the SSL/TLS protocol to transport channels to encrypt data transmission
- using strong authentication methods
- implementing multi-factor authentication (MFA) to protect against unauthorized access
To protect against potential vulnerabilities, it is recommended to perform regular security audits and tests. Additionally, developers should ensure that they are using the latest security protocols and libraries, as older versions may have known vulnerabilities that can be exploited by attackers.
The most common approach to handling this risk, which we also use, is to apply a mechanism called certificate and public key pinning. Basically, it is a method that relies on verifying the server certificate on the client side. It requires the server certificate to be known to the mobile app in advance. When a connection is made with the server, the app compares the pinned certificate with the one presented by the remote server. If they are identical, the connection is valid.
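As an added example (not code from the original post or from any library the author uses), here is one way to implement leaf-certificate pinning in Dart with dart:io, which is what Flutter's HTTP clients sit on. The host name and fingerprints are placeholders, and the crypto package from pub.dev is assumed as a dependency for SHA-256:

```dart
import 'dart:convert';
import 'dart:io';

import 'package:crypto/crypto.dart'; // pub.dev package, assumed dependency

// Host name and fingerprints below are placeholders, not real values.
const String kApiHost = 'api.example.com';

// SHA-256 fingerprints (hex) of the DER-encoded leaf certificates we accept.
// Keep the current certificate AND its planned replacement, so that a server
// certificate rotation does not lock users out until the app is updated.
const Set<String> kPinnedSha256 = {
  '<placeholder: current certificate sha256 hex>',
  '<placeholder: backup certificate sha256 hex>',
};

String fingerprintOf(X509Certificate cert) =>
    sha256.convert(cert.der).toString();

/// Builds an HttpClient that only completes a TLS handshake with kApiHost
/// when the server's leaf certificate matches one of the pinned fingerprints.
HttpClient createPinnedClient() {
  // Start from an empty trust store: dart:io only invokes badCertificateCallback
  // for certificates that fail normal validation, so with no trusted roots
  // every server certificate is routed through the pin check below.
  final context = SecurityContext(withTrustedRoots: false);
  final client = HttpClient(context: context);
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    // Never relax the check for any other host.
    if (host != kApiHost) return false;
    // Accept only an exact match against a pinned fingerprint. The decision
    // is made during the handshake, before any request data is sent.
    return kPinnedSha256.contains(fingerprintOf(cert));
  };
  return client;
}

Future<String> fetchProfile(HttpClient client) async {
  // A pin mismatch surfaces as a HandshakeException while the connection is
  // opened; treat it as a possible MitM attempt, never retry without pinning.
  final request = await client.getUrl(Uri.https(kApiHost, '/v1/profile'));
  final response = await request.close();
  return response.transform(utf8.decoder).join();
}
```

Pin rotation is the usual operational trap: when the server certificate changes, an app that pins only the old fingerprint stops working until users update, which is why the set above holds a backup pin.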
Insecure Authentication
The fourth risk involves the use of weak or vulnerable authentication methods that can be easily exploited by attackers to gain unauthorized access to the application, its data, or backend services. The most common examples are low-complexity, short or dictionary passwords, storing passwords in plain text, and the use of insecure authentication protocols. What can be done to avoid the above? There are a few approaches:
- avoid local authentication methods, and push this responsibility to the server
- don't store sensitive data (like passwords) locally
- implement multi-factor authentication
As developers, we also always remember to protect our own identities. The team has developed several methods to protect its data: sensitive data like keys, keystores and configuration data is stored either locally by each developer or in encrypted form.
Client code quality
Last, but not least, is the risk involving poor coding practices. Client code quality issues arise when third-party libraries used in the project pass untrusted input into code executed by the app. Attackers can exploit those issues to execute malicious code. If the application relies on a local or remote database, SQL injection is still possible, and an SQLite database is likely not secure enough for sensitive data.
Consistent coding patterns and coding style guidelines widely accepted within the team and the organization will help improve code quality. We introduced and systematized a set of best practices in our team some time ago, and every new team member is familiarized with them during onboarding. When writing code, we pay attention to minimizing the data and functions accessible to the user. Receiving bad input is always a case for unit testing. A good code review process is also a simple mitigation method here. We can reinforce the impact of code review with static analysis tools, which can often detect poor coding practices.
Flutter security - recap
As you can see, there is a lot to think about when it comes to securing a mobile app, especially one as specific as a banking app. I went through the risks fairly briefly, but every development team focused on delivering a secure mobile application should investigate these topics very thoroughly.
Security is a crucial aspect of mobile apps, particularly those that handle sensitive financial and personal data, like fintech and banking apps. Developers must ensure that their applications are secure from potential threats.
Overall, security should be a top priority for banking and fintech companies, and especially for developers building mobile apps in Flutter. By implementing robust security measures and conducting regular security audits, they can help protect users' sensitive data and build trust with their customers.