OWASP Top 10 For Flutter – M9: Insecure Data Storage in Flutter & Dart (cleaned copy)

Welcome back to our deep dive into the OWASP Mobile Top 10 for Flutter developers.

In earlier parts, we tackled:

In this ninth article, we focus on M9: Insecure Data Storage.

Let me start with a story that still makes me cringe.

A few years ago, I was doing a security review of a health-tracking app. I discovered that the developers stored complete medical records in a plain JSON file. No encryption. No access controls. Readable by anyone with a few minutes of physical access to the device.

The developers weren’t malicious. They simply didn’t realize that “saving to a file” on mobile isn’t like saving to a server behind a firewall.

Mobile devices get lost, stolen, backed up to cloud services, and sometimes compromised by malware. Every piece of data you store becomes a potential liability.

OWASP M9: Insecure Data Storage addresses exactly this problem.

It’s the improper protection of sensitive data at rest. It’s also one of the most common vulnerabilities in mobile apps.

Flutter’s cross-platform nature adds an extra layer of complexity.

When you call SharedPreferences.setString(), do you know where that data ends up on Android versus iOS? Do you know who can access it?

Let’s get into it.

Source code. All code examples from this article are available as a runnable Flutter project on GitHub:

flutterengineering_examples — M9 Insecure Data Storage

Understanding the Threat Landscape

Before we get to the solutions, it helps to understand what you’re defending against.

The threat isn’t abstract. There are real people (and automated tools) that go after insecure storage.

Who’s After Your Data?

You might be surprised how many different types of attackers care about what your app stores:

Who

Motivation

Attack Method

Hackers

Data extraction, credential theft

Reverse engineering, file system access

Malicious Insiders

Privilege abuse, data exfiltration

Direct database/file access

State-Sponsored Groups

Espionage, mass surveillance

Advanced persistent threats

Cybercriminals

Financial gain, ransomware

Malware, data selling on dark web

Competitors

Corporate espionage

Supply chain attacks, insider recruitment

Data Brokers

Selling personal information

Automated scraping of insecure apps

You might think your app isn’t a big enough target to worry about.

Automated tools don’t discriminate. A script that scans backups for stored credentials doesn’t care whether your app has 1,000 users or 1,000,000.

How Attackers Get Your Data

OWASP rates exploitability for insecure data storage as EASY. That’s the highest exploitability rating.

Physical device access: even a few minutes with an unlocked device can be enough.
Rooted/jailbroken devices: sandboxes don’t help. Privileged malware can read private storage.
Backup extraction: a common blind spot. iCloud or Google backups may include app data in plain text.
Malware: can read insecure storage on rooted devices. It can also abuse backup mechanisms.
Social engineering: trick users into installing apps that harvest stored data.

What Makes Flutter Apps Vulnerable?

The security weaknesses I see most often in Flutter apps fall into predictable patterns:

Flutter Storage Mechanisms: A Security Deep Dive

Before we get to solutions, it helps to understand what Flutter actually does on each platform.

Flutter gives you several ways to store local data. Each one has a different security profile.

The bad news: three of the four most commonly used options are insecure for sensitive data.

1. SharedPreferences / NSUserDefaults

SharedPreferences is the go-to solution for simple key-value pairs in Flutter.

It’s convenient. It’s also completely insecure for sensitive data.

I see it misused constantly. Developers store auth tokens, API keys, and sometimes even passwords here.

Here’s what that misuse looks like:

// ❌ INSECURE: Storing sensitive data in SharedPreferences
import 'package:shared_preferences/shared_preferences.dart';

class InsecureStorage {
  Future<void> storeCredentials(String username, String password) async {
    final prefs = await SharedPreferences.getInstance();

    // DANGER: Plain text storage!
    await prefs.setString('username', username);
    await prefs.setString('password', password);
    await prefs.setString('auth_token', 'eyJhbGciOiJIUzI1...');
    await prefs.setString('credit_card', '4111-1111-1111-1111');
  }
}

“But wait,” you might say, “isn’t app data protected by the OS sandbox?”

Technically yes. But you still need to know where the data ends up.

On Android, SharedPreferences are stored in XML files at:

/data/data/com.example.app/shared_prefs/FlutterSharedPreferences.xml

And the contents look like this:

<?xml version="1.0" encoding="utf-8"?>
<map>
    <string name="flutter.username">john_doe</string>
    <string name="flutter.password">MySecretPassword123!</string>
    <string name="flutter.auth_token">eyJhbGciOiJIUzI1...</string>
    <string name="flutter.credit_card">4111-1111-1111-1111</string>
</map>

On iOS, NSUserDefaults are stored in plist files at:

/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences/com.example.app.plist

Both locations are easily readable on rooted/jailbroken devices, through backup extraction, or with forensic tools.

The sandbox does not protect you against those attack vectors.

The rule is simple: SharedPreferences is for preferences (dark mode, language, onboarding completed). It’s not for secrets.

Example output (what an attacker sees after extraction):

[BAD] SharedPreferences stores data in PLAIN TEXT:
[BAD]   Android → /data/data/<pkg>/shared_prefs/FlutterSharedPreferences.xml
[BAD]   iOS    → /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences/<pkg>.plist
[BAD]
[BAD] Example XML content an attacker would see:
[BAD]   <string name="flutter.username">john_doe</string>
[BAD]   <string name="flutter.password">MySecretPassword123!</string>
[BAD]   <string name="flutter.auth_token">eyJhbGciOiJIUzI1...</string>
[BAD]   <string name="flutter.credit_card">4111-1111-1111-1111</string>

2. Local File Storage

Writing files to the app’s document or cache directory is another common pattern.

Without encryption, you are creating a readable archive of sensitive data.

// ❌ INSECURE: Storing sensitive files without encryption
import 'dart:convert';
import 'dart:io';
import 'package:path_provider/path_provider.dart';

class InsecureFileStorage {
  Future<void> saveUserProfile(Map<String, dynamic> profile) async {
    final directory = await getApplicationDocumentsDirectory();
    final file = File('${directory.path}/user_profile.json');

    // DANGER: Plain JSON with sensitive data!
    await file.writeAsString(jsonEncode(profile));
    // Contains: SSN, date of birth, address, etc.
  }

  Future<void> saveMedicalRecords(List<Map<String, dynamic>> records) async {
    final directory = await getApplicationDocumentsDirectory();
    final file = File('${directory.path}/medical_records.json');

    // DANGER: Health data unencrypted!
    await file.writeAsString(jsonEncode(records));
  }
}

I’ve seen this in production apps handling financial data, medical records, and legal documents.

The developers assumed that because the file was in “their app’s directory,” it was safe. It wasn’t.

Example output (plain JSON an attacker reads):

[BAD] Writing user profile as PLAIN JSON (no encryption):
[BAD]   File: <documents>/user_profile.json
[BAD]   Content:
[BAD]     {
[BAD]       "name": "John Doe",
[BAD]       "ssn": "123-45-6789",
[BAD]       "dob": "1990-01-15",
[BAD]       "address": "123 Main St, Springfield"
[BAD]     }
[BAD]
[BAD] Writing medical records as PLAIN JSON (no encryption):
[BAD]   File: <documents>/medical_records.json
[BAD]   Content:
[BAD]     [
[BAD]       {
[BAD]         "diagnosis": "Type 2 Diabetes",
[BAD]         "medication": "Metformin 500mg"
[BAD]       },
[BAD]       {
[BAD]         "diagnosis": "Hypertension",
[BAD]         "medication": "Lisinopril 10mg"
[BAD]       }
[BAD]     ]
[BAD]
[BAD] ⚠️  Anyone with device access can read this data!

3. SQLite Databases

Databases feel more “serious” than JSON or SharedPreferences.

But without encryption, they’re just as vulnerable.

// ❌ INSECURE: Unencrypted SQLite database
import 'package:sqflite/sqflite.dart';
import 'package:path/path.dart';

class InsecureDatabase {
  Database? _database;

  Future<Database> get database async {
    if (_database != null) return _database!;

    final dbPath = await getDatabasesPath();
    _database = await openDatabase(
      join(dbPath, 'user_data.db'), // Plain, unencrypted!
      version: 1,
      onCreate: (db, version) async {
        await db.execute('''
          CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT,
            password_hash TEXT,  -- Still sensitive!
            ssn TEXT,            -- DANGER: Plaintext SSN
            credit_score INTEGER,
            bank_account TEXT
          )
        ''');
      },
    );
    return _database!;
  }
}

The database file at /data/data/com.example.app/databases/user_data.db can be extracted and opened with any SQLite viewer.

Example output (what an attacker dumps):

[BAD] Unencrypted SQLite database:
[BAD]   Path: /data/data/<pkg>/databases/user_data.db
[BAD]
[BAD]   CREATE TABLE users (
[BAD]     id INTEGER PRIMARY KEY,
[BAD]     username TEXT,
[BAD]     password_hash TEXT,   -- still sensitive!
[BAD]     ssn TEXT,             -- DANGER: Plaintext SSN
[BAD]     credit_score INTEGER,
[BAD]     bank_account TEXT
[BAD]   );
[BAD]
[BAD]   Example row an attacker extracts:
[BAD]   | john_doe | $2b$10$Kx... | 123-45-6789 | 750 | 9876543210 |
[BAD]
[BAD] ⚠️  Database file readable with: sqlite3 user_data.db ".dump"

4. Application Logs

Debug logging that felt harmless during development can persist in production builds.

It can leak sensitive information.

// ❌ INSECURE: Logging sensitive data
import 'dart:convert';
import 'dart:developer';

class AuthService {
  Future<void> login(String email, String password) async {
    // DANGER: Credentials in logs!
    print('Login attempt: email=$email, password=$password');

    try {
      final response = await _apiClient.post('/auth/login', {
        'email': email,
        'password': password,
      });

      // DANGER: Token in logs!
      print('Login successful! Token: ${response.token}');
      log('User data: ${jsonEncode(response.user)}');
    } catch (e) {
      // DANGER: Error might contain sensitive data
      print('Login failed: $e');
    }
  }
}

Example console output (credentials visible to anyone with ADB — Android Debug Bridge):

[BAD] Login attempt: [email protected], password=s3cretP@ss!
[BAD] Got token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkw.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
[BAD] API Key: sk-live-abc123xyz789
[BAD] User data: {email: [email protected], ssn: 123-45-6789, password: secret123}

Platform-Specific Secure Storage

So what should you use instead?

Both Android and iOS provide solid secure storage mechanisms. The key is knowing how to use them properly from Flutter.

Android: The Keystore System

Android’s Keystore system is the gold standard for secure storage.

It provides hardware-backed cryptographic key storage. Encryption keys never leave a secure hardware module.

What makes Android Keystore special:

Feature

Description

Hardware Backing

Keys stored in TEE (Trusted Execution Environment) or StrongBox (Pixel, Samsung Knox)

Key Extraction Prevention

Private keys never leave secure hardware

User Authentication

Can require biometrics/PIN before key use

Key Attestation

Verify key properties with signed certificate chain

Usage Restrictions

Limit key to specific algorithms/purposes

When you use flutter_secure_storage on Android, your values are encrypted with keys protected by hardware security.

Even if an attacker extracts the encrypted blob, they can’t decrypt it without access to the secure hardware.

iOS: Keychain Services

iOS uses Keychain Services for key management and secret storage.

You put secrets in. iOS keeps them encrypted with hardware-protected keys.

On devices with a Secure Enclave, cryptographic keys created with kSecAttrTokenIDSecureEnclave never leave that hardware.

General Keychain items are protected by the device’s Data Protection keys. They are not stored inside the Enclave.

One of the most important decisions on iOS is choosing the right accessibility level.

It determines when your data can be accessed and whether it’s included in backups:

Level

Description

Use Case

WhenPasscodeSetThisDeviceOnly

Most restrictive; deleted if passcode removed

Highly sensitive (banking credentials)

WhenUnlockedThisDeviceOnly

Accessible only when unlocked, not backed up

Session tokens, temporary secrets

WhenUnlocked

Accessible when unlocked, backed up

User preferences with sensitive elements

AfterFirstUnlockThisDeviceOnly

Accessible after first unlock, not backed up

Background sync credentials

AfterFirstUnlock

Accessible after first unlock, backed up

Push notification tokens

For most sensitive data, prefer AfterFirstUnlockThisDeviceOnly.

It’s strong protection and still supports background operations.

Implementing Secure Storage in Flutter

Using flutter_secure_storage

flutter_secure_storage is the standard solution for secure storage in Flutter.

It provides a unified API. It uses Android Keystore on Android and iOS Keychain on iOS.

// ✅ SECURE: Using flutter_secure_storage
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

class SecureStorageService {
  late final FlutterSecureStorage _storage;

  SecureStorageService() {
    _storage = const FlutterSecureStorage(
      aOptions: AndroidOptions(
        encryptedSharedPreferences: true,
      ),
      iOptions: IOSOptions(
        accessibility: KeychainAccessibility.passcode,
        synchronizable: false,
      ),
    );
  }

  Future<void> storeAuthToken(String token) async {
    await _storage.write(key: 'auth_token', value: token);
  }

  Future<String?> getAuthToken() async {
    return _storage.read(key: 'auth_token');
  }

  Future<void> clearAll() async {
    await _storage.deleteAll();
  }

  Future<bool> hasKey(String key) async {
    return _storage.containsKey(key: key);
  }
}

Secure Database with SQLCipher

If you need structured storage, plain SQLite isn’t enough.

sqflite_sqlcipher provides transparent encryption using SQLCipher.

Store the database key in secure storage. Don’t hardcode it.

// ✅ SECURE: Encrypted SQLite database
import 'dart:math';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:path/path.dart';
import 'package:sqflite_sqlcipher/sqflite.dart';

class SecureDatabase {
  Database? _database;
  final _secureStorage = const FlutterSecureStorage();
  static const _dbKeyStorageKey = 'database_encryption_key';

  Future<String> _getDatabaseKey() async {
    String? key = await _secureStorage.read(key: _dbKeyStorageKey);

    if (key == null) {
      key = _generateSecureKey(32);
      await _secureStorage.write(key: _dbKeyStorageKey, value: key);
    }

    return key;
  }

  String _generateSecureKey(int length) {
    const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#\$%^&*';
    final random = Random.secure();
    return List.generate(length, (_) => charset[random.nextInt(charset.length)]).join();
  }

  Future<Database> get database async {
    if (_database != null) return _database!;

    final dbPath = await getDatabasesPath();
    final encryptionKey = await _getDatabaseKey();

    _database = await openDatabase(
      join(dbPath, 'secure_user_data.db'),
      version: 1,
      password: encryptionKey,
      onCreate: (db, version) async {
        await db.execute('''
          CREATE TABLE sensitive_data (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            data_type TEXT NOT NULL,
            encrypted_value TEXT NOT NULL,
            created_at INTEGER NOT NULL,
            updated_at INTEGER NOT NULL
          )
        ''');
        await db.execute('CREATE INDEX idx_data_type ON sensitive_data(data_type)');
      },
    );

    return _database!;
  }

  Future<void> close() async {
    await _database?.close();
    _database = null;
  }
}

Secure File Storage

Sometimes you need to store documents, exports, or larger blobs.

Encrypt the file content. Store the encryption key in secure storage.

// ✅ SECURE: Encrypted file storage
import 'dart:convert';
import 'dart:io';
import 'dart:math';
import 'dart:typed_data';
import 'package:encrypt/encrypt.dart' as encrypt;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:path_provider/path_provider.dart';

class SecureFileStorage {
  final _secureStorage = const FlutterSecureStorage();
  static const _fileKeyStorageKey = 'file_encryption_key';

  Future<encrypt.Key> _getEncryptionKey() async {
    String? keyBase64 = await _secureStorage.read(key: _fileKeyStorageKey);

    if (keyBase64 == null) {
      final key = encrypt.Key.fromSecureRandom(32);
      keyBase64 = key.base64;
      await _secureStorage.write(key: _fileKeyStorageKey, value: keyBase64);
      return key;
    }

    return encrypt.Key.fromBase64(keyBase64);
  }

  Future<void> saveEncryptedFile(String filename, String data) async {
    final key = await _getEncryptionKey();
    final iv = encrypt.IV.fromSecureRandom(16);

    final encrypter = encrypt.Encrypter(
      encrypt.AES(key, mode: encrypt.AESMode.gcm),
    );

    final encrypted = encrypter.encrypt(data, iv: iv);

    final combined = {
      'iv': iv.base64,
      'data': encrypted.base64,
    };

    final directory = await getApplicationDocumentsDirectory();
    final file = File('${directory.path}/$filename.enc');
    await file.writeAsString(jsonEncode(combined));
  }

  Future<String?> readEncryptedFile(String filename) async {
    try {
      final directory = await getApplicationDocumentsDirectory();
      final file = File('${directory.path}/$filename.enc');

      if (!await file.exists()) return null;

      final content = await file.readAsString();
      final combined = jsonDecode(content) as Map<String, dynamic>;

      final key = await _getEncryptionKey();
      final iv = encrypt.IV.fromBase64(combined['iv'] as String);
      final encrypter = encrypt.Encrypter(
        encrypt.AES(key, mode: encrypt.AESMode.gcm),
      );

      return encrypter.decrypt64(combined['data'] as String, iv: iv);
    } catch (_) {
      // Decryption failed: tampered data, wrong key, or corrupted file.
      // Avoid logging the error — it may contain ciphertext fragments.
      return null;
    }
  }

  Future<void> secureDelete(String filename) async {
    final directory = await getApplicationDocumentsDirectory();
    final file = File('${directory.path}/$filename.enc');

    if (await file.exists()) {
      final length = await file.length();
      final random = Random.secure();
      final randomData = List.generate(length, (_) => random.nextInt(256));
      await file.writeAsBytes(Uint8List.fromList(randomData));
      await file.delete();
    }
  }
}

Three things in this implementation are worth calling out:

Unique IV per encryption. Generate a fresh IV for every file. Never reuse an IV with the same key in AES-GCM.
AES-GCM mode. AES-GCM gives confidentiality and authenticity. Tampering makes decryption fail.
Secure deletion. Overwriting helps, but it is not a perfect guarantee on flash storage.

Caveat — flash storage and wear leveling: modern mobile devices use NAND flash with wear-leveling controllers. Overwriting a file does not guarantee the original physical blocks are erased.

For the strongest guarantees, rely on full-disk encryption (default on Android 10+ and all iOS devices).

Secure Storage Architecture

In a real app, you want one place where storage decisions live.

Your UI and repository layers should not touch encryption keys or platform storage APIs directly.

That concern belongs in a dedicated security layer:

Preventing Data Leakage

Secure storage protects data at rest. Sensitive information still leaks through side channels.

I’ve seen real incidents from debug logs in support tickets, screenshots in the OS app switcher, and clipboard contents harvested by other apps.

1. Secure Logging

A print() call that felt harmless can end up in support logs, ADB output, and crash reports.

Here’s a logger that makes it harder to leak secrets by accident:

// ✅ SECURE: Safe logging that strips sensitive data
import 'dart:developer' as developer;
import 'package:flutter/foundation.dart';

class SecureLogger {
  static final Set<String> _sensitiveKeys = {
    'password',
    'token',
    'secret',
    'key',
    'authorization',
    'credit_card',
    'ssn',
    'pin',
    'cvv',
  };

  static void log(String message, {Object? data}) {
    if (kReleaseMode) return;

    final sanitizedMessage = _sanitize(message);
    final sanitizedData = data != null ? _sanitizeObject(data) : null;

    developer.log(
      sanitizedMessage,
      name: 'APP',
      error: sanitizedData,
    );
  }

  static String _sanitize(String input) {
    var result = input;

    result = result.replaceAll(
      RegExp(r'eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*'),
      '[REDACTED_JWT]',
    );

    result = result.replaceAll(
      RegExp(r'\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b'),
      '[REDACTED_CARD]',
    );

    result = result.replaceAll(
      RegExp(r'\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b'),
      '[REDACTED_SSN]',
    );

    result = result.replaceAll(
      RegExp(r'password["\s:=]+[^\s,}"]+', caseSensitive: false),
      'password=[REDACTED]',
    );

    return result;
  }

  static Object? _sanitizeObject(Object obj) {
    if (obj is Map) {
      return obj.map((key, value) {
        final keyLower = key.toString().toLowerCase();
        if (_sensitiveKeys.any((k) => keyLower.contains(k))) {
          return MapEntry(key, '[REDACTED]');
        }
        return MapEntry(key, _sanitizeObject(value));
      });
    }
    if (obj is List) {
      return obj.map(_sanitizeObject).toList();
    }
    if (obj is String) {
      return _sanitize(obj);
    }
    return obj;
  }
}

2. Clipboard Security

Copied secrets sit in the system clipboard. Any app can read them.

Auto-clear the clipboard after a short period:

// ✅ SECURE: Auto-clear clipboard for sensitive data
import 'dart:async';
import 'package:flutter/services.dart';

class SecureClipboard {
  static Timer? _clearTimer;

  static Future<void> copySecure(
    String data, {
    Duration clearAfter = const Duration(seconds: 30),
  }) async {
    await Clipboard.setData(ClipboardData(text: data));

    _clearTimer?.cancel();
    _clearTimer = Timer(clearAfter, () async {
      await Clipboard.setData(const ClipboardData(text: ''));
    });
  }

  static Future<void> clear() async {
    _clearTimer?.cancel();
    await Clipboard.setData(const ClipboardData(text: ''));
  }
}

3. Screenshot Protection

For banking, health, and legal apps, you should prevent screenshots on sensitive screens.

// ✅ SECURE: Prevent screenshots of sensitive screens
import 'package:flutter/services.dart';

class ScreenshotProtection {
  static const _channel = MethodChannel('com.example.app/security');

  static Future<void> enable() async {
    await _channel.invokeMethod('enableScreenshotProtection');
  }

  static Future<void> disable() async {
    await _channel.invokeMethod('disableScreenshotProtection');
  }
}

Android implementation (MainActivity.kt):

import android.view.WindowManager
import io.flutter.embedding.android.FlutterActivity
import io.flutter.embedding.engine.FlutterEngine
import io.flutter.plugin.common.MethodChannel

class MainActivity: FlutterActivity() {
    private val CHANNEL = "com.example.app/security"

    override fun configureFlutterEngine(flutterEngine: FlutterEngine) {
        super.configureFlutterEngine(flutterEngine)

        MethodChannel(flutterEngine.dartExecutor.binaryMessenger, CHANNEL).setMethodCallHandler { call, result ->
            when (call.method) {
                "enableScreenshotProtection" -> {
                    window.setFlags(
                        WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE
                    )
                    result.success(null)
                }
                "disableScreenshotProtection" -> {
                    window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
                    result.success(null)
                }
                else -> result.notImplemented()
            }
        }
    }
}

iOS implementation (AppDelegate.swift):

import UIKit
import Flutter

@UIApplicationMain
@objc class AppDelegate: FlutterAppDelegate {
    private var securityView: UIView?

    override func application(
        _ application: UIApplication,
        didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?
    ) -> Bool {
        let controller = window?.rootViewController as! FlutterViewController
        let channel = FlutterMethodChannel(
            name: "com.example.app/security",
            binaryMessenger: controller.binaryMessenger
        )

        channel.setMethodCallHandler { [weak self] (call, result) in
            switch call.method {
            case "enableScreenshotProtection":
                self?.enableScreenshotProtection()
                result(nil)
            case "disableScreenshotProtection":
                self?.disableScreenshotProtection()
                result(nil)
            default:
                result(FlutterMethodNotImplemented)
            }
        }

        GeneratedPluginRegistrant.register(with: self)
        return super.application(application, didFinishLaunchingWithOptions: launchOptions)
    }

    private func enableScreenshotProtection() {
        NotificationCenter.default.addObserver(
            self,
            selector: #selector(hideContent),
            name: UIApplication.willResignActiveNotification,
            object: nil
        )
        NotificationCenter.default.addObserver(
            self,
            selector: #selector(showContent),
            name: UIApplication.didBecomeActiveNotification,
            object: nil
        )
    }

    private func disableScreenshotProtection() {
        NotificationCenter.default.removeObserver(
            self,
            name: UIApplication.willResignActiveNotification,
            object: nil
        )
        NotificationCenter.default.removeObserver(
            self,
            name: UIApplication.didBecomeActiveNotification,
            object: nil
        )
        showContent()
    }

    @objc private func hideContent() {
        securityView = UIView(frame: window?.bounds ?? .zero)
        securityView?.backgroundColor = .white
        window?.addSubview(securityView!)
    }

    @objc private func showContent() {
        securityView?.removeFromSuperview()
        securityView = nil
    }
}

Security Checklist

Use this right before release. It takes ~20 minutes.

Encryption

All sensitive data encrypted at rest.
Platform secure storage used (Keychain/Keystore).
Encryption keys stored securely (never hardcoded).
Strong algorithms used (for example, AES-256-GCM).

Access control

Biometric protection for critical data.
Sensitive data cleared on failed authentication attempts.
Session data expires.

Backup security

Sensitive data excluded from cloud backups.
Device-only storage for critical secrets.

Logging

No sensitive data in logs.
Production logging minimized.

Root/Jailbreak

Detection implemented.
Appropriate response to compromised devices.

Conclusion

Data storage security isn’t optional. It’s a fundamental responsibility.

Flutter gives us access to solid platform-level security through packages like flutter_secure_storage.

If you use Keystore and Keychain correctly, extracting secrets becomes dramatically harder.

Resources

PreviousDrafts NextOWASP Top 10 For Flutter – M9: Insecure Data Storage in Flutter & Dart (cleaned copy)

Last updated 5 days ago

Was this helpful?

hashtagUnderstanding the Threat Landscape

hashtagWho’s After Your Data?

hashtagHow Attackers Get Your Data

hashtagWhat Makes Flutter Apps Vulnerable?

hashtagFlutter Storage Mechanisms: A Security Deep Dive

hashtag1. SharedPreferences / NSUserDefaults

hashtag2. Local File Storage

hashtag3. SQLite Databases

hashtag4. Application Logs

hashtagPlatform-Specific Secure Storage

hashtagAndroid: The Keystore System

hashtagiOS: Keychain Services

hashtagImplementing Secure Storage in Flutter

hashtagUsing flutter_secure_storage

hashtagSecure Database with SQLCipher

hashtagSecure File Storage

hashtagSecure Storage Architecture

hashtagPreventing Data Leakage

hashtag1. Secure Logging

hashtag2. Clipboard Security

hashtag3. Screenshot Protection

hashtagSecurity Checklist

hashtagEncryption

hashtagAccess control

hashtagBackup security

hashtagLogging

hashtagRoot/Jailbreak

hashtagConclusion

hashtagResources