Flutter CTO Report 2024: Flutter App Security Trends

Flutter has gained significant traction within FinTech, underscoring the crucial need for robust security measures. The platform’s popularity attracts attention from both app developers and cybercriminals. Flutter’s strong security posture, evidenced by fewer reported vulnerabilities and CVEs, makes it a solid choice for developing sensitive apps.

Flutter Built-in Security

Flutter is more resilient to decompilation than native apps. Its binary packaging offers better protection of code and hardcoded data, although the number of Flutter-specific reverse engineering tools is increasing rapidly, continually broadening the potential threat landscape (e.g., reFlutter, flutter-spy, blutter).

Common Vulnerabilities

Despite its advantages, Flutter apps are not immune to common vulnerabilities:

• Privileged Access Issues: Rooting and jailbreak concerns remain prevalent.

• Dynamic Attacks: Techniques such as hooking frameworks (e.g., Frida, Xposed) pose significant risks.

• App Cloning and Repackaging: Unauthorized duplication of apps is a persistent threat.

• TLS Pinning Bypass: Critical for defending against man-in-the-middle attacks.

• Session Hijacking and App Impersonation: Compromise user sessions and mimic legitimate apps.

• Malware: Leveraging app permissions (accessibility misuse, screen sharing, keyloggers, SMS OTP interceptors, etc.) for malicious activities.

Developer Awareness

Flutter developers must stay informed about security threats and evolving attack vectors across all supported platforms. This demands n-depth expertise and continuous learning, making app security a specialized area within software development.

Essential Security Hardening Measures

In the financial sector, regulators mandate the adoption of a range of security techniques, which can be categorized into three primary areas:

1. Runtime Application Self-Protection (RASP): Implement client-side measures to monitor and react to integrity and environment compromises.

2. API Protection: Safeguard against app impersonation using tools like Firebase App Check, attestation services, or API protection SDKs such as AppiCrypt.

3. Anti-Malware: Detects and mitigates risks posed by malicious apps on client devices.

Basic controls can often be implemented using freemium or community-supported tools. However, advanced enterprise-grade protection typically requires custom development or commercial security solutions.

Advances in Mobile Security Tools for Flutter

The proliferation of app-to-API end-to-end protection solutions (such as App Attestation, AppiCrypt, and AppCheck) is effectively countering the escalating threats from mobileoriented API abuse. These threats encompass App impersonation techniques such as botnets, password enumeration scripts, data scraping, promotional abuse, fake registrations, and phishing campaigns.

However, due to Flutter’s compiled nature, Static Application Security Testing (SAST) tools have not yet reached the level of sophistication seen in native applications. This presents a challenge in maintaining security parity with other platforms. Conversely, the advent of Software Bill of Materials (SBOM) analysis has simplified the examination of third-party dependencies, thus enhancing the thoroughness and effectiveness of security assessments.

Overall, while there are still areas needing improvement, the strides made in mobile security tools for Flutter demonstrate significant potential in safeguarding against complex and evolving threats.

Budget Considerations

App issuers should allocate 20% to 25% of development and maintenance budgets to security features. It’s crucial to recognize that due to the dynamic nature of attack vectors and operating system updates, ongoing maintenance costs for security features may be significantly higher than initially estimated.

Conclusion

Proactive security measures are not just beneficial but essential for app protection in today’s dynamic threat environment. Ensuring comprehensive security requires both strategic investment and dedicated expertise.

Written by Sergiy Yakymchuk (CEO at Talsec)