Keynote: 20 Minutes to Banking-Grade Security with Mateusz Wojtczak (LeanCode)

The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high-stakes sectors like banking, fintech, and e-government.

Mateusz Wojtczak, Head of the Flutter department at LeanCode, delivered a keynote sharing the company's experience and developer-centric perspective on using Flutter in highly regulated and secure environments, such as banking and fintech. LeanCode is a leading software house in the "Flutter bubble" and a member of the Polish Banking Association, and builds large-scale Flutter apps, including banking and fintech applications.

The Security Concerns Around Cross-Platform

There is prevailing skepticism that cross-platform technology is "implicitly much less trusted" compared to native development. When working with clients, consultants, or performing code audits, LeanCode frequently encounters objections such as, "Flutter is not native, so Flutter is not secure."

This misconception stems from misunderstanding what Flutter actually is. Flutter is an open-source framework for building "beautiful natively compiled multiplatform apps from a single codebase." A Flutter app is not a "glorified web view" or interpreted JavaScript code. Instead, it compiles Dart code into native machine code, which ships inside a standard Android host app written in Kotlin or an iOS host app written in Swift.

Key security-relevant features of the Dart language include:

  • Compilation: Dart compiles to native machine code, improving performance and making it harder to reverse engineer than bytecode or an intermediate language.

  • Type Safety and Concurrency: Dart is type-safe, null-safe, and garbage-collected. Its simple concurrency model only allows passing messages between isolates, with no shared mutable memory, which helps developers avoid the data races and shared-memory bugs that lead to vulnerabilities in other runtimes.
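To make the isolate model concrete, the following is an added example (not code from the talk or from LeanCode) showing that a worker isolate receives a copy of the data it is given, so mutating it in the worker cannot affect the caller. The byte list is constructed sample data; `Isolate.run` is the standard `dart:isolate` API and requires Dart 2.19 or later.

```dart
import 'dart:isolate';

/// Constructed sample data standing in for something sensitive the main
/// isolate owns and does not want another thread of execution to alter.
List<int> makeBuffer() => List<int>.generate(8, (i) => i);

/// Runs a small computation in a separate isolate.
/// Isolate.run sends the closure (and whatever it captures) to the new
/// isolate as a message, which means the captured list is copied, not shared.
Future<int> checksumInWorker(List<int> buffer) {
  return Isolate.run(() {
    // This writes to the worker's private copy only.
    buffer[0] = 255;
    return buffer.fold<int>(0, (acc, b) => (acc + b) & 0xff);
  });
}

Future<void> main() async {
  final buffer = makeBuffer();
  final checksum = await checksumInWorker(buffer);
  print('worker checksum: $checksum');
  // The caller's list is unchanged: the worker never had a reference to it.
  print('main buffer first byte still zero: ${buffer[0] == 0}');
}
```

`Isolate.spawn` with a `SendPort`/`ReceivePort` pair is the lower-level form of the same mechanism and has the same copy semantics; the one deliberate exception is `TransferableTypedData`, which moves ownership of a byte buffer to the receiver instead of copying it, so the sender can no longer touch it either way.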

  • No Reflection: Dart lacks reflection, preventing access to runtime type information and reducing the risk of certain coding mistakes that could lead to vulnerabilities.

Real-World Banking Experience with Flutter

LeanCode began working with Flutter in 2021 on a project for the Polish branch of Crédit Agricole. The bank boldly chose to go "full Flutter" for their new mobile banking app, even though the platform was less mature at the time. The resulting application, now among the top-ranked mobile banking apps in Poland, had to meet strict non-functional requirements, particularly around security.

Experience from this and other banking projects, including one for Virgin Money in the UK, led to several key security observations:

  • Code and Runtime Integrity: Dart's Ahead-of-Time (AOT) compilation and obfuscation proved very effective. Penetration testing revealed no issues with code injection or Dart runtime vulnerabilities.

  • Networking Stack Security: Flutter's default HTTP client uses Dart's own networking stack rather than the platform's, which initially concerned penetration testers. However, teams successfully implemented SSL pinning (domain, root, and intermediate certificates) and public key pinning. The HTTP client API also lets developers switch to native HTTP stacks such as OkHttp on Android or the iOS clients, or reuse the bank's existing core HTTP client libraries.
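As an added example of pinning on Dart's own networking stack (this is not code from the talk, LeanCode, or any bank), the block below builds a `dart:io` `HttpClient` in two pinned configurations: one that trusts only the bank's own root CA, and one that pins the leaf certificate by SHA-256 hash. The hostname, the PEM block, and the expected hash are constructed placeholders; `package:crypto` is assumed to be a dependency for `sha256`.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:crypto/crypto.dart'; // assumption: package:crypto in pubspec

// Constructed placeholder: SHA-256 (hex) of the DER-encoded leaf certificate
// the app expects. Take it from the real certificate at build time; never
// accept a pin value that arrives over the network.
const String kExpectedLeafSha256 =
    '0000000000000000000000000000000000000000000000000000000000000000';

// Constructed placeholder for the bank's private root CA in PEM form.
const String kBankRootPem = '''
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA
-----END CERTIFICATE-----
''';

/// Variant A, root pinning: drop the built-in trust store and trust only the
/// bank's root, so a chain issued by any other CA fails normal validation.
HttpClient clientPinnedToBankRoot() {
  final ctx = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(utf8.encode(kBankRootPem));
  return HttpClient(context: ctx)
    // Never "rescue" a certificate the chain check already rejected.
    ..badCertificateCallback = (cert, host, port) => false;
}

/// Variant B, leaf pinning: with no trusted roots every certificate fails the
/// chain check, so badCertificateCallback fires for each one and the hash
/// comparison becomes the only acceptance criterion. Note that dart:io hands
/// the callback the leaf certificate only, not the full chain.
HttpClient clientPinnedToLeaf(String expectedSha256) {
  final ctx = SecurityContext(withTrustedRoots: false);
  return HttpClient(context: ctx)
    ..badCertificateCallback = (X509Certificate cert, String host, int port) {
      final actual = sha256.convert(cert.der).toString();
      return actual == expectedSha256;
    };
}

Future<void> main() async {
  final client = clientPinnedToLeaf(kExpectedLeafSha256);
  try {
    final request = await client.getUrl(
      Uri.https('api.example-bank.invalid', '/v1/balance'), // placeholder host
    );
    final response = await request.close();
    print('status ${response.statusCode}');
  } on HandshakeException catch (e) {
    // Pin mismatch or untrusted chain: fail closed and show a generic error.
    print('TLS handshake rejected: $e');
  } finally {
    client.close();
  }
}
```

Two practical caveats: leaf pinning ties the app to one certificate, so every rotation needs an app update or a pinned backup, which is why the talk's teams also pinned at the root and intermediate levels; and because the callback sees only the leaf, intermediate pinning has to be done through the `SecurityContext` trust set rather than in the callback.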

  • Leveraging Native APIs: Secure Flutter apps depend heavily on native functionality. Plugins such as flutter_secure_storage utilize native key stores, encrypted shared preferences on Android, and the iOS keychain. Biometrics, secure enclave encryption, and third-party SDKs for fraud detection or KYC all rely on the same native APIs as traditional apps. Developers must understand the native implementation behind each package.

  • RASP Integration: Multiple Runtime Application Self-Protection (RASP) providers have integrated with Flutter. While most RASP features are native, some providers initially flagged false positives on Flutter apps. Talsec, however, supports Flutter as a "first-class citizen," offering a RASP solution aligned with Flutter's security considerations.

The Core Insight: Security Depends on the Code, Not the Technology

Code audits often reveal vulnerabilities unrelated to Flutter itself. Common issues include:

  • Insecure Data Storage: Storing sensitive data in public files or unencrypted shared preferences.

  • Misuse of Biometrics: Using biometrics only as a local yes/no check without encrypting the data they are meant to protect. This can weaken security, for example when an app stores the user's password locally and puts a biometric prompt in front of it, which gives the appearance of protection while the password itself sits unprotected.

  • Logging and Credentials: Logging sensitive information or storing passwords insecurely.
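The three audit findings above, together with the secure-storage point from the banking experience section, are illustrated below as an added example (not code from the talk or from LeanCode): the insecure pattern first, then its hardened counterpart. It assumes the `shared_preferences`, `flutter_secure_storage` (5.x to 9.x API) and `local_auth` (2.x API) packages; the key names and log messages are constructed.

```dart
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';
import 'package:shared_preferences/shared_preferences.dart';

// ---------- Before: the patterns code audits keep flagging ----------

Future<void> insecureLogin(String user, String password, String token) async {
  final prefs = await SharedPreferences.getInstance();
  // Plaintext XML/plist on disk, readable from a backup or a rooted device.
  await prefs.setString('password', password);
  await prefs.setString('session', token);
  // Secrets land in the system log, visible to anyone with logcat access.
  print('login ok user=$user password=$password token=$token');
}

Future<String?> insecureUnlock() async {
  final ok = await LocalAuthentication().authenticate(localizedReason: 'Unlock');
  if (!ok) return null;
  // The biometric prompt only gated a boolean; the password was never protected.
  return (await SharedPreferences.getInstance()).getString('password');
}

// ---------- After: hardened form ----------

/// Backed by the Android keystore (via EncryptedSharedPreferences) and the
/// iOS keychain; the item is unavailable until the device has been unlocked
/// once after boot and is not migrated to another device.
final FlutterSecureStorage _storage = FlutterSecureStorage(
  aOptions: const AndroidOptions(encryptedSharedPreferences: true),
  iOptions: const IOSOptions(
    accessibility: KeychainAccessibility.first_unlock_this_device,
  ),
);

Future<void> secureLogin(String user, String token) async {
  // Never persist the password; keep only a revocable, server-issued token.
  await _storage.write(key: 'session', value: token);
  // Log the event, not the credential.
  print('login ok user=$user');
}

Future<String?> secureUnlock() async {
  final ok = await LocalAuthentication().authenticate(
    localizedReason: 'Confirm it is you to open the app',
    options: const AuthenticationOptions(biometricOnly: true, stickyAuth: true),
  );
  if (!ok) return null;
  // What the prompt now guards is a short-lived token in hardware-backed
  // storage, not the user's password in a plain preferences file.
  return _storage.read(key: 'session');
}
```

The hardened version removes the password from the device entirely and moves the remaining secret into platform-protected storage, which is what the talk means by relying on native APIs behind the plugin. It does not by itself bind the secret to the biometric: in Dart the `authenticate` call is still a boolean, so where a regulator or threat model requires the key material to be unusable without a fresh biometric, the key has to be created natively with a user-authentication requirement (Android keystore `setUserAuthenticationRequired`, iOS keychain access control) and reached through a plugin or platform channel that honours it; that is an assumption about the native layer, not something the Dart packages above provide.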

Ultimately, security depends on how code is written, not on the technology used. Applications built with JavaScript or web views can be secure, and native apps can be insecure. Every line of code must be evaluated for security, because tests only reveal weaknesses; they do not create security.

Thank you, Mateusz and the LeanCode team, for sharing your experience with Flutter in high-security environments. Your insights demonstrate that cross-platform development can achieve the same level of security as native apps when code is written thoughtfully.
