Missing Hero of Flutter World

Flutter is a beautiful framework for building pretty and natively compiled mobile, web, and desktop applications. Thanks to its simplicity and developer-friendly way of building applications, it’s gaining popularity around the world. However, with great power comes great responsibility. As unlikely as it seems, Flutter applications face the same issues as their native siblings — security attacks.

Should I care about security?

The answer is yes, you should. Security engineering should always be your first step. The moment you take your development more seriously, security becomes your top concern. Whether you develop a simple attendance app or a demanding health, FinTech, or automotive application, you shouldn’t make any concessions in security, especially if you deal with personal data and/or finance transactions.

But I have heard Flutter apps aren’t susceptible to attacks or what?

You could argue that reverse engineering of Flutter apps is not being done very often, and even if it is done, it’s complicated to get something. Your production build is compiled without debugging symbols, and compiled apps are usually harder to crack. Well, that’s true, for now. But first of all, this approach is nothing short of a hide and seek game — you will be caught, and time is playing against you. And second of all, complicated does not mean impossible.

Based on our experience, the following attacks are already possible:

• App repackaging and cloning

• Re-publishing of tampered apps

• Running the App in compromised OS environments (rooted/jailbroken OS, hooking app during runtime, emulators)

• Overlay and Cloak&Dagger attacks

• Misuse of Accessibility Services

• Stealing of hard-coded secrets

A common sign of intrusion on mobile devices is the presence of a root user. A root can do pretty much anything in the system. If we let our Flutter application work normally on a rooted device, we expose it to a possible attack/security breach just because the device’s state is compromised.

Applications need shields and swords to defend themselves — they need RASP (Runtime Application Self-Protection).

In Talsec, we noticed that RASP solutions at that time were not in good condition. We decided to do it our own way. And that’s how freeRASP was born — created to protect Flutter applications conveniently.

How does freeRASP for Flutter differ from its native siblings?

Cross-platform development frameworks, in general, suffer when platform-specific problems need to be solved. Sacrificing security to be able to do cross-platform development is a no-go. We already had experience with both native Android and iOS platform protection. The only question was how to do it for Flutter.

Luckily, in Flutter, you can expose native APIs. If you want to expose native API or implement a platform-specific library, you have to do the implementation for each platform separately. This means you have to understand the specifics of each platform — from low-level coding to system architecture specifics. You have to write a glue code between the native and Flutter side and some API to reuse implementation in other projects. Finally, you have to do tons of testing and verification. In a nutshell — long, cumbersome and exhausting process.

What was the result?

This had many positive effects:

• made Flutter safer for everyone

• getting closer with the Flutter community so that we can listen to any opinion and making our product even better

We wanted to make Flutter safer because we saw its potential. The fast world needs fast development — that’s what Flutter does perfectly well. We also want to help Flutter grow so that more people can appreciate its advantages and raise awareness about security between Flutter developers. freeRASP is a real game-changer. The developer gets a nice and tidy plugin, and the user receives a secure application.

Okay, but how do I use it in my app?

Implementation of freeRASP for Flutter is pretty simple. After initial importing, you just set up some initial configuration and callbacks. And that’s it!

From now on, freeRASP has your back covered and makes reports for you, so you have an overview of your application security. Make sure you accept an email confirmation request from the system to be able to receive these reports.

Example of security report

This example presents a mid-sized FinTech app:

Summary

Security is essential, even though we tend to forget about it when it comes to cross-platform applications. freeRASP provides a plugin for Flutter that solves this problem, and it’s easy to use. So what are you waiting for?

Useful links

If you want to know more about freeRASP, don’t forget to bookmark these links:

written by Jaroslav, Flutter developer at Talsec