Missing Hero of Flutter World

Last updated 4 months ago

Flutter is a beautiful framework for building pretty and natively compiled mobile, web, and desktop applications. Thanks to its simplicity and developer-friendly way of building applications, it’s gaining popularity around the world. However, with great power comes great responsibility. As unlikely as it seems, Flutter applications face the same issues as their native siblings — security attacks.

Should I care about security?

The answer is yes, you should. Security engineering should always be your first step. The moment you take your development more seriously, security becomes your top concern. Whether you develop a simple attendance app or a demanding health, FinTech, or automotive application, you shouldn’t make any concessions in security, especially if you deal with personal data and/or financial transactions.

But I have heard Flutter apps aren’t susceptible to attacks or what?

You could argue that Flutter apps are rarely reverse engineered, and that even when they are, extracting anything useful is complicated. Your production build is compiled without debugging symbols, and compiled apps are usually harder to crack. Well, that’s true, for now. But first of all, this approach is nothing short of a game of hide and seek: you will be caught, and time is playing against you. And second of all, complicated does not mean impossible.

Based on our experience, the following attacks are already possible:

  • App repackaging and cloning

  • Re-publishing of tampered apps

  • Running the App in compromised OS environments (rooted/jailbroken OS, hooking app during runtime, emulators)

  • Overlay and Cloak&Dagger attacks

  • Misuse of Accessibility Services

  • Stealing of hard-coded secrets

A common sign of intrusion on a mobile device is the presence of a root user. A root user can do pretty much anything in the system. If we let our Flutter application run normally on a rooted device, we expose it to a possible attack or security breach simply because the device’s state is already compromised.

Applications need shields and swords to defend themselves — they need RASP (Runtime Application Self-Protection).

At Talsec, we noticed that the RASP solutions available at that time were in poor shape. We decided to do it our own way, and that’s how freeRASP was born, created to protect Flutter applications conveniently.

How does freeRASP for Flutter differ from its native siblings?

Cross-platform development frameworks, in general, suffer when platform-specific problems need to be solved. Sacrificing security to be able to do cross-platform development is a no-go. We already had experience with both native Android and iOS platform protection. The only question was how to do it for Flutter.

Luckily, Flutter lets you expose native APIs. If you want to expose a native API or implement a platform-specific library, you have to do the implementation for each platform separately. This means you have to understand the specifics of each platform, from low-level coding to system architecture. You have to write glue code between the native and Flutter sides, plus some API so the implementation can be reused in other projects. Finally, you have to do tons of testing and verification. In a nutshell, a long, cumbersome and exhausting process.

We decided to overcome this gap for you: we created freeRASP for Flutter. Our team did all the work you would typically need to do and shipped it to pub.dev.

What was the result?

Contributing to the Flutter community by adding a plugin to pub.dev, which led to…

This had many positive effects:

  • it made Flutter safer for everyone

  • it brought us closer to the Flutter community, so we can listen to every opinion and make our product even better

We wanted to make Flutter safer because we saw its potential. A fast world needs fast development, and that is what Flutter does perfectly well. We also want to help Flutter grow, so that more people can appreciate its advantages, and to raise awareness about security among Flutter developers. freeRASP is a real game-changer: the developer gets a nice and tidy plugin, and the user receives a secure application.

Okay, but how do I use it in my app?

Implementing freeRASP for Flutter is pretty simple. You can find the freeRASP for Flutter plugin on pub.dev, together with a step-by-step guide to help you with the implementation; if you like the plugin, don’t forget to give it a like. After importing it, you just set up some initial configuration and callbacks. And that’s it!

From now on, freeRASP has your back and produces reports for you, so you have an overview of your application’s security. Make sure you accept the email confirmation request from the system to be able to receive these reports.
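As an added illustration (this is not code from the article, nor from the plugin’s own documentation), the following Dart snippet shows what that configuration and callback wiring looks like, and how an app can react to the rooted-device case discussed above instead of running on as if nothing happened. Class and parameter names follow the freeRASP 6.x API as published on pub.dev and should be checked against the version you actually install; the package name, bundle ID, certificate hash, team ID and e-mail address are placeholders you must replace with your own values.

```dart
// Added example, not part of the original article or the plugin's docs.
// Names follow the freeRASP 6.x README on pub.dev; verify against your
// installed version. Every identifier marked "placeholder" must be replaced.
import 'package:flutter/material.dart';
import 'package:freerasp/freerasp.dart';

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();

  // 1. Describe the legitimate build. freeRASP compares the running app
  //    against these values to spot repackaging, re-signing and installs
  //    from stores you did not publish to.
  final config = TalsecConfig(
    androidConfig: AndroidConfig(
      packageName: 'com.example.app', // placeholder
      signingCertHashes: [
        'PLACEHOLDER_BASE64_SHA256_OF_SIGNING_CERT', // placeholder
      ],
      supportedStores: ['com.sec.android.app.samsungapps'],
    ),
    iosConfig: IOSConfig(
      bundleIds: ['com.example.app'], // placeholder
      teamId: 'ABCDE12345', // placeholder
    ),
    watcherMail: 'security@example.com', // placeholder: receives the reports
    isProd: true, // must be true for release builds
  );

  // 2. Decide, per threat, what the app does. The article singles out the
  //    rooted/jailbroken device: here the app stops and shows a blocking
  //    screen for that and for the other integrity-breaking cases, and only
  //    logs the softer signals so you can tune the reaction later.
  final callback = ThreatCallback(
    onPrivilegedAccess: () => _blockApp('Rooted or jailbroken device'),
    onHooks: () => _blockApp('Runtime hooking framework detected'),
    onAppIntegrity: () => _blockApp('App has been repackaged or re-signed'),
    onUnofficialStore: () => _blockApp('Installed from an unofficial source'),
    onDebug: () => _logThreat('Debugger attached'),
    onSimulator: () => _logThreat('Running in an emulator or simulator'),
    onDeviceBinding: () => _logThreat('Device binding changed'),
  );

  // 3. Register the callbacks and start the checks before the first frame,
  //    so a compromised environment is caught before any sensitive screen.
  Talsec.instance.attachListener(callback);
  await Talsec.instance.start(config);

  runApp(const MaterialApp(
    home: Scaffold(body: Center(child: Text('Protected app'))),
  ));
}

// Soft reaction: record the signal (route it to your own logging in practice).
void _logThreat(String message) {
  debugPrint('[freeRASP] $message');
}

// Hard reaction: replace the widget tree with a blocking screen.
void _blockApp(String message) {
  _logThreat(message);
  runApp(MaterialApp(
    home: Scaffold(
      body: Center(child: Text('Security check failed: $message')),
    ),
  ));
}
```

The split between “block” and “log” is a design choice, not something the plugin imposes: which detections justify stopping the app depends on your threat model, and starting with logging for the softer signals lets you see real-world false positive rates from the reports before you tighten the reaction.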

Example of security report

This example presents a mid-sized FinTech app; the original report is available as an image (warning, big picture, ~2.29 MB).

Summary

Security is essential, even though we tend to forget about it when it comes to cross-platform applications. freeRASP provides a plugin for Flutter that solves this problem, and it’s easy to use. So what are you waiting for?

Useful links

If you want to know more about freeRASP, don’t forget to bookmark these links:

  • Medium — article about freeRASP’s features

  • GitHub repository — main repository containing all necessary information

  • pub.dev — Flutter plugin

About freeRASP in general: freeRASP — Community-driven In-App Protection and User Safety suite by Talsec, https://medium.com/geekculture/freerasp-in-app-protection-sdk-and-app-security-monitoring-service-de12d8e49400

written by Jaroslav, Flutter developer at Talsec