Secure Storage: What Flutter can do, what Flutter could do

Last updated 5 months ago

Recently, the Talsec team has dedicated time and effort to exploring different options for secure storage on the Flutter platform. While storing data is a straightforward task, ensuring its security requires careful consideration.

This article assumes you are familiar with:

  • How data storage works on native platforms

  • Android Keystore and Keychain, and how they are used

Secure Storage Insights

RASP (Runtime Application Self-Protection): a security technique that actively defends an application by monitoring, in real time, the security state of the device and the integrity of the OS and the app.

Current popular solutions

A quick recap of what is available as of today. If you are familiar with these packages, feel free to skip to the next section.

What is the issue?

Another important consideration is that although hardware-backed keystores may offer greater resilience against key extraction, they still share one weakness with software-backed keystores: they are not immune to runtime attacks. The data (encrypted with keys held in the keystore) can still be accessed at runtime on rooted devices, through repackaged or tampered apps, or with hooking frameworks.

So we came to the conclusion that protecting data at rest on the device with software-based security combined with RASP can be good enough for many cases, and can even have considerable advantages.

What are the benefits?

By incorporating a software-backed keystore into a RASP (Runtime Application Self-Protection) solution, we can simultaneously address two critical aspects:

  1. Reliability: An enhanced RASP solution will offer a dependable keystore mechanism that does not rely on secure hardware. This means that even on devices lacking hardware-backed security features, the solution will ensure the integrity and protection of cryptographic keys.

  2. Security: As mentioned earlier, the keystore itself is still vulnerable to threats such as root access and runtime hooks. However, a keystore that closely integrates with RASP would have this problem mitigated, as it could decide whether or not to store/retrieve data based on the current security state of the device.

With the integration of a software-backed keystore, an enhanced RASP solution provides a comprehensive and reliable approach to data protection, overcoming the limitations posed by both hardware availability and compromised devices.
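The gating idea from point 2, as an added Dart illustration (not Talsec's, freeRASP's or RASP+'s code): a software-backed key-value store that consults a RASP-style security-state probe before every read or write and refuses to operate when the device is reported as compromised. The `DeviceSecurityState` type, the probe callback and the in-memory backing map are hypothetical stand-ins.

```dart
// Added illustration, not code from the article or from freeRASP/RASP+.
// `DeviceSecurityState`, the probe callback and the in-memory backing map
// are hypothetical stand-ins for a real RASP layer and a real SW keystore.
import 'dart:async';

/// Hypothetical snapshot of what a RASP layer reports about the runtime.
class DeviceSecurityState {
  final bool rooted;   // root/jailbreak detected
  final bool hooked;   // hooking framework detected
  final bool tampered; // app repackaged or signature mismatch
  const DeviceSecurityState(
      {this.rooted = false, this.hooked = false, this.tampered = false});
  bool get compromised => rooted || hooked || tampered;
}

/// Raised when the store refuses to serve a request on a compromised device.
class InsecureDeviceException implements Exception {
  final DeviceSecurityState state;
  InsecureDeviceException(this.state);
  @override
  String toString() => 'InsecureDeviceException(rooted=${state.rooted}, '
      'hooked=${state.hooked}, tampered=${state.tampered})';
}

/// Key-value store that only serves requests while the device is trusted.
class RaspGatedStore {
  final Future<DeviceSecurityState> Function() _probe; // the RASP check
  final Map<String, String> _backing = {}; // stand-in for SW-backed storage

  RaspGatedStore(this._probe);

  Future<void> _ensureTrusted() async {
    final state = await _probe(); // re-evaluated on every call, not cached
    if (state.compromised) throw InsecureDeviceException(state);
  }

  Future<void> write(String key, String value) async {
    await _ensureTrusted(); // do not persist secrets on a rooted/hooked device
    _backing[key] = value;
  }

  Future<String?> read(String key) async {
    await _ensureTrusted(); // do not hand secrets to a tampered runtime
    return _backing[key];
  }
}

Future<void> main() async {
  var state = const DeviceSecurityState(); // constructed: trusted device
  final store = RaspGatedStore(() async => state);
  await store.write('session_token', 'constructed-sample-token');
  print(await store.read('session_token')); // served while trusted
  state = const DeviceSecurityState(hooked: true); // RASP now reports a hook
  try {
    await store.read('session_token');
  } on InsecureDeviceException catch (e) {
    print('refused: $e'); // the store declines once the state changes
  }
}
```

Because the probe runs on every access rather than once at startup, a hook or root that appears mid-session is caught on the next read or write.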

What are the issues?

This solution is also not as perfect as it might look. We also have to consider the problematic parts:

  1. RASP is not unbeatable: While RASP adds an extra layer of security, it is not a universal solution that solves the problem once and for all. It just adds complexity for an attacker to deal with. Once RASP is defeated, this solution becomes a "plain" SW-backed keystore. It is also important to note that RASP cannot replace traditional security measures.

  2. HW is more secure: As mentioned earlier, a HW-backed keystore performs far better when it comes to resiliency against data extraction. Also, finding and misusing an issue in HW is much harder than finding an issue in the software implementation of a SW-backed keystore.

If you choose a SW-backed keystore, it is important to consider whether you take a traditional implementation relying on cryptography alone, or storage with an additional security layer.

It’s also about you!

What do you think? Would you rely on a SW-based secure storage SDK for Flutter with a hardcoded, obscured encryption key?

Share your thoughts and experiences in the comments below! 👇📝

The Talsec team has recently been exploring ways to enhance data security on the Flutter platform. After conducting research, we are considering adding a secure storage feature to the freeRASP and RASP+ solutions. As part of this process, we are analyzing the current state of secure storage options in Flutter and gathering insights from the community regarding their expectations for such a feature.

1️⃣ flutter_secure_storage (Flutter Package): One common choice among Flutter developers for storage is the flutter_secure_storage plugin. This plugin offers key-value storage that leverages the native APIs of the target platform (SharedPreferences, Keystore, Keychain, …) and provides a unified API for accessing them. While the data is encrypted, the current implementation of this solution is possibly vulnerable to a padding oracle attack (as mentioned in GitHub issues source #1 and source #2). This vulnerability means an attacker could decipher a message because the implementation reveals whether a ciphertext's padding is correctly aligned. However, this attack vector is theoretical and rarely applicable (there are attacks requiring less effort).

2️⃣ Hive (Dart Package): Another popular option in the Flutter community is Hive, which provides a straightforward and user-friendly API for developers. Hive is known for its lightweight nature and fast performance, making it a reliable choice for storage in Flutter applications. Additionally, Hive offers built-in support for data encryption, specifically AES-256. When using encryption with Hive, note that you must provide the encryption key yourself, so where you store the key and how you handle it securely is crucial.

3️⃣ sqflite (Flutter Package): sqflite is a Flutter package that simplifies the creation and management of local application databases by using the SQLite database engine. With sqflite, developers can easily handle tasks such as storing user preferences, caching data, and managing structured information in their Flutter applications. Additionally, sqflite offers integration with SQLCipher, which encrypts the database to protect sensitive information. An encrypted database is initialized with a password. It is crucial to handle this password securely and not hardcode it: hardcoded keys are visible in a reverse-engineered app.
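The key-handling caveat raised for both Hive (2️⃣) and the sqflite/SQLCipher password (3️⃣), as an added Dart example that is not part of the article or of either package's own documentation: the key is generated once on the device, kept in the platform keystore/keychain through flutter_secure_storage, and is never present in the source. The secure-storage entry name `hive_box_key` and the box name are assumptions; the same provisioning function can hold an SQLCipher password instead of a Hive key.

```dart
// Added example, not from the article. Uses the public APIs of the
// flutter_secure_storage and hive_flutter packages; the entry name
// `hive_box_key` and the box name `secrets` are assumptions.
import 'dart:convert';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive_flutter/hive_flutter.dart';

const _keyName = 'hive_box_key'; // assumed name of the secure-storage entry

/// Returns the 32-byte Hive key, generating and persisting it on first use.
/// Nothing here is hardcoded: the key is random per installation and lives
/// only in the platform-backed secure storage (Keystore/Keychain).
Future<List<int>> loadOrCreateHiveKey(FlutterSecureStorage secure) async {
  final stored = await secure.read(key: _keyName);
  if (stored != null) {
    final key = base64Url.decode(stored);
    if (key.length != 32) {
      // A damaged entry would make every existing box unreadable; fail
      // loudly instead of silently generating a new key over it.
      throw StateError('stored Hive key has ${key.length} bytes, expected 32');
    }
    return key;
  }
  final key = Hive.generateSecureKey(); // 32 cryptographically random bytes
  await secure.write(key: _keyName, value: base64Url.encode(key));
  return key;
}

/// Opens (or creates) an AES-256 encrypted box using the provisioned key.
Future<Box<String>> openEncryptedBox(String name) async {
  const secure = FlutterSecureStorage();
  final key = await loadOrCreateHiveKey(secure);
  return Hive.openBox<String>(name, encryptionCipher: HiveAesCipher(key));
}

Future<void> main() async {
  await Hive.initFlutter();
  final box = await openEncryptedBox('secrets'); // assumed box name
  await box.put('refresh_token', 'constructed-sample-value');
  await box.close();
}
```

Reverse-engineering the app binary then yields no key material; an attacker must instead reach the keystore-protected entry at runtime, which is exactly the situation the RASP discussion above addresses.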

We realised that while hardware-backed keystores are available on most devices, there are still many devices that lack this feature (especially on Android). Additionally, some devices have problems with hardware-backed keystores due to manufacturer-provided software: these keystore implementations either fail to perform their intended function or fall back to software-backed solutions anyway.
