Securing Flutter Apps | OWASP Top 10 for mobile & RASP explained

Captions
Are you taking Flutter security very seriously? Because the Flutter team does, and so do I. According to some statistics, more than 75 percent of mobile applications will fail basic security tests. This is quite interesting: even though we are developing Flutter applications, we're still going to run on Android and iOS and different platforms, and we need to take care of the security of Flutter applications on different platforms. My name is Majid and I am a Google Developer Expert for Flutter and Dart, and in this session I'm going to walk you through Flutter security, not only Flutter security but the top 10 OWASP security risks. Let's get into it.

Flutter's security strategy is based on five key pillars. Identify: track and prioritize key security risks by identifying core assets, key threats and vulnerabilities. Detect: detect and identify vulnerabilities using techniques and tools like vulnerability scanning and static application security testing. Protect: eliminate risk by mitigating known vulnerabilities and protect critical assets against source threats. Respond: define a process to report, triage and respond to vulnerabilities or attacks. And Recover: build capabilities to contain and recover from an incident with minimal impact. In this session I'm going to actually tell you the top 10 security risks for Flutter, which is probably going to cover the detect, protect and respond categories. Let's get into these top 10.

So let me introduce you to OWASP. The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web and mobile application security. The OWASP Mobile Top 10 is a regularly updated report outlining security concerns for mobile application security, focusing on the most critical risks. In fact, if you look at the OWASP website you will see the OWASP Top 10 security risks for web, which can also be applied to Flutter applications or mobile applications. It's not like we're going to get rid of them or we're not going to cover them; we're just not going to talk about them in this session. We're going to focus on the mobile part of security, because this is the most used use case for Flutter applications, but maybe in another session or video I will come back to you with the top 10 web security risks. Let's focus on the top 10 security risks for mobile applications. This is based on the latest report by the OWASP organization.

Improper platform usage. The first item among the OWASP top 10 is improper platform usage. Platforms such as iOS, Android or Windows Phone provide different capabilities and features that you can use. If the app does not use an existing function, or even uses it incorrectly, this is called improper use. Let me give you some examples: misuse of the iOS Touch ID feature, incorrect use of the iOS Keychain, or requesting excessive or wrong platform permissions. There are different solutions that you may use to protect your application from improper platform usage, for example restricting the file access permissions, but mainly using some of the best practices and guidelines in order to adhere to the platform development use cases. In Flutter you can do several things to make sure that you are mitigating this issue. First of all, stay up to date with the latest Flutter stable; try to make sure that you update your libraries and Flutter applications; try to make sure you're following the guidelines for publishing an application properly; and regularly check the security guidelines by the Flutter team, which you can always find on docs.flutter.dev/security. Another thing that you can do in Flutter is to make sure you are using a package or plugin that can help you with permission handling, and always request only the permissions that are needed.

Insecure data storage. Insecure data storage as well as unintentional data leaks also fall under the OWASP Mobile Top 10. Mobile application penetration testing tools help uncover such problems. However, it does not necessarily have to be your SQL database; it could be manifest or log files, cookie storage or cloud synchronization that are also affected. Let me give you a couple of examples: when you're storing sensitive data unencrypted in storage, or you're storing sensitive data in shared preferences. There are a couple of solutions to fix this in different mobile application development, for example encrypting effectively, obfuscation, or protection against buffer overflow and so on, or avoiding storing sensitive data in storage that can be so visible. I mean, when we are talking about sensitive data we're talking about usernames, passwords, authentication tokens and maybe personal information that should not be part of unencrypted storage. In fact, in Flutter there are a couple of ways that you can mitigate these problems. You may use packages that heavily use the platform's native way of handling this kind of encryption for storing data; for example, flutter_secure_storage is one of those plugins that you may want to take a look at. Hive is another package that is blazingly fast and you can use it as a key-value database in your application, and it uses a very strong encryption, AES-256.

One of the common issues that I have seen is, in fact, not protecting snapshots or background snapshots well. You may ask: when should I do that? I mean, it's not necessary for many applications, but if you're building an application or a page that provides sensitive data, when it goes to the background maybe you should secure your background snapshots. You may take a look at packages such as secure_application in order to secure your background snapshots.

Insecure communication. Your app transports data from point A to point B. If this transport is insecure, the risk increases. The biggest problem is the transfer of sensitive data from one device to another. Well, let's take a look at some examples here: when you don't use encrypted data in transit, for example not using proper SSL or not using a proper CA certificate, or sending sensitive data such as a password via clear text to another point, which is going to be intercepted somewhere in the network. One of the solutions that you perhaps can use in Flutter is using packages for HTTP certificate pinning. Certificate pinning allows mobile applications to restrict communication only to servers with a valid certificate matching the expected value, or pin. The connection is then terminated immediately if communication is attempted with any server that doesn't match this expected value. You can start doing that in Flutter by using http_certificate_pinning. You should do it properly, otherwise it may even bring more security risk to your applications. Here is an example that you can take a look at in the video and see how it works; this is extracted from the certificate pinning package. Another thing is that even the unencrypted communication problem is not necessarily a mobile developer problem; still, you need to communicate that very well with your team and with anyone who is responsible for making these connections very secure.

Insecure authentication. There are many different ways that an app can provide insecure authentication. Let me give you a classic example: a classical example is a back-end API service request that the mobile app executes anonymously without relying on an access token. Additionally, there are still apps that store passwords locally in clear text. There are a couple of other examples that I can provide to give you a better understanding, like for example only relying on client-side authentication, or relying on a local authentication which may be tampered with. There are different solutions to definitely fix this: for example, avoid local authentication methods, only rely on server communication to validate these authentications, you may even implement multi-factor authentication (MFA), or disallow using 4-digit PINs as passwords where it's visible. On top of the server-client authentication that you usually do in your application, you can also add strong authentication for locally validating your user, for example adding biometrics. local_auth is a package that may help you to achieve this, but do not forget that you always need to make sure that this authentication is also validated by communicating with your server.

Insufficient cryptography. The insecure use of cryptography can be observed in most applications. Well, this is almost always one of two problems: a fundamentally flawed process behind the encryption mechanism, or the implementation of a weak algorithm. There are different solutions to mitigate this problem. So when you are going to use any type of algorithm, you need to make sure that it is still valid, and if it is deprecated due to some security risk, please do not use it. Here are some of the examples: MD5, SHA-1 or MD4. So you need to be careful for what reason you're going to use these; instead use encryption that is fully secure and valid in the industry. Another thing that I want to point out here in this section is: secure your developer identity. So in Flutter usually you are facing a key.jks, or you're facing some keystore.properties, which are very sensitive. So avoid keeping track of unencrypted sensitive data in your repository; make sure you are encrypting all of these sensitive files in your applications. You can use GPG, for example, to secure these files. Another thing is to take a look at your encryption keys in your application. You may be able to encrypt your plain text in your application using packages such as encrypt or crypto, which provide some strong algorithms to encrypt your plain text. Take a look at this and make sure you are encrypting your data properly in your Flutter application.

Insecure authorization. Unlike authentication, authorization deals with verification of an identified person; it means what this person can do. So failing to verify a user and grant a permission is a big security problem in mobile applications. Another example of this problem could be only relying on client-side authorization, which can be tampered with. The solution could be always verifying your request with the backend, or making sure you're validating the roles and permissions with a trusted server.

Poor client code quality. All vulnerabilities from code-level errors can provide attackers with a way inside. The main risk lies in the need to make localized changes to the code; in particular, insecure API usage or insecure language constructs are common problems that you need to fix directly at the code level, especially when you are integrating with third-party libraries without checking code quality. You need to be very careful about this. There are different solutions to this, like enforcing good quality practices, removing what is not needed, and performing static code analysis, for example using automated tools to test for memory leaks.

Code tampering. Code manipulation, from a technical perspective: any code on a mobile device is vulnerable to tampering. This is just because the mobile code is running in a foreign environment; it is no longer under the control of your organization, therefore there are numerous ways to modify it. There are definitely a couple of solutions here in Flutter applications that you may need to take a look at, but one interesting thing that I need to mention here is that this is a very serious problem especially when a rooting attack or jailbreaking is happening. So in Flutter applications you may use packages such as flutter_jailbreak_detection to detect these kinds of problems.

Reverse engineering. Attackers who want to understand how your application works can use reverse engineering to access all the information they need; especially metadata is a high risk. Basically, if you can clearly understand the string table of the binary, or cross-functional analysis is possible, the app is considered at high risk. De-obfuscating code, for example using tools such as IDA Pro or Hopper, is possible. So the solution here is that you need to always make sure that, as much as possible, you protect your application from being decompiled insecurely, and make sure that robust obfuscation, including metadata, is added, using binary packages to prevent attackers from decompiling code, or block debugging tools, especially in the production environment. So in Flutter you get part of the solution at least for free, out of the box: for example, for obfuscation of an APK application, in the command line if you just pass --obfuscate you will get your obfuscated application or code when you build binaries. So while Flutter takes care of your binary build out of the box, you can read about it in the documentation.

Extraneous functionality. Hidden backdoor functionalities or internal security controls are a common problem in mobile applications. The problem with them is that they're not only useful for developers but also for hackers; this allows them, for example, to disable two-factor authentication or change basic functionalities. Well, here is the thing: a developer may accidentally include a password as a comment in hybrid applications, or disable two-factor authentication during testing and actually deploy that to production mistakenly, or have a function as a back door for doing something on your application. The solution here is that you always need to examine the app's configuration settings to discover any hidden switches, verify that all test code is not included in the final production build of the application, make sure you're also deleting unwanted and unnecessary comments or functions that are opening these doors to attackers, and you also need to examine all log statements to ensure nothing descriptive about the backend is being written in the logs.

But you may ask now a question: is it possible to mitigate some of these problems on the fly, not just statically but by dynamically analyzing these problems? The answer to this could be RASP. Runtime application self-protection, or RASP, is a security solution designed to provide personalized protection to applications. It takes advantage of insights into an application's internal data and state to enable it to identify threats at runtime that may have otherwise been overlooked by other security solutions. In fact, there are five different types of attack that RASP can shine at, for example hooking, rooting, or a debugger, or using the application in an emulator environment; fingerprint tampering is also another problem that RASP can work pretty well against. Can you use that in your Flutter applications? Well, the answer is: there are different attempts to create RASP packages for Flutter. One of the best out there, which I tested and I recommend to take a look at at least, is the freeRASP package. Using this package is pretty straightforward: you will get an Android callback class which provides different properties to listen to different attacks and gives you a callback to do whatever you want, both on Android and iOS. Stay with me in this channel and I'd like to see you in the next videos.
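The certificate pinning section above warns that pinning done wrongly adds risk rather than removing it. The following is an added example, not code from the video or from the http_certificate_pinning package: it pins a server's leaf certificate using only dart:io plus the pub.dev crypto package, and shows the one configuration detail that makes or breaks a callback-based pin. The fingerprint constant is a placeholder you must replace with the real value obtained out of band.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:crypto/crypto.dart'; // pub.dev package, assumed in pubspec

// Placeholder pin: hex SHA-256 of the server's DER-encoded leaf certificate.
// Obtain the real value out of band (e.g. from whoever operates the API).
const String kExpectedCertSha256 = '<PLACEHOLDER_SHA256_HEX>';

/// Hex SHA-256 fingerprint of a DER-encoded certificate.
String sha256HexOfDer(List<int> der) => sha256.convert(der).toString();

/// Builds an HttpClient that only completes a TLS handshake with a server
/// whose leaf certificate matches [expectedSha256Hex].
HttpClient buildPinnedClient(String expectedSha256Hex) {
  // The pitfall: badCertificateCallback is only invoked for certificates
  // that FAIL normal chain validation. With the default trusted roots, a
  // valid certificate from any public CA would never reach the pin check.
  // Starting from an empty trust store forces every certificate through it.
  final context = SecurityContext(withTrustedRoots: false);
  final client = HttpClient(context: context);
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    final actual = sha256HexOfDer(cert.der);
    final ok = actual.toLowerCase() == expectedSha256Hex.toLowerCase();
    if (!ok) {
      // Log only the fingerprint, never request payloads or tokens.
      stderr.writeln('certificate pin mismatch for $host:$port: $actual');
    }
    return ok; // false => Dart terminates the connection immediately
  };
  return client;
}

/// Fetches [url] over the pinned client; a pin mismatch surfaces as a
/// HandshakeException and is never silently downgraded to an unpinned call.
Future<String> fetchPinned(Uri url) async {
  final client = buildPinnedClient(kExpectedCertSha256);
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    return await response.transform(utf8.decoder).join();
  } on HandshakeException catch (e) {
    throw StateError('TLS handshake rejected (pin mismatch?): $e');
  } finally {
    client.close();
  }
}
```

Because the pin is a whole-certificate hash, it must be rotated in the app before the server's certificate is renewed; a stale pin fails closed rather than open, which is the intended behaviour.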
Info
Channel: Majid Hajian
Views: 13,798
Keywords: Flutter, security, Flutter security, mobile security, mobile security app, app development, flutter app development, flutter tutorial, owasp mobile top 10, flutter developers, app development process, app development tutorial, owasp top 10, owasp top 10 explained with examples, owasp top 10 2022, mobile flutter, mobile flutter developer, flutter security best practices
Id: DYwn4KciL1U
Length: 21min 29sec (1289 seconds)
Published: Wed Jan 25 2023