You're Flutter App Is Insecure Do This! - Improve Flutter Application Security

Captions
In today's video I'm going to be sharing with you guys some dos and don'ts when it comes to securing your Flutter applications, and primarily we're going to be talking about four things. I'm going to be talking with you guys about how you can secure your API keys within your Flutter codebase. Then we're going to be taking a look at how you can encrypt the actual data that you store for a user on their device, so that if somehow somebody gets access to their device, that data is encrypted. We're also going to be taking a look at how your Flutter application can determine if it's been installed on a device that's been jailbroken or rooted and then stop functioning. And we're going to be taking a look at how you can obfuscate your source code so that it becomes difficult for end users to reverse engineer it and potentially see what your application is actually doing.

So to get started, let's talk about insecure API keys first. This is a big beginner mistake that a lot of people make, where they'll just hard-code their API keys into the source code and then check it into a git repo. This is a big no-no; you should never do that. What you should try to do is implement some kind of a system of using environment variables and then read those environment variables within your source code to determine what the values of your API keys are. So a rookie mistake for somebody that's doing coding in Dart would be to basically have this kind of code, and what I'm going to be doing is actually showing DartPad as an example, where they have this function main and then they hard-code the string API key into it. Now this gets checked into a git repo, and now everybody in the world knows what your actual API keys are. Even if your GitHub repo is private, it's still widely visible across all of your organization, or everybody who has access to that git repo, and if it gets hacked then you're in big trouble. So always keep your API keys secure.

So how can we go about fixing this? Well, a good way of fixing this would be to utilize some kind of a package that allows us to load environment variables from the environment that we define on our system and then basically reference it within our source code. A package that I use a lot on a regular basis for all of the Flutter projects that I build is called flutter_dotenv, and what this package basically does is that it allows you to create a file within the source code of your Flutter application and then define all of your environment variables there. Once you've done that, what you can do is actually use the dotenv package to load from that environment file all of the environment variables and their corresponding values. Then, for that .env file, you can create a .gitignore file and basically ignore that .env file from actually being committed to your git repo, and this way you're keeping your API keys secure: they're not leaving your local computer and nobody on the git repo actually has access to them. If somebody needs access to your API keys, then you can give it to them by just telling them what those API keys are, or on an enterprise level there are actually software products that are used to hold all of these secrets and then share these secrets amongst the organization. But the general principle when it comes to securing API keys is that you should never include API keys within your source code. You should always choose some kind of a mechanism of having these API keys stored in a file that does not get committed, and then implement some kind of a functionality within your source code that reads from that environment file, or whatever file that is, all of the API keys that you need. By the way, if you guys are interested in learning more about securing API keys in Flutter, such as how you can do it for iOS and Android when you need to put API keys within, let's just say, the Android manifest file or, on iOS, the Info.plist file, then just leave a comment down below letting me know that you might be interested in a video like that, and then I'll make a much more detailed video that goes into a lot more detail when it comes to securing your API keys for your Flutter application.

So the next thing that we're going to be talking about is how we can encrypt the information that our user generates from our application onto their device, so that it has to be decrypted in order to be useful. And what are the reasons you might want to do this? Well, let's just take the classic example that your user authenticates into your application using a password and an email, and when it sends this request to the server, the server returns to them a JWT. For those of you that know what a JWT is, good for you, but a quick intro to this would be that a JWT token, or JSON Web Token, is a way for a user to tell a server or a backend what their identity is. So you can imagine that you take this JWT and you save it on the user's device so that every time the user opens your app they don't have to log in again and again; you just use the JWT that they had already gotten before when they had actually logged in. So now if somebody hacks into the device, somebody gets access to the device, or something else happened and somehow they get access to the JWT, then they can perform operations on behalf of the user for whatever functionality that your app supports, and this is a big no-no. Or maybe there's another use case where you store some sensitive information about the user on the device; let's just say it's medical history. Maybe your server and your databases and how you store them might be HIPAA compliant, but your app is also storing this information on the user's device, and the basic thing that then you might want to do is to actually encrypt this information and make it more difficult to decrypt.

So how can you do this? Well, there are a couple of ways of doing this. I'm going to be sharing some packages with you that allow you to do this. So firstly I'm going to be sharing a package with you that I use a lot, and it's called Hive. It's a blazing fast NoSQL database that you can use within your Flutter applications to store data on the user's device, and this package has strong encryption built in. So if you use this package, then when you actually create a box, which in Hive terminology you can think of as a table or a box in which you put data, you can actually give it a key which can be used to encrypt or decrypt your actual data from that box, ensuring that the data integrity remains intact and that your application isn't compromised. But let's just say that for some reason you do not need a complicated solution like Hive, because maybe you're storing just two or three bits of information about the user on the device and everything else is persisted on the server. Well, in that case maybe Hive might not be a good recommendation for you, so what you can do is actually take a look at a package called flutter_secure_storage, which, as the name suggests, allows you to securely store information that's generated within your application on the user's device.

So now that we've taken a look at how we can encrypt the information on the user's device by using either a database like Hive or flutter_secure_storage, which uses the native implementations of encrypted shared preferences on Android and iOS to encrypt the user's information, let's talk about another important concept which is going to inevitably come up when you're developing Flutter applications, and that is how to make sure that your applications do not run on devices that are compromised. So what do I mean by compromised devices? Well, compromised devices are devices that are either jailbroken in the land of iOS or rooted in the world of Android, and sometimes if you are a novice developer then you might think, what's the big deal with running an application on a rooted or a jailbroken device? Well, just because of the nature of these devices being rooted or jailbroken, they provide some powers to the end users, let's just say, that allow them to bypass certain restrictions that are imposed by the operating system or the bootloader, or whatever you want to call it, on the device. One classic example of this would be, and I'm not going to be giving you an example of banking applications, but a thing that a lot of applications do on the iOS and Android app stores, and those are in-app purchases. You might not know this, but you are able to spoof in-app purchases on rooted and jailbroken devices. So if you have your application, let's just say a gym application that gives people workouts, and you have a subscription model implemented within that application, somebody can take that application, put it onto a jailbroken or rooted device, do some kind of tinkering with your application, and just because of the nature of the application running on these compromised devices, when the actual application tries to make a call for doing an in-app purchase, then what this device can do is actually spoof the in-app purchase and make it appear as if the in-app purchase was successful and that the user actually bought the actual in-app purchase. And now you can see where this is going: now the user has access to information that was locked behind the paywall without paying for it, and this is potentially going to cause your business to lose money. There are ways to go about this, where for example you can implement some kind of a server confirmation where the server also confirms that the user indeed has a subscription, but I don't want to get into that; those are complicated things. There are a lot of ways in which you can deal with these problems, but I just wanted to tell you. So what would be a good way of just determining within your Flutter application that, hey, do not start if for some reason the app is rooted or jailbroken? Well, for that there are packages that the Dart community or Flutter community has already created. One of them is flutter root detection, which is for detecting whether a device has been rooted and works for both Android and iOS, and then also flutter jailbreak detection, which can detect if an actual Android device has been rooted or if an iOS device has been jailbroken. So you can use these to your advantage, implement this within your application, and ensure that your application does not run when it's installed on a compromised device.

And finally, the last thing that I want to talk about is how you can make it difficult for people to reverse engineer your applications. Reverse engineering, basically in the simplest of terms, means that somebody takes the executable that we give them, or the app that we give them, and they try to reverse engineer or extract the source code from it so that they can better understand how our application works internally. So what can you actually do to make it difficult for people to reverse engineer your Flutter application? Well, one thing you can do is obfuscate your Dart code. Code obfuscation is the process of modifying an app's binary to make it harder for humans to understand. So I'm going to leave a link down in the description of this video to this article, where you can actually take a look at what obfuscation actually is, how it works in Dart, and how you can actually implement it within your application. But what you basically do is, when you're building your Flutter APK or IPA or app bundle, you pass it the obfuscate command line argument as well as an option for splitting the debug info, and what this basically does is that it actually obfuscates your Flutter application code, making it difficult for end users to reverse engineer it. One of the ways it does it is by actually hiding function and class names in your compiled Dart code and replacing them with symbols, and then with some other symbols, ultimately making it more difficult for an attacker to reverse engineer your proprietary application. But keep in mind that there are limitations that apply to this technique. For example, if you store secrets such as API keys within your source code, then obfuscation is not going to be a good solution for that; you need to implement some kind of another solution, like the one I suggested, where you can load secrets from an environment file. That would be a good way of going about that.

So with that said, that's pretty much it for today's video. I hope that you enjoyed what I had to say in today's video. If you enjoy talks like these, where I talk more about general principles of software engineering or things that are a bit different from simple plain old tutorials, then please do leave a like on the video; this kind of gives me a signal as to whether you guys are enjoying these videos or not. And as always, stay happy, stay healthy, keep learning, keep growing, and I'll see you guys in the next video. Bye-bye.
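An added example, not code from the video, that puts the first two points together in Dart: the API key is read from a git-ignored .env through flutter_dotenv, and the login JWT is written only into a Hive box whose AES key is generated once and held in flutter_secure_storage rather than in source. The package names are the ones the video mentions; the variable name API_KEY, the box name and the keystore entry name are assumptions.

```dart
// Added example (not the video's code). Assumes pubspec.yaml depends on
// flutter_dotenv, hive_flutter and flutter_secure_storage, lists .env as an
// asset, and that the git-ignored .env contains: API_KEY=<placeholder>
import 'dart:convert';

import 'package:flutter/widgets.dart';
import 'package:flutter_dotenv/flutter_dotenv.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive_flutter/hive_flutter.dart';

const _secure = FlutterSecureStorage();
const _hiveKeyEntry = 'hive_box_key'; // assumed name of the keystore entry

/// The API key comes from the loaded .env, never from a string literal.
/// Failing loudly beats silently sending an empty key to the backend.
String apiKey() {
  final key = dotenv.env['API_KEY'];
  if (key == null || key.isEmpty) {
    throw StateError('API_KEY missing from .env');
  }
  return key;
}

/// 256-bit AES key for the Hive box: generated on first run and kept in the
/// platform keystore via flutter_secure_storage; later runs reuse it.
Future<List<int>> boxKey() async {
  final stored = await _secure.read(key: _hiveKeyEntry);
  if (stored != null) return base64Url.decode(stored);
  final fresh = Hive.generateSecureKey();
  await _secure.write(key: _hiveKeyEntry, value: base64UrlEncode(fresh));
  return fresh;
}

/// Opens the encrypted session box and saves the JWT returned by login,
/// so the token is never written to disk in the clear.
Future<Box<String>> storeSessionToken(String jwt) async {
  final box = await Hive.openBox<String>(
    'session', // assumed box name
    encryptionCipher: HiveAesCipher(await boxKey()),
  );
  await box.put('jwt', jwt);
  return box;
}

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();
  await dotenv.load(fileName: '.env'); // loads the git-ignored .env asset
  await Hive.initFlutter();
  await storeSessionToken('eyJ.placeholder.jwt'); // constructed stand-in for a login response
}
```

Because flutter_dotenv loads .env as a bundled asset, this keeps the key out of the repository but not out of the shipped binary, which is the same limitation the video notes for obfuscation; for release builds the flags the video describes are `flutter build apk --obfuscate --split-debug-info=build/symbols`.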
Info
Channel: Hussain Mustafa
Views: 2,264
Keywords: flutter secure api key, flutter secure application, app development, flutter firebase security rules, flutter security, flutter, flutter obfuscation, flutter jailbreak detection, flutter root detection, flutter security best practices, insecure flutter app, flutter tutorial, ios, android, flutter development, encrypt flutter app, secure flutter storage, flutter tips and tricks, best practices flutter
Id: 2V90-4O9QOg
Length: 11min 36sec (696 seconds)
Published: Wed Nov 15 2023