The Open Web Application Security Project (OWASP) publishes a summary of the top ten security risks for mobile apps (the 2016 list). We will walk through some of these risks and how to mitigate them in your app.

Authentication

Flutter provides developers with secure and trusted authentication plugins that let you integrate sign-in and social features into your app.

To secure your app's authentication, use only these officially sanctioned plugins instead of handling authentication yourself. For instance, if you need to authenticate with Google, use Google Sign-In.

Secure Data Storage

Shared Preference

Flutter provides a plugin for accessing preferences on a device, which wraps NSUserDefaults on iOS and SharedPreferences on Android. These APIs give you persistent storage, but not encrypted storage.

Never use shared preferences to store sensitive data (such as passwords or PINs).

In-memory Data Cache

If your app is like most apps, you have an in-memory cache so that you do not have to fetch data from the slow network all the time. One of the core security principles states that you should keep only the data that you need, so think carefully about why you are keeping any piece of data around.

Set up a timer to periodically remove expired entries from the data cache.

Flutter also notifies the app when it is about to enter the background. You can use that notification to set up an additional timer that clears the cache completely after the user presses the home button on iOS or Android.
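The following is an added example, not code from the original post or from the Flutter project, of the cache described above: entries carry an expiry time, a periodic Timer sweeps expired entries, and the app lifecycle notification (AppLifecycleState.paused) starts a second timer that wipes the whole cache shortly after the app goes to the background. The class name ExpiringCache and the default intervals are assumptions for illustration.

```dart
import 'dart:async';

import 'package:flutter/widgets.dart';

/// In-memory cache (hypothetical name) whose entries expire after [ttl].
/// A periodic timer sweeps expired entries, and the whole cache is dropped
/// [backgroundGrace] after the app is paused (home button pressed).
class ExpiringCache<K, V> with WidgetsBindingObserver {
  ExpiringCache({
    required this.ttl,
    Duration sweepInterval = const Duration(minutes: 1),
    this.backgroundGrace = const Duration(seconds: 30),
  }) {
    _sweeper = Timer.periodic(sweepInterval, (_) => evictExpired());
    // Requires WidgetsFlutterBinding.ensureInitialized() or runApp() first.
    WidgetsBinding.instance.addObserver(this);
  }

  final Duration ttl;
  final Duration backgroundGrace;
  final Map<K, _Entry<V>> _entries = {};
  late final Timer _sweeper;
  Timer? _backgroundTimer;

  void put(K key, V value) {
    _entries[key] = _Entry(value, DateTime.now().add(ttl));
  }

  /// Returns the cached value, or null if absent or already expired.
  /// Expired entries are removed on read, so a stale value is never served
  /// even if the sweeper has not run yet.
  V? get(K key) {
    final entry = _entries[key];
    if (entry == null) return null;
    if (entry.isExpired) {
      _entries.remove(key);
      return null;
    }
    return entry.value;
  }

  int get length => _entries.length;

  /// Periodic sweep: drop everything whose TTL has elapsed.
  void evictExpired() {
    _entries.removeWhere((_, entry) => entry.isExpired);
  }

  void clear() => _entries.clear();

  /// Flutter calls this when the app changes lifecycle state. On pause we
  /// arm a one-shot timer that wipes the cache; resuming in time disarms it.
  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    switch (state) {
      case AppLifecycleState.paused:
        _backgroundTimer?.cancel();
        _backgroundTimer = Timer(backgroundGrace, clear);
        break;
      case AppLifecycleState.resumed:
        _backgroundTimer?.cancel();
        _backgroundTimer = null;
        break;
      default:
        break;
    }
  }

  /// Stop timers, unregister the observer and drop all data.
  void dispose() {
    _sweeper.cancel();
    _backgroundTimer?.cancel();
    WidgetsBinding.instance.removeObserver(this);
    clear();
  }
}

class _Entry<V> {
  _Entry(this.value, this.expiresAt);
  final V value;
  final DateTime expiresAt;
  bool get isExpired => !DateTime.now().isBefore(expiresAt);
}
```

Create the cache once (for example in a top-level service after runApp has started) and call dispose when the owning object goes away; the grace period exists so that a quick switch to another app and back does not force a full refetch, while a phone left on the home screen ends up holding no cached data.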

Owner Privacy

It is not unusual to lend your phone to someone: a friend might want to play a game on it, or a visitor to your house might pick it up. You want to make sure that the private data in your app stays private.

Using Fingerprint / TouchID

Even when there is device-level security (such as the lock screen), app-level authentication might still be necessary if your app contains sensitive information. App-level authentication provides a second layer of protection before the content is presented.

Fingerprint is one of the most convenient and user-friendly methods of authenticating users. Even though it is less secure than a password, more users enable it because of its convenience, which raises the average number of protective measures that sit between your data and a malicious user.

Flutter provides access to Touch ID on iOS and the fingerprint sensor on Android via this plugin. If you need app-level authentication, please use it.
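As an added example (not code from the original post or from any plugin's documentation), here is a gate widget that hides its child until the user passes a biometric check and re-locks whenever the app is paused, so that a phone handed over after it was unlocked does not expose the content. The plugin name local_auth and its authenticate / AuthenticationOptions API are assumptions, since the post does not name the plugin it links to; the widget name BiometricGate is hypothetical.

```dart
import 'package:flutter/material.dart';
import 'package:local_auth/local_auth.dart'; // assumed plugin name

/// Shows [child] only after a successful biometric check; otherwise shows
/// [locked]. Tapping the locked view retries the check. (Hypothetical widget.)
class BiometricGate extends StatefulWidget {
  const BiometricGate({super.key, required this.child, required this.locked});

  final Widget child;
  final Widget locked;

  @override
  State<BiometricGate> createState() => _BiometricGateState();
}

class _BiometricGateState extends State<BiometricGate>
    with WidgetsBindingObserver {
  final LocalAuthentication _auth = LocalAuthentication();
  bool _unlocked = false;

  @override
  void initState() {
    super.initState();
    WidgetsBinding.instance.addObserver(this);
    _tryUnlock();
  }

  @override
  void dispose() {
    WidgetsBinding.instance.removeObserver(this);
    super.dispose();
  }

  /// Re-lock when the app goes to the background: the next person to pick up
  /// the phone must pass the check again, even if the device itself was
  /// never locked in between.
  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    if (state == AppLifecycleState.paused && _unlocked) {
      setState(() => _unlocked = false);
    }
  }

  Future<void> _tryUnlock() async {
    bool ok = false;
    try {
      final supported = await _auth.isDeviceSupported();
      final canCheck = await _auth.canCheckBiometrics;
      if (supported && canCheck) {
        ok = await _auth.authenticate(
          localizedReason: 'Unlock to view your private data',
          // biometricOnly: do not fall back to the device PIN/passcode here.
          options: const AuthenticationOptions(biometricOnly: true),
        );
      }
    } on Exception {
      // Cancelled prompt, lock-out, missing hardware: fail closed.
      ok = false;
    }
    if (mounted) setState(() => _unlocked = ok);
  }

  @override
  Widget build(BuildContext context) {
    if (_unlocked) return widget.child;
    return GestureDetector(onTap: _tryUnlock, child: widget.locked);
  }
}
```

The gate fails closed: any error path leaves _unlocked false, and the sensitive child is simply not built until the check succeeds, so there is no window in which it is in the widget tree but hidden.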

Securing App Window

When your app appears in the task switcher, its content is still shown to the user in a smaller window.

Task Switcher on iOS

It might be necessary to mask this content so that a malicious user cannot glean information from this screenshot, even when your app is protected by additional measures such as Touch ID.

Flutter does not provide a plugin for securing the application window, because the implementation depends heavily on native APIs and application lifecycles. Instead, we provide detailed instructions below for each OS.

On Android, this integration secures against manual screenshots and against the automatic screenshots taken for the recent-tasks history on Android 4.0 or later. It also secures against Google Now On Tap and other assistants on Android 6.0, so that when the user brings up the assistant it does not get access to the details of the widgets in your UI.

You’ll want the following imports in your main activity class:

import android.view.WindowManager.LayoutParams;

And add the following code to your main activity’s onCreate method:

getWindow().addFlags(LayoutParams.FLAG_SECURE);

That’s it!

On iOS, securing the app window is only possible on iOS 7 or later. If all you want is a black snapshot above your app, you’ll want the following code in your App Delegate:

If you want a color other than black in the switcher, you can add a subview with any background color you like, or a customized view. You’ll want the following code in your App Delegate:

Plugins and Permissions

All Flutter plugins should come with their required permissions baked into the plugin code. You should never have to add permissions to your app yourself unless your app includes native code that you have authored.