How to protect Flutter app from reverse engineering

android ios flutter security cross-platform
5,769

Solution 1

I am trying to develop a payment application using Flutter, is there any way to protect my application API's and Tokens or make app reverse engineering proof.

If you are looking for bulletproof solutions in the sense they are 100% effective in preventing reverse engineering a mobile app binary to extract tokens or secrets from it then I have to tell you that unfortunately, this is not possible to achieve, but you can make it harder... How hard it will depend on the effort and resources you are willing to put in or required by law for your use case.

In the other hand protecting mobile API's from being accessed from others then a genuine instance of your mobile app it is possible to achieve with a very high degree of confidence.

How easy can it be to extract an API key from a Mobile APP?

Reverse engineering a mobile app binary to extract an API token from it is very easy with the plethora of Open-Source tools out there, as I demo in my article How to Extract an API key from a Mobile App with Static Binary Analysis:

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

Alternatively, a Man in the Middle(MitM) attack can be used to extract the same API key, and for this, we also have Open-Source tools, like mitmproxy that I demo in my article Steal that Api Key with a Man in the Middle Attack:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

Defending against Reverse Engineering

Reverse engineering is a huge topic and you can learn more about the techniques used in reverse engineering by reading the markdown file 0x04c-Tampering-and-Reverse-Engineering.md in the Github repo for the OWASP Mobile Security Testing Guide(MSTG).

You cannot make the mobile app 100% reverse engineering proof, but you can have a lot of hardening code techniques to make it more difficult and/or use some runtime self-protection mechanisms, aka RASP:

Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.

RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering.

You can read some of the possible anti-reversing defences in the OWASP MSTG repository:

So, these are all approaches that make decisions in the client-side, thus prone to be bypassed by using instrumentation frameworks, like Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

Am I telling you that is worthless to use them? No, by the contrary you should add as many layers of defences as you can afford, just like how castles from the past centuries were doing to protect against the enemy breaching the outer layers of defence.

The Difference Between WHO and WHAT is Accessing the API Server

Before I dive into how you can defend your API server I would like to first clear a misconception that usually I find among developers of any seniority, that is about the difference between who and what is accessing an API server.

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An API Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So think about the who as the user your API server will be able to Authenticate and Authorize access to the data and think about the what as the software making that request in behalf of the user.

Lockdown the API server to the Mobile App

So, anything that runs on the client-side and needs some secret to access an API server can be abused in different ways and you can learn more on this series of articles about Mobile API Security Techniques. This articles will teach you how API Keys, User Access Tokens, HMAC and TLS Pinning can be used to protect the API and how they can be bypassed.

To solve the problem of what is accessing your mobile app you need to use one or all the solutions mentioned in the series of articles about Mobile API Security Techniques that I mentioned above and accepted that they can only make unauthorized access to your API server harder to bypass but not impossible.

A better approach can be employed by using a Mobile App Attestation solution that will enable the API server to know with a very high degree of confidence that only responds to requests from a genuine mobile app. I recommend you to read this answer I gave to the question How to secure an API REST for mobile app? that goes in more detail about it.

Do You Want To Go The Extra Mile?

In any response to a security question, I always like to reference the excellent work from the OWASP foundation.

For APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Solution 2

Unfortunately, you can't. There is no way to protect a "secret" from reverse engineering if you distribute it to users. The simplest way to think about this is that a dedicated reverse engineer will be able to perfectly emulate any encryption, obfuscation, or other measures that you take. If you don't want a user to have something (such as a secret token, password, key, etc.), don't distribute it to them.

Solution 3

The reverse engineering protection is a gargantuan task since you have to cover both iOS and Android world specifics. Unless you decide to implement your own solution, there are various libraries (freeRASP, flutter_jailbreak_detection) solving this issue also. The downside is that if someone cracks (eg. Frida script, Magisk plugin) the library, all apps which depend on it are vulnerable also. Eg. many reverse engineering toolkits already contain bypass for popular RootBeer library. If you can't create a solution from scratch, you can use any RASP library and add your spices on top of it - RE protection should always contain as many layers as possible.

Disclaimer: I contribute to freeRASP.

Example (using freeRASP):

  // For Android
  androidCallback: AndroidCallback(
      onRootDetected: () => exit(0),
      onEmulatorDetected: () => exit(0),
      onFingerprintDetected: () => exit(0),
      onHookDetected: () => exit(0),
      onTamperDetected: () => exit(0),
  ),

  // For iOS
  IOSCallback: IOScallback(
    onSignatureDetected: () => exit(0),
    onRuntimeManipulationDetected: () => exit(0),
    onJailbreakDetected: () => exit(0),
    onPasscodeChangeDetected: () => exit(0),
    onPasscodeDetected: () => exit(0),
    onSimulatorDetected: () => exit(0),
    onMissingSecureEnclaveDetected: () => exit(0),
  ),

  // Common for both platforms
  onDebuggerDetected: () => exit(0),

Hovewer, attacker can locate (in the native Android/iOS code) underlying checking methods and disable them, both statically and dynamically.

Share:
5,769
Anitesh Reddy
Author by

Anitesh Reddy

Updated on December 25, 2022

Comments

  • Anitesh Reddy
    Anitesh Reddy over 1 year

    I am trying to develop a payment application using Flutter, is there any way to protect my application API's and Tokens or make app reverse engineering proof.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Open specific app's permission setting flutter?
The relevant error-causing widget was Scaffold
Flutter - Memory Investigation
Hive generated file Error - "control-flow-collections" experiment is not enabled - Flutter/Dart
Flutter read all files from asset folder
Reusable components with Flutter
How to create full screen dialog in flutter when I am using root names to Navigate?
fixing the Unicode rendering in flutter
How to show html string in text widget flutter
Error: unable to locate asset entry in pubspec.yaml: "assets/fonts/Lato-Regular.ttf"