How to SECURE my FLUTTER Mobile Application? (Flutter App Penetration Testing Result)
Did you upload the release version or the debug version of the apk to check for security?
flutter build --release will generate release version apk
Also, read more here: https://flutter.dev/docs/deployment/android
Admin
Updated on December 05, 2022Comments
-
Admin over 1 year
Where can I get Flutter App security documentation or best practice? I am nearly ready to publish my app. I use online (free version) https://www.ostorlab.co/report/ and check the security of my app.
I have a main question above and some more question in below.
- How to disable debug mode?
- How to disable backup mode?
- How to prevent my google map api key in AndroidManifest or similar?
These are the security issue that I am facing. —————————————————————————————————
High Debug mode enabled Description
The application is compiled with debug mode allowing attackers to attach a debugger to access sensitive data or perform malicious actions.Attacker can debug the application without access to source code and leverage it to perform malicious actions on behalf ot the user, modify the application behavior or access sensitive data like credentials and session cookies.
Recommendation
Disable debug mode by setting the attribute android:debuggeable to false in the application tag.
References • DRD10-J Do not relase apps that are debuggable (CERT Secure Coding)
Ex: AndroidManifest:
<activity android:name="com.apptreesoftware.mapview.MapActivity" android:theme="@7F0C0102"> </activity> <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value=“****************************”></meta-data> <meta-data android:name="com.google.android.gms.version" android:value="@7F080004"></meta-data>————————————————————————————
Potentially Backup mode enabled Description
Android performs by default a full backup of applications including the private files stored on /data partition. The Backup Manager service uploads those data to the user's Google Drive account.
Recommendation
if the application contains sensitive data that you don't want to be restored, you can disable backup mode by setting the attribute android:allowBackup to false in the application tag.
References • Random Musings on the M Developer Preview: the Ugly (Part Two) • DRD22. Do not cache sensitive information
————————————————————————————
Potentially Services declared without permissions Description
service is an application component that can take care of actions to be done in the background, without user interaction. service can also be used to expose functionalities to other applications. This corresponds to calls to Context.bindService() to establish a connection to the service and interact with it. Unprotected services can be invoked by other applications and potentially access sensitive information or perform privileged actions
Recommendation
service can expose several methods to external componenets. It is possible to define arbitrary permissions for each method using the method checkPermission. It is also possible to seperate services and restrict access by enforcing permissions in the manifest's tag.
<permission android:name="co.ostorlab.custom_permission" android:label="custom_permission" android:protectionLevel="dangerous"></permission> <service android:name="co.ostorlab.custom_service" android:permission="co.ostorlab.custom_permission"> <intent-filter> <action android:name="co.ostorlab.ACTION" /> </intent-filter> </service>The service can enforce permissions on individual IPC calls by calling the method checkCallingPermissionbefore executing the implementation of that call.
References • CWE-280: Improper Handling of Insufficient Permissions or Privileges • Security Decisions Via Untrusted Inputs (OWASP Mobile Top 10) • Service (Android Developper Documentation)
Technical details False Positive Services definition in AndroidManifest.xml:
<service android:name="com.mobile.niyazibank.MyFirebaseMessagingService"> <intent-filter> <action android:name="com.google.firebase.MESSAGING_EVENT"> </action> </intent-filter> </service> <service android:name="com.mobile.niyazibank.MyFirebaseInstanceIDService"> <intent-filter> <action android:name="com.google.firebase.INSTANCE_ID_EVENT"> </action> </intent-filter> </service> <service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseInstanceIDService"> <intent-filter> <action android:name="com.google.firebase.INSTANCE_ID_EVENT"> </action> </intent-filter> </service> <service android:name="io.flutter.plugins.firebasemessaging.FlutterFirebaseMessagingService"> <intent-filter> <action android:name="com.google.firebase.MESSAGING_EVENT"> </action> </intent-filter> </service> <service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService"> <intent-filter android:priority="-500"> <action android:name="com.google.firebase.MESSAGING_EVENT"> </action> </intent-filter> </service> <service android:exported="true" android:name="com.google.firebase.iid.FirebaseInstanceIdService"> <intent-filter android:priority="-500"> <action android:name="com.google.firebase.INSTANCE_ID_EVENT"> </action> </intent-filter> </service>————————————————————
Important Exported activites, services and broadcast receivers list Description
List of all exported components in the application. Exported component are accessible to external applications and present an entry point to the application.
Recommendation
This entry is informative, no recommendations applicable.
References • Content Provider (Android Developper Documentation) • Activity (Android Developper Documentation) • Broadcast Receiver (Android Developper Documentation) • Service (Android Developper Documentation)