October 10, 2023

A Deep Dive into Flutter’s Security

For some time now, many frameworks for developing Mobile Applications have been emerging. These frameworks aim to be cross-platform, meaning that the developer implements the App’s code, and once compiled, it can run on various mobile platforms like Android or iOS. For the same App to run on both iOS and Android (as well as other platforms), the code must be compiled with certain characteristics and not be specific to a particular platform.

In this article, Jordi Ventayol, one of Build38’s Security Engineers, introduces Flutter, a framework that lets developers write cross-platform code in Dart. He also examines Flutter’s security capabilities compared to the traditional approach of developing in the native languages of each platform.

Advantages of Flutter

The main advantage of Flutter is that the developer doesn’t have to maintain duplicate code for different environments, and the workload is greatly reduced because only a single codebase has to be maintained and polished. This is just one of the many advantages of Apps developed in Flutter. The framework lets the developer implement cross-platform code in a modern programming language called Dart, which is compiled for and runs on the platform selected in the production phase. In addition, the developer can integrate platform-specific code that works alongside this cross-platform code, making Flutter a powerful and convenient framework.

Security Capabilities using Flutter

Many of these frameworks, like Flutter, are designed for convenience in development and deployment, which almost always comes at the expense of security.

A clear example is React Native, a framework used to develop Applications for Android, iOS, Windows, and others, where the developer uses “React” in JavaScript as cross-platform code. The problem is that when a React Native-developed Application is decompiled, if the default launch process has been followed, you can retrieve the final Application’s JavaScript code, making reverse engineering very easy for an attacker.

But is this also the case with Flutter?

In the following weeks we will be publishing a series of posts, where we will analyze the security provided by an App developed in Flutter compared to the same App developed in the platform’s native languages. But before delving into security, let’s understand the structure of an App when it’s developed in the Flutter environment.

Basic Application development in Flutter

When creating a project, in addition to the platform-specific folders (iOS, Android, macOS, Linux), we have a folder called ‘lib’ with a ‘main.dart’ file. This file implements our cross-platform Dart code. A bit of experimentation shows that Dart code is very similar to Kotlin or Java: you can define classes and methods, and import external libraries.

Deployment:
For this post and the following ones, we will focus only on iOS and Android as deployment platforms since they have the highest number of users in the market.

  • Android:
    If we extract the contents of the compiled APK Application, we see that in the libraries section, specifically for each architecture folder, we have the ‘libapp.so’ library containing our ‘main.dart’ code. We also have another library, ‘libflutter.so’, which we will discuss later.

  • iOS:
    Regarding iOS, if we extract the content from the IPA, we will see that the implemented ‘main.dart’ code has been compiled and translated to machine code in the ‘Frameworks’ folder -> ‘App.framework’ folder -> ‘App’ binary.

    We can also observe the ‘Frameworks’ folder -> ‘Flutter.framework’ folder -> ‘Flutter’ binary.

    Here we can clearly see that, regardless of the Dart classes we create, the compiled Application always contains these two binaries, ‘App’ and ‘Flutter’.

    Remember these two binaries, as they will be important in the following posts when we dive deeper into analyzing security at the static level. For now, we’ve located our ‘main.dart’ code from development to production in ‘libapp.so’. Thus, we have the binaries ready to start the security analysis phase, something we will see in the second part of this series of posts.
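To make the two layouts above concrete, here is an added example (not Build38's code) that reads the file listing of an APK or IPA and reports where the Flutter binaries sit. It assumes the standard archive layouts, `lib/<architecture>/` in an APK and `Payload/<name>.app/` in an IPA; the function names and the sample listings are constructed for illustration.

```python
import io
import re
import zipfile

# Locations named in the article: per-architecture libraries in an APK, and the
# two framework binaries inside the app bundle of an IPA.
APK_LIB = re.compile(r"^lib/([^/]+)/(libapp|libflutter)\.so$")
IPA_BIN = re.compile(r"^Payload/[^/]+\.app/Frameworks/(App|Flutter)\.framework/\1$")

def locate_flutter_binaries(archive):
    """Map an APK/IPA (path or binary file object) to the Flutter binaries in it.

    Only the zip directory is read; nothing is extracted to disk.
    """
    found = {"android": {}, "ios": {}}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if m := APK_LIB.match(info.filename):
                abi, name = m.groups()
                found["android"].setdefault(abi, {})[name + ".so"] = info.file_size
            elif m := IPA_BIN.match(info.filename):
                found["ios"][m.group(1)] = info.file_size
    return found

def has_flutter_pair(found):
    """True if both binaries the article names are present for some platform."""
    android = any({"libapp.so", "libflutter.so"} <= set(libs)
                  for libs in found["android"].values())
    return android or {"App", "Flutter"} <= set(found["ios"])

def build_sample(entries):
    """Constructed in-memory archive; every entry holds 16 placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x00" * 16)
    buf.seek(0)
    return buf

# Constructed file listings (not taken from a real app).
SAMPLE_APK = ["classes.dex", "lib/arm64-v8a/libapp.so", "lib/arm64-v8a/libflutter.so",
              "lib/armeabi-v7a/libapp.so", "lib/armeabi-v7a/libflutter.so"]
SAMPLE_IPA = ["Payload/Demo.app/Demo",
              "Payload/Demo.app/Frameworks/App.framework/App",
              "Payload/Demo.app/Frameworks/Flutter.framework/Flutter"]

if __name__ == "__main__":
    for label, entries in (("APK", SAMPLE_APK), ("IPA", SAMPLE_IPA)):
        found = locate_flutter_binaries(build_sample(entries))
        print(label, has_flutter_pair(found), found)
```

Pass the path of your own build output to `locate_flutter_binaries` to see which architectures ship a ‘libapp.so’ and how large each binary is.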

Follow Build38 for in-depth information on Flutter

In the following series of posts, we will look into the aspect of security, dissecting the inherent strengths and vulnerabilities of Flutter in comparison to the traditional, platform-native development approach. Flutter’s appeal lies not only in its ability to facilitate cross-platform development but also in its promise of adaptability and robustness. However, security remains an important concern, where data breaches and malicious attacks loom large.