As app publishers look to reduce development time, lower costs, and standardize user experiences across platforms, mobile app development teams have increasingly turned to hybrid development. Flutter – a cross-platform mobile app software development kit – enables app developers to build native apps for Android, iOS, and other platforms using a single codebase.
Clearly, Flutter presents a number of benefits for mobile app developers. But the security risks that still exist should not be overlooked: a streamlined approach to mobile app development doesn’t prevent malicious actors from reverse engineering or tampering with your app.
Why is this protection needed now? An increasing number of companies are adopting Flutter across industries, including financial services, healthcare, media, entertainment, e-commerce and retail. Growing popularity means more money at stake, so malicious actors are increasingly attacking Flutter apps using reverse engineering and tampering for financial gain, to steal IP, and more. Many in the Flutter community recognized the need for adequate app security, and Guardsquare had the mobile app security expertise to deliver a solution. After hearing the Flutter community was looking for a solution to mitigate these risks, Guardsquare has extended its mobile app protection solutions, DexGuard (Android) and iXGuard (iOS), to support application hardening capabilities for Flutter apps.
Flutter is seeing steady adoption because the framework enables developers to build high-performance native apps with fewer resources required than developing separate apps using native tooling. And, since most mobile apps are offered on multiple mobile platforms, leveraging a cross-platform development kit ensures a consistent user experience.
But there is, admittedly, a challenge with Flutter. Since Flutter apps are compiled directly into native code, there’s a perception that they’re more secure. The reality, however, is different. Attackers who know how to reverse engineer binaries can easily target Flutter apps as well. After all, these native apps still require access to operating system functionality via system libraries, which introduces additional risks.
Like other programming languages such as Kotlin, Dart (the programming language used within the Flutter framework) generates a lot of metadata, which exposes quite a bit of sensitive data about the inner workings of the app. Malicious actors can use this information to reverse engineer the app.
Last, but not least, every Flutter app is shipped with the Flutter engine, which is in charge of rendering the UI, dealing with system I/O, and more. This engine can easily get swapped out by malicious actors to generate totally different app behavior without modifying the source code. If not addressed properly with application hardening, these aspects specific to Flutter could pose significant risks to app publishers.
TL;DR: Flutter is a more cost-effective way to build native apps, but since Flutter has the same attack surface as traditional mobile apps, application hardening is essential to protect against reverse engineering and tampering. These types of attacks can have a negative business impact such as financial losses, brand damage, IP theft and more.
By leveraging Guardsquare’s protection solutions, mobile apps built on Flutter benefit from:
Some developers consider implementing custom security measures using the app shrinker and obfuscator that ships with Flutter, but this approach provides just a single layer of protection and that is not enough to shield mobile apps. Instead, Guardsquare’s solutions automatically apply several layers of obfuscation to better protect Flutter apps from reverse engineering and static attacks.
Additionally, the protections that DexGuard and iXGuard provide are applied differently with every new build. Known as polymorphic protection, this essentially resets the clock on malicious actors with every new release of your app.
Along with code obfuscation to defend against static attacks, the protections inject runtime application self-protection (RASP) checks into Flutter apps as well. Guardsquare’s solutions can detect debuggers, rooted or jailbroken devices, and ensure code integrity, among others, while protected Flutter apps are actively used.
Guardsquare’s team of security experts is constantly monitoring the evolving threat landscape to stay ahead of malicious actors. Doing so allows DexGuard and iXGuard to be updated to protect your app as that landscape changes. This level of security is time-consuming for mobile development teams to implement on their own, so it makes sense to leave it to mobile app security experts.
Best of all, it’s easy to get started. Flutter support is fully embedded in both DexGuard and iXGuard, so developers can include their Flutter security configuration in addition to the native Android (Kotlin/Java) and iOS (Swift/Objective-C) code.
Guardsquare delivers comprehensive security tooling for mobile application development teams. With Flutter support, DexGuard and iXGuard continue to provide developer-friendly security solutions to protect mobile apps, regardless of how they’re built and where they’re published.
*Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.