1. Know What You Are Using
The Flutter community is strong: many useful, good-quality packages on pub.dev are maintained by open source contributors, and frontend application development is fast and easy as a result. Although many packages are well written and continuously maintained, it does no harm to take a moment to review who publishes a package, whether it is still maintained and, where possible, the source code itself. Because the code is written by a third party, a quick review at least lowers the chance of pulling vulnerable code into your app. This matters most when the application handles sensitive user data, where a vulnerable dependency can become a data leak.
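A quick way to decide which dependencies to review first is to look at where they come from. The script below is an added example, not code from the original post: it reads pubspec.lock with plain dart:io (no packages), counts direct versus transitive packages, and lists every package that is not served from pub.dev (git, path or private-registry sources). It assumes the two-space indentation that `dart pub get` writes into pubspec.lock; the file path and the `dart run audit_lock.dart` invocation are constructed for this example.

```dart
// Added example: audit pubspec.lock and list packages that need a closer look.
// Run from the project root: dart run audit_lock.dart [path/to/pubspec.lock]
import 'dart:io';

/// One package from pubspec.lock, reduced to the fields the audit needs.
class LockEntry {
  final String name;
  final String dependency; // "direct main", "direct dev" or "transitive"
  final String source;     // "hosted", "git", "path" or "sdk"
  final String version;
  final String url;        // registry or git URL from the description block
  const LockEntry(this.name, this.dependency, this.source, this.version, this.url);

  bool get isDirect => dependency.startsWith('direct');
}

/// Line-based reader for the `packages:` section of pubspec.lock. It relies on
/// the fixed two-space indentation that `dart pub get` writes (assumption).
List<LockEntry> parseLock(String text) {
  final entries = <LockEntry>[];
  String? name;
  final fields = <String, String>{};

  void flush() {
    if (name != null) {
      entries.add(LockEntry(name!, fields['dependency'] ?? '?',
          fields['source'] ?? '?', fields['version'] ?? '?', fields['url'] ?? ''));
    }
    name = null;
    fields.clear();
  }

  var inPackages = false;
  for (final line in text.split('\n').map((l) => l.trimRight())) {
    if (line == 'packages:') {
      inPackages = true;
      continue;
    }
    if (!inPackages || line.isEmpty) continue;
    if (!line.startsWith(' ')) { // next top-level key, e.g. `sdks:`
      flush();
      inPackages = false;
      continue;
    }
    final indent = line.length - line.trimLeft().length;
    if (indent == 2 && line.endsWith(':')) { // `  http:` starts a package
      flush();
      name = line.trim().replaceAll(':', '');
      continue;
    }
    final sep = line.indexOf(': ');
    if (sep < 0) continue; // `    description:` and similar nested keys
    final key = line.substring(0, sep).trim();
    final value = line.substring(sep + 2).trim().replaceAll('"', '');
    fields[key] = value;
  }
  flush();
  return entries;
}

/// Packages to review first: anything not served by pub.dev. The Flutter
/// SDK's own packages have source `sdk` and are skipped.
List<LockEntry> needsReview(List<LockEntry> entries) => entries
    .where((e) => e.source != 'sdk')
    .where((e) =>
        e.source != 'hosted' ||
        (e.url != 'https://pub.dev' && e.url != 'https://pub.dartlang.org'))
    .toList();

void main(List<String> args) {
  final path = args.isNotEmpty ? args.first : 'pubspec.lock';
  final entries = parseLock(File(path).readAsStringSync());
  final direct = entries.where((e) => e.isDirect).length;
  print('$direct direct and ${entries.length - direct} transitive packages');
  for (final e in needsReview(entries)) {
    print('REVIEW ${e.name} ${e.version} source=${e.source} ${e.url}');
  }
}
```

Packages the script lists are the ones whose publisher and build pipeline pub.dev cannot vouch for, so they are the natural starting point for the manual review the section recommends; the transitive count is a reminder that most of the code you ship was not chosen by you directly.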
2. Keep Everything Up-to-date
Nothing is perfect. Both the official framework and third-party packages keep releasing new versions with security fixes and patches for known vulnerabilities. Keeping the Flutter SDK and your packages on the latest versions gives the application better protection.
3. Restrict Network Traffic
Controlling network traffic between your app and the servers it is known to talk to prevents unexpected connections from doing something risky. On Android, look at the Network Security Configuration, an XML config defined in the Android project for blacklisting and whitelisting domains and traffic. iOS has a similar config in Info.plist for trusted domains and traffic; look at NSAppTransportSecurity.
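The platform configs above are the primary control. As an added example (not code from the original post), the Dart below adds an app-side allowlist on top of them: only HTTPS requests to known hosts are issued, and redirects are followed one hop at a time so that each hop is re-checked against the same allowlist. It uses only dart:io; the hostnames in `allowedHosts` are constructed placeholders.

```dart
// Added example: app-side host allowlist for outgoing HTTP requests.
import 'dart:io';

/// Hosts the app may contact (constructed placeholders). An entry starting
/// with '.' also matches subdomains: ".cdn.example.com" matches
/// "img.cdn.example.com" but not "evilcdn.example.com".
const allowedHosts = <String>{'api.example.com', '.cdn.example.com'};

/// True only for https URLs whose host is on the allowlist.
bool isAllowedUrl(Uri url, {Set<String> allowlist = allowedHosts}) {
  if (url.scheme != 'https') return false; // never cleartext
  final host = url.host.toLowerCase();
  if (host.isEmpty) return false;
  for (final entry in allowlist) {
    if (entry.startsWith('.')) {
      if (host == entry.substring(1) || host.endsWith(entry)) return true;
    } else if (host == entry) {
      return true;
    }
  }
  return false;
}

/// Thin wrapper around HttpClient that refuses requests to unknown hosts and
/// re-checks every redirect target. Certificate validation is left at the
/// dart:io default (no badCertificateCallback override), so a certificate the
/// platform does not trust still fails the connection.
class RestrictedHttpClient {
  final HttpClient _client = HttpClient();

  Future<HttpClientResponse> get(Uri url, {int maxRedirects = 3}) async {
    var current = url;
    for (var hop = 0; hop <= maxRedirects; hop++) {
      if (!isAllowedUrl(current)) {
        throw StateError('blocked request to ${current.host}');
      }
      final request = await _client.getUrl(current);
      request.followRedirects = false; // redirects are checked in this loop
      final response = await request.close();
      if (!response.isRedirect) return response;
      final location = response.headers.value(HttpHeaders.locationHeader);
      if (location == null) return response;
      await response.drain<void>(); // release the connection before the next hop
      current = current.resolve(location);
    }
    throw StateError('too many redirects from ${url.host}');
  }

  void close() => _client.close(force: true);
}

void main() {
  final samples = [
    'https://api.example.com/v1/profile',
    'http://api.example.com/v1/profile',
    'https://img.cdn.example.com/logo.png',
    'https://evilcdn.example.com/logo.png',
  ];
  for (final s in samples) {
    print('${isAllowedUrl(Uri.parse(s)) ? 'allow' : 'block'} $s');
  }
}
```

Keep the allowlist in one place and route all requests through the wrapper; the check is only as good as its coverage, which is why the platform-level configuration should stay in place underneath it for any package that opens its own sockets.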
4. Encrypt Sensitive Data Before Boxing
Sometimes we are forced to store sensitive data locally, and encrypting it before storing it is good practice to avoid data leakage. Some popular packages offer easy ways to store data encrypted; for example, flutter_secure_storage, encrypted_shared_preferences and hive (a database) all provide encrypted storage methods. But since this concerns sensitive data, take a little time to understand which crypto methods each package uses on each platform, and decide whether they fit what you expect.
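The usual way to combine two of the packages just named is to let flutter_secure_storage hold the key and let hive encrypt the data with it, so the key never sits on disk next to the box. The code below is an added example, not from the original post or from either package's own documentation: the package names and the `Hive.generateSecureKey`, `HiveAesCipher`, `FlutterSecureStorage.read/write` calls are real, while the key name and box name are constructed for this example.

```dart
// Added example: Hive box encrypted with a key kept in flutter_secure_storage.
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive_flutter/hive_flutter.dart';

const _keyName = 'hive_box_key'; // constructed identifier
const _boxName = 'secrets';      // constructed identifier

/// Returns the 256-bit Hive key, generating and persisting it on first use.
/// The key is stored in the platform secure storage (Keychain on iOS,
/// Keystore-backed storage on Android), never in the Hive box directory.
Future<List<int>> loadOrCreateBoxKey(FlutterSecureStorage storage) async {
  final stored = await storage.read(key: _keyName);
  if (stored != null) {
    return base64Url.decode(stored);
  }
  final fresh = Hive.generateSecureKey(); // 32 random bytes from Hive
  await storage.write(key: _keyName, value: base64Url.encode(fresh));
  return fresh;
}

/// Opens the encrypted box. Values written through this box are encrypted on
/// disk; opening the same box without the cipher does not yield the plaintext.
Future<Box<String>> openSecretsBox() async {
  await Hive.initFlutter();
  final storage = FlutterSecureStorage();
  final key = await loadOrCreateBoxKey(storage);
  return Hive.openBox<String>(_boxName, encryptionCipher: HiveAesCipher(key));
}

/// Minimal round trip through the encrypted box.
Future<String?> storeAndReadToken(String token) async {
  final box = await openSecretsBox();
  await box.put('session_token', token);
  final readBack = box.get('session_token');
  await box.close();
  return readBack;
}
```

Two points follow the section's own advice to check what the packages actually do: first, if the secure-storage entry and the box file go out of sync (for example one survives a reinstall and the other does not), the box can no longer be opened and the app should treat it as lost rather than crash; second, check the Hive documentation for the mode `HiveAesCipher` uses and for what flutter_secure_storage backs its storage with on each platform before deciding that this is strong enough for the data in question.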
5. Obfuscate When Releasing
Turn on the obfuscation option when building the release version. This makes reverse engineering a Flutter app harder.
Currently only Android, iOS and macOS support the obfuscation option.
flutter build <apk | appbundle | ipa | ios | ios-framework> --obfuscate --split-debug-info=/<project-name>/<directory>
On Android, it is also recommended to enable ProGuard, which obfuscates the Android native code and also minimises the size of the Android app.
/android/app/build.gradle
android {
    buildTypes {
        release {
            // Enables code shrinking, obfuscation, and optimization for only
            // your project's release build type.
            minifyEnabled true
            // Enables resource shrinking, which is performed by the
            // Android Gradle plugin.
            shrinkResources true
            // Includes the default ProGuard rules files that are packaged with
            // the Android Gradle plugin. To learn more, go to the section about
            // R8 configuration files.
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                'proguard-rules.pro'
        }
    }
}
/android/app/proguard-rules.pro
# Flutter
-keep class io.flutter.app.** { *; }
-keep class io.flutter.plugin.** { *; }
-keep class io.flutter.util.** { *; }
-keep class io.flutter.view.** { *; }
-keep class io.flutter.** { *; }
-keep class io.flutter.plugins.** { *; }
# Add keep rules here for any other classes that the packages you use require
As far as I know, there are mobile security companies that provide paid Flutter app obfuscation solutions, which can also be taken into consideration for highly secure applications.