@dhruvilp
Last active April 1, 2023 20:52
Flutter OWASP top 10 & security checks
  1. Improper platform usage: request permissions only for the on-device resources the app actually uses (e.g. camera, location)
  2. Secure storage: pub packages flutter_secure_storage, hive, secure_application
  3. Insecure communication: http_certificate_pinning, ssl_pinning_plugin (SSL/TLS certificate pinning)
  4. Insecure authentication: local_auth
  5. Insufficient cryptography: only use NIST-approved encryption algorithms (packages: encrypt, crypto)
  6. Insecure authorization
  7. Client code quality: vulnerability and maintainability checks (static and dynamic security analysis)
  8. Code tampering: flutter_jailbreak_detection
  9. Reverse engineering: check whether IDA Pro and Hopper can de-obfuscate your code; pass --obfuscate when building the Flutter app, and ship native binary builds, which are harder to decompile
  10. Extraneous functionality: check logs for information leaks about the backend or any hard-coded PII. Use RASP (runtime application self-protection), e.g. the freerasp package, to check for security leaks
  11. Flush in-memory cache frequently
  12. App switcher snapshot (the small app window shown when switching between apps): Android:
import android.view.WindowManager.LayoutParams;
// In MainActivity (e.g. in onCreate, before the view is attached):
// FLAG_SECURE blanks the task-switcher preview and blocks screenshots/screen recording of this window.
getWindow().addFlags(LayoutParams.FLAG_SECURE);

iOS (in AppDelegate):

// Hide the key window when the app is about to move to the background,
// so the system snapshot used in the app switcher shows nothing sensitive.
- (void)applicationWillResignActive:(UIApplication *)application {
  self.window.hidden = YES;
}
// Show it again once the app is back in the foreground.
- (void)applicationDidBecomeActive:(UIApplication *)application {
  self.window.hidden = NO;
}
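Added example, not part of this gist or of any of the listed packages: one Dart file that wires up items 2 (secure storage), 3 (certificate pinning) and 4 (biometric authentication) from the checklist above, plus a `wipe()` for item 11. It assumes `pubspec.yaml` depends on `flutter_secure_storage`, `local_auth` and `flutter`; the key name, asset path, URL and the `AndroidOptions`/`IOSOptions`/`KeychainAccessibility` option names are assumptions (check them against the package version you use). The pinning part uses only `dart:io` rather than the pinning plugins named in item 3, so that the mechanism is visible: the client starts with no system roots and trusts only the bundled certificate.

```dart
// Added example (not from the gist): checklist items 2, 3, 4 and 11 in Dart.
// Assumes pubspec.yaml depends on flutter_secure_storage, local_auth and flutter.
import 'dart:io';
import 'dart:typed_data';

import 'package:flutter/services.dart' show rootBundle;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';

/// Item 2: keep session secrets in the platform keystore/keychain,
/// never in SharedPreferences or a plain file.
class TokenVault {
  // Assumed option names: encrypted shared preferences on Android; on iOS the
  // keychain item is unreadable until first unlock and not restored to other devices.
  static const FlutterSecureStorage _storage = FlutterSecureStorage(
    aOptions: AndroidOptions(encryptedSharedPreferences: true),
    iOptions: IOSOptions(
      accessibility: KeychainAccessibility.first_unlock_this_device,
    ),
  );

  static const String _key = 'session_token'; // placeholder key name

  Future<void> save(String token) => _storage.write(key: _key, value: token);
  Future<String?> read() => _storage.read(key: _key);

  /// Item 11: wipe on logout or after the app has been backgrounded for too long.
  Future<void> wipe() => _storage.delete(key: _key);
}

/// Item 3: certificate pinning with dart:io alone. The client trusts ONLY the
/// certificate (leaf or private CA) bundled as an asset, so a chain issued by
/// any other CA, including one installed by an intercepting proxy, fails the
/// TLS handshake.
Future<HttpClient> pinnedHttpClient() async {
  // Placeholder asset path: bundle the backend's PEM certificate under assets/.
  final ByteData pem = await rootBundle.load('assets/backend_cert.pem');
  final SecurityContext ctx = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(pem.buffer.asUint8List());
  final HttpClient client = HttpClient(context: ctx);
  // badCertificateCallback is the escape hatch that could re-allow bad chains;
  // keep it closed so nothing outside the pinned trust store is accepted.
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => false;
  return client;
}

/// Item 4: gate access to the vault behind the OS biometric prompt.
Future<bool> unlockWithBiometrics() async {
  final LocalAuthentication auth = LocalAuthentication();
  if (!await auth.isDeviceSupported()) return false;
  return auth.authenticate(
    localizedReason: 'Unlock your session',
    options: const AuthenticationOptions(biometricOnly: true, stickyAuth: true),
  );
}

/// Putting it together: call the backend only after the user passed biometrics,
/// over the pinned connection, with the token read from the vault.
/// Returns the HTTP status code, or null when any gate fails.
Future<int?> fetchProfileStatus(TokenVault vault) async {
  if (!await unlockWithBiometrics()) return null;
  final String? token = await vault.read();
  if (token == null) return null;
  final HttpClient client = await pinnedHttpClient();
  try {
    final HttpClientRequest req =
        await client.getUrl(Uri.parse('https://api.example.com/me')); // placeholder URL
    req.headers.set(HttpHeaders.authorizationHeader, 'Bearer $token');
    final HttpClientResponse res = await req.close();
    await res.drain<void>();
    return res.statusCode;
  } on HandshakeException {
    // Pin mismatch (or an interception attempt): hard failure, never fall back to plain http.
    return null;
  } finally {
    client.close(force: true);
  }
}
```

Rotate the bundled certificate before it expires (or pin a private intermediate CA with a longer lifetime), otherwise the app locks itself out of the backend on expiry; and keep `badCertificateCallback` returning `false`, since any `true` path there silently undoes the pin.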

Android App Security Checklist:

https://github.com/muellerberndt/android_app_security_checklist
