08 October 2020

Keep Your Mobile Application Safe with Flutter Encryption

If you’ve been keeping an eye on the past year’s tech trends, you surely couldn’t have missed Flutter. A second topic comes and goes in the headlines but always sticks around: security. But have you ever wondered how the two work together?

In this article, I’d like to walk you through some terminology and show you how to make your Flutter app that much more secure.

What is Flutter?

Let’s start with a few words about Flutter. What is it exactly?

Flutter is a software development kit created by Google and based on the Dart programming language. It’s a tool for creating multiplatform apps from a single codebase. Such applications can run on Android, iOS, Linux, Mac, Windows, Google Fuchsia or as a web page in a browser. What’s more, Flutter is compiled to native code, so its execution is efficient.

Secured, how?

The topic of security is as broad as the Galaxy and as deep as the Mariana Trench. Today we’ll be focusing on data cryptography using symmetric and asymmetric algorithms.

We call a cryptography algorithm symmetric when the same key is used for both encrypting and decrypting the provided data. An example of this is AES encryption.

On the other hand, an asymmetric cryptography algorithm uses two different keys: one for encryption and the other for decryption. The idea behind asymmetric cryptography is that one key is publicly available, termed the public key, while the other is kept hidden and called the private key. Once you encrypt data using one of the keys, only the second one can successfully decrypt it. A good example here is RSA encryption.

On that note, I have good news! We’re going to utilize both types today.

Required dependencies

First things first: before encrypting or decrypting our data, we must prepare the project dependencies. Many Flutter dependencies allow programmers to get the job done quickly, and cryptography is no different. For RSA, we’re going to need ‘rsa_encrypt’ for key generation. We will then need ‘encrypt’ to carry out the encryption itself. Both rely on a lower-level dependency, Pointy Castle, so we’ll reference it as well.

And if all you need is to encrypt some string using the AES algorithm, then you should opt for flutter_string_encryption. It allows you to generate symmetric keys and use them to encrypt or decrypt string data. We’ll, of course, use it to protect our RSA keys before storing them.

Oh, one more thing: all respectable modern apps allow storing data in a biometric-guarded fashion. Luckily for us, pub.dev has us covered. We can use biometric_storage to do so.

So dependencies should look like this:

Encrypting and decrypting data

Now for the fun part. Let’s start with asymmetric encryption. First, we’ll need RSA keys. Generating them is as simple as these lines:

Just keep in mind that this will take some time, so it’s good to update the UI and let your user know what’s going on.

Once we have ourselves a keyPair, we can create an Encrypter object, which will allow us to perform encryption or decryption. Just pass the keyPair in the constructor like so:

Now, all that’s left is to invoke encrypt or decrypt on the encrypter and pass in the data on which the operation should be performed. Example code looks like this:
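As an added example (not the article's own listing), the three steps above combined into one pure-Dart program: key generation with rsa_encrypt, an Encrypter from the encrypt package, and a round trip. The sample message and the choice of OAEP padding are assumptions of this example; the encrypt package defaults to PKCS#1 v1.5.

```dart
import 'package:encrypt/encrypt.dart';
import 'package:pointycastle/api.dart' as pc;
import 'package:pointycastle/asymmetric/api.dart';
import 'package:rsa_encrypt/rsa_encrypt.dart' show RsaKeyHelper;

final RsaKeyHelper _helper = RsaKeyHelper();

/// Generates an RSA key pair. This is slow, so await it outside the
/// build path and show progress in the UI while it runs.
Future<pc.AsymmetricKeyPair<pc.PublicKey, pc.PrivateKey>> generateKeyPair() {
  return _helper.computeRSAKeyPair(_helper.getSecureRandom());
}

/// Wraps the key pair in an Encrypter. With only a public key the
/// resulting object can encrypt but not decrypt.
Encrypter buildEncrypter(
    pc.AsymmetricKeyPair<pc.PublicKey, pc.PrivateKey> pair) {
  return Encrypter(RSA(
    publicKey: pair.publicKey as RSAPublicKey,
    privateKey: pair.privateKey as RSAPrivateKey,
    encoding: RSAEncoding.OAEP, // assumption of this example
  ));
}

Future<void> main() async {
  final pair = await generateKeyPair();
  final encrypter = buildEncrypter(pair);

  const message = 'constructed sample message'; // sample input
  final Encrypted cipher = encrypter.encrypt(message);
  final String roundTrip = encrypter.decrypt(cipher);

  if (roundTrip != message) {
    throw StateError('RSA round trip failed');
  }
  print('ciphertext (base64): ${cipher.base64}');

  // PEM form of the private key, needed later when the key itself is
  // encrypted before being written to persistent storage.
  final pem =
      _helper.encodePrivateKeyToPemPKCS1(pair.privateKey as RSAPrivateKey);
  print('private key PEM length: ${pem.length}');
}
```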

Secure keys using Password

As I mentioned before, I’d like to secure my RSA keys before storing them in persistent storage, which in this case is Shared Preferences. To do so, I’ll use symmetric cryptography: AES. The AES key will be generated from a password, so it isn’t stored anywhere other than the user’s memory.

Just as before, it’s as easy as executing these lines of code:

I almost forgot: you need to provide a salt for the generation process. You could either hard-code it, or generate it the first time you need it and store it in persistent storage.

Now the RSA keys we received earlier need to be converted to PEM form so that we can encrypt them. Once that’s done, simply call encrypt on an object of type PlatformStringEncryption with the RSA key PEM as one of the parameters and the AES key as the second one. You can do that like so:
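One way to put this section together, as an added example that is not the article's own code: the salt is generated on first use and persisted, the AES key is derived from the password each time, and a wrong password surfaces as a MAC failure on decrypt. The preference key names are hypothetical, and the PEM string is assumed to come from RsaKeyHelper's encodePrivateKeyToPemPKCS1.

```dart
import 'package:flutter_string_encryption/flutter_string_encryption.dart';
import 'package:shared_preferences/shared_preferences.dart';

// Hypothetical preference keys chosen for this example.
const String saltPref = 'rsa_key_salt';
const String privateKeyPref = 'rsa_private_key_encrypted';

final PlatformStringCryptor _cryptor = PlatformStringCryptor();

/// Returns the stored salt, generating and persisting one on first use.
/// The salt is not secret; it only has to stay the same between runs.
Future<String> loadOrCreateSalt(SharedPreferences prefs) async {
  final existing = prefs.getString(saltPref);
  if (existing != null) return existing;
  final salt = await _cryptor.generateSalt();
  await prefs.setString(saltPref, salt);
  return salt;
}

/// Encrypts the private key PEM under a password-derived AES key and
/// stores only the ciphertext. The AES key itself is never persisted.
Future<void> storePrivateKey(String privateKeyPem, String password) async {
  final prefs = await SharedPreferences.getInstance();
  final salt = await loadOrCreateSalt(prefs);
  final aesKey = await _cryptor.generateKeyFromPassword(password, salt);
  final encrypted = await _cryptor.encrypt(privateKeyPem, aesKey);
  await prefs.setString(privateKeyPref, encrypted);
}

/// Re-derives the AES key from the password and decrypts the stored PEM.
/// Throws StateError when nothing is stored, and ArgumentError when the
/// password is wrong or the stored ciphertext was modified.
Future<String> loadPrivateKey(String password) async {
  final prefs = await SharedPreferences.getInstance();
  final encrypted = prefs.getString(privateKeyPref);
  if (encrypted == null) {
    throw StateError('No private key has been stored yet');
  }
  final salt = await loadOrCreateSalt(prefs);
  final aesKey = await _cryptor.generateKeyFromPassword(password, salt);
  try {
    return await _cryptor.decrypt(encrypted, aesKey);
  } on MacMismatchException {
    // Integrity check failed: the derived key does not match the data.
    throw ArgumentError('Wrong password or corrupted key data');
  }
}
```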

Secure keys using Biometric

Now allow me to show you once more the process of storing secured RSA keys in persistent storage. But this time, we’ll be involving biometrics. Just as before, we need to prepare the RSA keys in PEM format to allow encryption. After that, we’ll use BiometricStorage from the biometric_storage library to obtain a storage and perform the write operation. Note that users will be automatically prompted to pass biometric authentication when writing data into a secured file. The same will happen when you try to read from the storage or delete it. One important note is that a write operation overwrites the current content, so if you wish to add something to the storage, you first need to read the current content, append your new data, and write the result back.

Anyway, here is code showing how to perform a write to such storage:
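A sketch of the write path with biometric_storage, added here as an example and not taken from the article: it checks that biometric authentication is available, then reads, appends and writes back, because a write replaces the whole content. The storage name and the newline separator between entries are assumptions of this example.

```dart
import 'package:biometric_storage/biometric_storage.dart';

// Hypothetical storage name chosen for this example.
const String storageName = 'rsa_keys';

/// Opens the biometric-protected storage file, failing early when the
/// device cannot authenticate (no hardware, nothing enrolled, and so on).
Future<BiometricStorageFile> openKeyStorage() async {
  final support = await BiometricStorage().canAuthenticate();
  if (support != CanAuthenticateResponse.success) {
    throw StateError('Biometric storage unavailable: $support');
  }
  return BiometricStorage().getStorage(storageName);
}

/// Replaces the stored content with [pem]. The user is prompted for
/// biometric authentication before the write goes through.
Future<void> writePem(String pem) async {
  final storage = await openKeyStorage();
  await storage.write(pem);
}

/// Adds [pem] to what is already stored. Because write() overwrites the
/// file, the current content is read first and written back with the new
/// entry appended; the user is prompted for each protected operation.
Future<void> appendPem(String pem) async {
  final storage = await openKeyStorage();
  final current = await storage.read();
  final combined =
      (current == null || current.isEmpty) ? pem : '$current\n$pem';
  await storage.write(combined);
}

/// Removes the stored keys, for example when the user signs out.
Future<void> deleteStoredKeys() async {
  final storage = await openKeyStorage();
  await storage.delete();
}
```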

Summary

I hope you’ve now learned how easy it is to add additional security to your Flutter app through some basic cryptography. What’s more, you now know which tools to use and how to use them to achieve what you want.
Use the specially-created example app alongside this article as a point of reference. Be sure to check it out on the SoftwareHut GitHub page.

Author
Daniel Łojewski
Android / Flutter Technical Lead