Logo

Flutter Shield 🛡️ #

A comprehensive device security and vulnerability detection package for Flutter applications on Android and iOS.

Features #

Flutter Shield provides detection for 30+ security vulnerabilities across multiple categories:

Device Integrity (5 checks) #

✅ Rooted/Jailbroken device detection
✅ Debuggable app in production
✅ USB debugging enabled (Android)
✅ Emulator/Simulator detection
✅ Device malware exposure

Storage Security (6 checks) #

✅ Insecure local storage (SharedPreferences/UserDefaults)
✅ Sensitive data in plaintext
✅ Improper Keychain/Keystore usage
✅ Insecure file permissions
✅ External storage for sensitive data
✅ Backup enabled for sensitive data

Authentication (3 checks) #

✅ Weak biometric authentication handling
✅ Biometric bypass via device settings
✅ Screen lock/device PIN not enforced

UI Security (6 checks) #

✅ Screenshot not restricted
✅ Screen recording not restricted
✅ Clipboard data leakage
✅ Overlay attacks (Tapjacking)
✅ Background process data exposure
✅ Recent apps exposure

Communication (4 checks) #

✅ Insecure IPC
✅ Intent hijacking (Android)
✅ Broadcast receiver exposure (Android)
✅ Deep link hijacking

WebView (2 checks) #

✅ WebView debugging enabled
✅ WebView JavaScript interface abuse

Permissions & Runtime (3 checks) #

✅ Runtime permission validation
✅ Insecure autofill usage
✅ Sensor abuse (Camera, Mic, GPS)

Other (2 checks) #

✅ Trusting device time/locale
✅ Side-channel attacks

Installation #

Add this to your package's pubspec.yaml file:

dependencies:
  flutter_shield: ^1.1.3

Then run:

flutter pub get

Platform Setup #

Android #

Add to your android/app/build.gradle:

android {
    compileSdkVersion 33
    
    defaultConfig {
        minSdkVersion 21
        targetSdkVersion 33
    }
}

iOS #

Update your ios/Podfile:

platform :ios, '12.0'

Add privacy descriptions to ios/Runner/Info.plist if using sensor checks:

<key>NSCameraUsageDescription</key>
<string>We need camera access to verify security</string>
<key>NSMicrophoneUsageDescription</key>
<string>We need microphone access to verify security</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>We need location access to verify security</string>

Usage #

Full Security Check #

Run a comprehensive check covering all vulnerabilities:

import 'package:flutter_shield/flutter_shield.dart';

Future<void> checkSecurity() async {
  final report = await FlutterShield.performFullSecurityCheck();
  
  print('Total checks: ${report.totalChecks}');
  print('Vulnerabilities found: ${report.vulnerabilitiesFound}');
  print('Is secure: ${report.isSecure}');
  
  for (var vulnerability in report.vulnerabilities) {
    print('⚠️ ${vulnerability.type}: ${vulnerability.message}');
  }
}

Individual Checks #

Run specific security checks:

// Check for root/jailbreak
final rootCheck = await FlutterShield.checkRootedJailbroken();
if (rootCheck.isVulnerable) {
  print('Device is rooted/jailbroken!');
}

// Check if app is debuggable
final debugCheck = await FlutterShield.checkDebuggable();
if (debugCheck.isVulnerable) {
  print('App is running in debug mode!');
}

// Check for emulator
final emulatorCheck = await FlutterShield.checkEmulator();
if (emulatorCheck.isVulnerable) {
  print('Running on emulator!');
}

// Check USB debugging (Android)
final usbDebugCheck = await FlutterShield.checkUsbDebugging();

// Check biometric security
final biometricCheck = await FlutterShield.checkBiometricHandling();

// Check screenshot restriction
final screenshotCheck = await FlutterShield.checkScreenshotRestriction();

Handling Results #

Future<void> handleSecurityCheck() async {
  final result = await FlutterShield.checkRootedJailbroken();
  
  if (result.isVulnerable) {
    // Show warning to user
    showDialog(
      context: context,
      builder: (context) => AlertDialog(
        title: Text('Security Warning'),
        content: Text(result.message),
        actions: [
          TextButton(
            onPressed: () => Navigator.pop(context),
            child: Text('OK'),
          ),
        ],
      ),
    );
  }
}

Conditional Features #

Enable/disable features based on security status:

Future<bool> shouldEnableSensitiveFeature() async {
  final rootCheck = await FlutterShield.checkRootedJailbroken();
  final debugCheck = await FlutterShield.checkDebuggable();
  
  // Disable sensitive features on compromised devices
  if (rootCheck.isVulnerable || debugCheck.isVulnerable) {
    return false;
  }
  
  return true;
}

API Reference #

FlutterShield Class #

All methods are static and return Future<SecurityCheckResult> or Future<SecurityReport>.

Device Integrity

checkRootedJailbroken() - Detect rooted/jailbroken devices
checkDebuggable() - Check if app is debuggable
checkUsbDebugging() - Check USB debugging status (Android)
checkEmulator() - Detect emulator/simulator
checkMalware() - Basic malware detection

Storage Security

checkLocalStorage() - Check local storage security
checkPlaintextData() - Detect plaintext data storage
checkKeychainKeystore() - Validate keychain/keystore usage
checkFilePermissions() - Check file permission security
checkExternalStorage() - Check external storage usage
checkBackupEnabled() - Check backup configuration

Authentication

checkBiometricHandling() - Validate biometric implementation
checkBiometricBypass() - Check for biometric bypass
checkScreenLock() - Verify screen lock is enabled

UI Security

checkScreenshotRestriction() - Check screenshot prevention
checkScreenRecording() - Check screen recording prevention
checkClipboard() - Check clipboard security
checkOverlayAttack() - Detect overlay vulnerabilities
checkBackgroundDataExposure() - Check background data security
checkRecentApps() - Check recent apps exposure

Communication

checkIPC() - Check IPC security
checkIntentHijacking() - Check intent security (Android)
checkBroadcastReceiver() - Check broadcast receiver exposure (Android)
checkDeepLink() - Validate deep link security

WebView

checkWebViewDebugging() - Check WebView debugging
checkWebViewJavaScript() - Check WebView JavaScript security

Permissions & Runtime

checkRuntimePermissions() - Validate runtime permissions
checkAutofill() - Check autofill security
checkSensorAbuse() - Check sensor usage security

Other

checkDeviceTime() - Check device time trust
checkSideChannel() - Check side-channel vulnerabilities

SecurityCheckResult #

class SecurityCheckResult {
  final VulnerabilityType type;
  final bool isVulnerable;
  final String message;
  final Map<String, dynamic>? details;
}

SecurityReport #

class SecurityReport {
  final List<SecurityCheckResult> results;
  final DateTime timestamp;
  final int totalChecks;
  final int vulnerabilitiesFound;
  
  bool get isSecure;
  List<SecurityCheckResult> get vulnerabilities;
}

Best Practices #

Run security checks at app startup
Block sensitive features on compromised devices
Log security events for monitoring
Educate users about security risks
Regularly update the package for new threat detection

Limitations #

Some checks require app-specific implementation:

Keychain/Keystore validation needs your encryption logic
WebView checks require runtime WebView inspection
Some checks provide guidance rather than automated detection

Platform Differences #

USB Debugging: Android only
Intent Hijacking: Android only
Broadcast Receivers: Android only
External Storage: Android only (iOS uses sandboxed storage)
Jailbreak Detection: More reliable on iOS
Root Detection: More reliable on Android

Contributing #

Contributions are welcome! Please feel free to submit a Pull Request.

License #

This project is licensed under the MIT License - see the LICENSE file for details.

Security Disclosure #

If you discover a security vulnerability, please email [email protected]

Disclaimer #

This package provides security checks and detection mechanisms, but should not be the only security measure in your application. Always follow secure coding practices and implement defense-in-depth strategies.

flutter_shield 1.1.3 flutter_shield: ^1.1.3 copied to clipboard

Metadata