January 29, 2021
Mobile security is one of the core pillars of any mobile app build. With more people than ever using smartphones for a wide range of services, and cyber threats becoming increasingly sophisticated, it’s important to consider key aspects of security during your build, including authentication, data leakage and passwordless options.
In this blog, we focus on what to consider when building apps with Flutter, and on the probability of a passwordless future. The principles stand regardless of the framework you’re using.
Flutter is a popular cross-platform framework for developers, and at Sush Labs we use it regularly to build apps for iOS, Android and web. The development framework is known for its functionality, efficiency, and range of security plugins and protocols. This includes features that ensure your app has robust authentication and protects against cyber attacks and data loss.
Flutter provides developers with official authentication plugins. For instance, you can integrate a sign-in plugin to ensure the app user is a genuine user. Some plugin options ask the user to set a specific password for the app, while others let them sign in via their Google account. There are also more advanced options that utilise biometrics such as Touch ID or Face ID. An app development company specialising in Flutter can further personalise the authentication plugin for your particular use case.
A mobile app can provide access to the user’s IDs, passwords, PINs, financial details and more, so an app with weak security carries a significant risk of leaking sensitive data. To combat this, Flutter provides a secure data storage plugin for the leading operating systems - NSUserDefaults for iOS and SharedPreferences for Android. Despite this, users are advised to avoid storing data such as passwords and PINs on their phone, and to set up a time to automatically clear an expired data cache to minimise the risk of data leakage.
To protect against session ID attacks by unauthorised users, Flutter integrates TouchID for iOS and FP Sensor for Android apps. Furthermore, to protect against code injection, Flutter plugins come with the required permissions already baked into the plugin code. Code injection is in fact one of the most common attacks by hackers. This is where the assailant accesses the database of the app and inserts unauthorised code into the existing code, which can then cause issues such as data loss or corruption, a takeover of the app or denial of access. With Flutter, if you are integrating officially approved plugins you should be safe against this type of attack. However, it is still advised to employ the services of a mobile app development company to ensure the security of your app is robust and hacker-proof.
The FIDO Alliance is becoming a common name in the conversation around digital security. It is an organisation focused on creating standards for security and encouraging a decentralised, privacy-by-design structure. This is the type of system that removes passwords and puts the power back in the hands of the user.
The idea is that the user’s passwords and PINs are no longer stored centrally by a company, but on their own devices. This means the user themselves has a private key and can choose who has access to this information, and how they want to authenticate themselves - for instance whether they have a facial scan or fingerprint reader such as FaceID or TouchID.
When it comes to implementing FIDO for your own mobile or web app, you can implement biometrics or a U2F security key. As promised by the FIDO Alliance, the FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. As a result, this mode of authentication removes the risk of phishing, man-in-the-middle attacks, password theft and replay attacks.
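The properties listed above (a separate key per site, a private key that stays on the device, only a public key on the server) can be seen in a simplified model of the login exchange. This is an added example, not code from the original post or from the FIDO Alliance, and it does not implement the WebAuthn wire format; the `Authenticator` and `RelyingParty` classes, the origins and the user name are hypothetical.

```javascript
// Added example: simplified model of a FIDO2-style login (not the WebAuthn wire format).
const nodeCrypto = require('node:crypto');

class Authenticator {                       // hypothetical stand-in for the user's device
  constructor() { this.keys = new Map(); }  // origin -> private key, never exported
  register(origin) {                        // a fresh key pair for every site
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  getAssertion(origin, challenge) {         // signs the challenge bound to the visited origin
    const key = this.keys.get(origin);
    if (!key) return null;                  // no credential was ever created for this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), key) };
  }
}
class RelyingParty {                        // hypothetical server: holds public keys only
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);            // each challenge is valid for one login only
    return challenge;
  }
  verify(user, assertion) {
    if (!assertion || !this.publicKeys.has(user)) return 'no-credential';
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return 'wrong-origin';              // relayed from another site
    if (!this.pending.delete(challenge)) return 'stale-challenge';  // replayed or unknown
    const valid = nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
      this.publicKeys.get(user), assertion.signature);
    return valid ? 'ok' : 'bad-signature';
  }
}
function demo() {                           // constructed origins and user name
  const device = new Authenticator();
  const site = new RelyingParty('https://app.example');
  site.enroll('alice', device.register(site.origin));
  const login = device.getAssertion(site.origin, site.newChallenge());
  const first = site.verify('alice', login);
  const replay = site.verify('alice', login);                       // same assertion again
  const lookalike = 'https://app-login.example';
  const unknownSite = device.getAssertion(lookalike, site.newChallenge()) === null;
  device.register(lookalike);               // even if the user enrols on the look-alike...
  const relayed = site.verify('alice', device.getAssertion(lookalike, site.newChallenge()));
  return { first, replay, unknownSite, relayed };
}
console.log(demo());
```

The server never holds anything that could be used to log in elsewhere: a breach of `publicKeys` exposes public keys only, and an assertion captured in transit is rejected once its challenge has been consumed.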
Analysts and researchers in the field of authentication and security state that users are hesitant to explore new modes of protection. However, national and global trends point to the fact that passwords will eventually be obsolete - they can be cracked, are stored on one central server and are easy to forget. In the near future, users will increasingly use sensor-based technology tools as developers implement more machine learning, biometrics, geolocation and other intelligence layers for more failsafe authentication and overall greater security.
When it comes to security, specialised developers have an understanding of what best suits your app build - be it biometrics or Flutter plugins - and know how best to integrate this so the user experience is front and centre alongside robust security. Your development partner will have an understanding of the process and be able to deliver an app to your specifications, while also ensuring a seamless user experience.