How to reduce the possibility/completely prevent the possibility of reverse engineering a flutter app?

Question

I recently read a couple of blogs and realized that apart from obsufication there is no proper way by which we can prevent the reverse engineering of a Flutter app.

Is there any manual or proper way to ensure that atleast the encryption logic of storing certain encrypted values in Sharedpreferences remains untraceable or impossible to decode/know?

It would be great if there could be some way to make the entire logic of the app untraceable.

No that's not possible. You can only make it more difficult but not impossible. Instead, I highly suggest you don't store sensitive information in your app/app data — Zun, Dec 10 '19 at 08:38
I thought that Sharedpreferences would be a safe place to store the information...Provided the phone isn't rooted — Father-in-law of Stackoverflow, Dec 10 '19 at 08:47
here are some ways to obfuscate https://stackoverflow.com/questions/50542764/how-to-obfuscate-flutter-apps — Panduranga Rao Sadhu, Dec 10 '19 at 08:48
Why do you not use common encryption algorithms and generate keys in ways it is currently being done? — creativecreatorormaybenot, Dec 10 '19 at 08:49
@creativecreatorormaybenot What if the client is able to access or decode or know the logic which is being used in for encryption? Can a phone be rooted while it's on? Is there any way to access sharedpreferences without root? — Father-in-law of Stackoverflow, Dec 10 '19 at 09:07
Any sensitive operations should only be done at the server end. App is meant to contain only UI code. In your case you can still run your complex sensitive operations in the backend and continuously stream the data to the frontend. Doing massive amount of activity on the app might not be good for the battery life as well — Panduranga Rao Sadhu, Dec 10 '19 at 11:23

score 0 · Accepted Answer · answered Dec 10 '19 at 09:04

0

I would recommend having the logic behind the app residing on a back-end server then push the results into the client app.

I have my application doing the calculations on cloud functions with a database trigger then push the result into the database where i have the client listening for the changes. Even my payments processing is done from the server.

answered Dec 10 '19 at 09:04

David Innocent

606
5
16

Is there any way the client can listen to or track the network calls being made through his phone? – Father-in-law of Stackoverflow Dec 10 '19 at 09:15
what do you mean by network calls? – David Innocent Dec 10 '19 at 09:17
The HTTP requests that are made from that client's device, the results perhaps... – Father-in-law of Stackoverflow Dec 10 '19 at 09:24
A client can do anything you want it to do @Father-in-lawofStackoverflow... your biggest problem will be how it operates with the data. For me what i advocate for is, just store insensitive data offline. Sensitive data should never reside on the device. – David Innocent Dec 10 '19 at 09:24
For me using FIrebase is a little bit safer because am putting my trust in a well researched service. I don't think i can create a better client-server service like the way google have. So i just don't reinvent the wheel... – David Innocent Dec 10 '19 at 09:26
I just want to store the encrypted data as long as the app is active (in background too). Can the client know what what is the original value once it's decrypted for use? – Father-in-law of Stackoverflow Dec 10 '19 at 09:30
Even I'm using firebase but I need a specific sensitive value for an operation to constantly be performed until the client wishes to stop the operation. – Father-in-law of Stackoverflow Dec 10 '19 at 09:44

How to reduce the possibility/completely prevent the possibility of reverse engineering a flutter app?

1 Answers1