App Security
1. Secure API Communication
Always use HTTPS (SSL/TLS) for all communication between your app and the server to ensure data is encrypted.
2. Hide WooCommerce Prefixes (for WooCommerce only)
An attacker could search the encrypted file for the ck_ or cs_ prefix to find your app API key.

To prevent attackers from finding your API keys, remove the ck_ and cs_ prefixes.
In FluxBuilder: Update your WooCommerce API key settings here.

3. Use Firebase Remote Config
Instead of setting configurations in the app code (env.dart file), you can use the Firebase Remote Config feature to store your configuration and load it remotely each time the application is opened.
Refer to more details here 👉 Firebase Remote Config guide
For example, you can remove the WooCommerce API keys by following these steps:
Enable Firebase Remote Config and upload your settings to Firebase https://docs.fluxbuilder.com/firebase-remote-config
Export your env.dart and config json file https://docs.fluxbuilder.com/import-export-and-other
Open your env.dart, remove the WooCommerce API key and save it again.
Before submitting a new build on FluxBuilder, upload your env.dart and config json file manually here
Submit a new build and then check the app again.
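A release check for sections 2 and 3 above, as an added example (not FluxBuilder's own tooling): this Python script scans every file inside a built APK for strings shaped like WooCommerce keys and, optionally, for known key values stored without the prefix. The key shape (ck_ or cs_ plus 40 hex characters), the function names and the sample archive are assumptions made for illustration.

```python
import io
import re
import sys
import zipfile

# Assumed key shape: "ck_" / "cs_" followed by 40 hex characters.
WC_KEY = re.compile(rb"c[ks]_[0-9a-f]{40}(?![0-9a-f])")


def scan_bytes(data, known_secrets=()):
    """Return redacted findings: prefixed keys, plus any known secret values
    (e.g. keys stored with the prefix already stripped) still present."""
    hits = {m.group()[:7].decode() + "..." for m in WC_KEY.finditer(data)}
    for secret in known_secrets:
        if secret.encode() in data:
            hits.add(secret[:4] + "... (known secret)")
    return sorted(hits)


def scan_apk(apk, known_secrets=()):
    """Scan every entry of an APK (a zip archive). apk: path or file object."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hits = scan_bytes(zf.read(info), known_secrets)
                if hits:
                    findings[info.filename] = hits
    return findings


def constructed_apk(embedded_text):
    """Build a tiny in-memory stand-in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/arm64-v8a/libapp.so",
                    b"\x7fELF\x00" + embedded_text.encode() + b"\x00")
        zf.writestr("assets/flutter_assets/AssetManifest.json", "{}")
    buf.seek(0)
    return buf


SAMPLE_CK = "ck_" + "a1b2" * 10  # constructed, not a real key

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_apk(SAMPLE_CK)
    result = scan_apk(target, known_secrets=sys.argv[2:])
    for name, hits in result.items():
        print(f"{name}: {', '.join(hits)}")
    sys.exit(1 if result else 0)
```

Run it with the path to your release APK as the first argument; a non-zero exit status means a key is still embedded in the build.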
4. Obfuscating Dart code
Code obfuscation is the process of modifying an app’s binary to make it harder for humans to understand. Obfuscation hides function and class names in your compiled Dart code, making it difficult for an attacker to reverse engineer your proprietary app.
However, obfuscation is NOT a security feature, and it does not make an app fully secure. It is recommended for production builds; leaving it off during development keeps debugging manageable.
flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory>
For more details, refer to https://flutter.dev/docs/deployment/obfuscate
However, FluxBuilder does not yet support building the app with code obfuscation. We have noted this option as a future improvement.
5. Store your KeyStore securely
Please store your KeyStore file and key password securely. They are used to sign your application. Anyone who has your key can re-sign a modified application and distribute it as if it came from you.
Additionally, this key is also used to upload your app to the Google Play Console. If you lose the key, you will need to submit a request to reset the upload key on the Google Play Console.
Have no KeyStore now? 👉 Refer to this guide.