The nature of Flutter apps - combining your Dart code with the integrated Flutter engine - can make the task of reverse engineering more difficult for adversaries. But the risk still exists - an attacker simply needs the right experience to succeed.
DexProtector guards against reverse engineering through both static analysis and dynamic instrumentation. It uses code hardening techniques like encryption and obfuscation to stop decompilation and modification. Its RASP checks detect jailbroken devices, emulators, and hooking frameworks like Frida - all of which can be used at runtime to carry out dynamic instrumentation. If DexProtector detects any of these tools, it won’t allow the app to start.
Since Dart uses standard platform APIs for network connectivity, Flutter apps are no more protected than native apps against man-in-the-middle attacks.
DexProtector uses a combination of SSL Pinning and Certificate Transparency checks to secure communications between your app and remote endpoints. It makes sure that communications from your app end up only at the genuine server - not at a malicious one a bad actor has set up.
Supply chain attacks
Flutter apps tend to get their libraries and dependencies from pub.dev, a repository of Dart and Flutter packages. Because you only need a Google account to publish there, anyone with bad intentions could upload a malicious package that might later end up in your application.
AppCare is an innovative tool that comes with DexProtector Studio. You can use it to scan your application for existing, known vulnerabilities in libraries and dependencies. That way you can be sure that there’s no rogue code that can cause problems further down the line.