vgv-static-security


Security

Flutter apps compile all Dart code into a binary that ships to, and runs on, untrusted devices. This skill covers static security review for Flutter/Dart codebases, anchored to the VGV Security in Mobile Apps guide and the OWASP Mobile Top 10. Every finding in this skill is detectable by reading source code; no pen-testing or runtime analysis is required.

Core Standards

Apply these standards to ALL Flutter security work:

  • Never hardcode secrets — API keys, tokens, and passwords in source code or config files are compiled into the binary and extractable via reverse engineering; serve them from a backend service
  • Use package:flutter_secure_storage for sensitive on-device data — SharedPreferences is plaintext and unencrypted; never store tokens, PII, or session data there
  • All network calls over HTTPS — plain HTTP transmits data in cleartext; never disable certificate validation (the only exception is during development with a local test server)
  • Use Random.secure() for security-sensitive randomness — dart:math's default Random() is a pseudo-random number generator, not cryptographically secure
  • Use established crypto packages — never implement custom cryptography; use package:crypto or package:dart_crypt
  • Enforce auth in the repository/data layer, not only in widgets — widget-only checks are UI gating that anyone with access to the device can bypass, and the backend must still authorize every request regardless of what the client enforces
  • No sensitive data in logs — print(), log(), and debugPrint() output is readable on-device and in crash reporting tools
  • Keep dependencies free of known vulnerabilities — never suppress security advisories without documented justification; scan pubspec.lock with osv-scanner before every release
  • Set android:allowBackup="false" — the Android default is true, which lets adb backup (and Auto Backup) copy app data off the device, including the files written by package:flutter_secure_storage

Secrets & API Keys

Installs: 2
GitHub Stars: 110
First Seen: Apr 18, 2026