The popularity of the Flutter mobile application framework has surged in recent years, thanks to its versatility and ease of use. However, because Flutter is still relatively new, accessibility issues frequently arise in applications created with it. Consequently, developers have resorted to hardcoding sensitive information, such as keys and secret credentials, directly into their applications. Unfortunately, this practice poses significant security risks, especially with the emergence of new reverse engineering tools that can compromise supposedly secure data.
One such tool is B(l)utter, designed specifically for reverse engineering Flutter applications. With B(l)utter, developers can extract metadata and analyze compiled code, revealing symbols represented through a combination of pseudo code and assembly instructions. Leveraging this tool, I conducted a statistical analysis of 100 Flutter applications and made alarming discoveries. Among them, seven applications contained hardcoded information, potentially exposing them to exploitation. Shockingly, one of these apps included a private cryptographic key belonging to a widely used application boasting over 5 million users.
These vulnerabilities have serious ramifications since they may provide unauthorized access to private information or services.
In this session, I aim to demonstrate the methodology behind my research. We will delve into the process of gathering Flutter applications, utilizing the B(l)utter tool, and analyzing the decompiled data. Furthermore, I will provide detailed insights into my findings, including developmental stage information, exposed cryptographic keys, access tokens, and API keys. Developers and other stakeholders must be aware of the dangers that hardcoded credentials bring, and they must act quickly to fix these vulnerabilities.
