I’m looking to implement checksum-based protection to prevent code tampering in my Flutter app. Is there any Flutter plugin available for this, or should I implement it natively (Android and iOS)? What is the best approach to implement checksum verification to ensure the integrity of my app?
Any suggestions or examples would be greatly appreciated!
From what I understand, the main concern is reverse engineering or decompiling the app, which could allow someone to modify the code or resources. If the app is tampered with, the checksum of the app’s code or assets would change. I want to implement a mechanism to verify this checksum at runtime to detect if the app’s code has been altered, ensuring its integrity and protecting it from unauthorized modifications.
That would require you to read the binary of the installed app, I think, which I’m not sure Android or iOS allow.
Furthermore, at least if you distribute via the app stores, you should be pretty safe from this.
What would be the scenario where this could become a problem?
Even with distribution outside the market, reading the executable is not secure as it can be swapped. The byte loader (and launcher from verified bytes) should check the integrity, and I doubt anyone outside a large team can write such a tool.
Thanks for the insights! From what I understand, checksum verification doesn’t require reading the binary directly. Tools like app_integrity_checker seem to calculate a checksum during the build process and embed it into the app. At runtime, the app re-computes the checksum and compares it with the embedded reference to detect tampering.
The scenario I’m concerned about is when an app is extracted, modified, and redistributed (especially outside official app stores). Even for store-distributed apps, such tampering could still happen in rare cases.
Regarding the executable swapping concern, I agree it’s a challenge, but the checksum approach often focuses on specific files or assets that are more likely to be modified.
If someone is capable of performing other mods to your code, they are more than capable of disabling your checksum checking.
This is exactly how software has been pirated since the ’70s.
app_integrity_checker relies on IOSSecuritySuite, mostly for detection of tooling used to tamper with memory and I/O at runtime.
The rest is hash and signature validation.
More than security, what Dart apps really miss is a signed library outside, so what could be done is making a hash that contains a print of the app bytes and part of the key. When the app loads, it checks the coherence of the executable and the resulting hash.
Modifying the app requires being able to also regenerate the validation file, thus having access to the private key.
I’m not aware of such solution in dart but I’m not an expert.
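The two schemes discussed in this thread side by side, as an added example that is not from the original posts or from app_integrity_checker: an unkeyed embedded checksum, which whoever edits the files can simply recompute, versus a signature made at build time over a digest of the app files and checked at launch with only the public key embedded. The file names and contents are constructed stand-ins; Ed25519 is used here for the signature, which is the example's choice, not the thread's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Constructed stand-in for the files a build would cover (compiled Dart, assets).
var sampleApp = map[string][]byte{
	"lib/main.dart.snapshot": []byte("compiled dart code (constructed)"),
	"assets/config.json":     []byte(`{"apiBase":"https://example.invalid"}`),
}

// manifestDigest hashes names, lengths and contents in sorted order (deterministic).
func manifestDigest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00", n, len(files[n])) // name and length prefix
		h.Write(files[n])
	}
	return h.Sum(nil)
}
// SignManifest is the build-time step; only the signing machine holds priv.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) []byte {
	return ed25519.Sign(priv, manifestDigest(files))
}
// VerifyManifest is the launch-time step; the app embeds only pub.
func VerifyManifest(pub ed25519.PublicKey, files map[string][]byte, sig []byte) bool {
	return ed25519.Verify(pub, manifestDigest(files), sig)
}
// PlainChecksumPasses models an unkeyed embedded hash: whoever edits the files can re-embed it too.
func PlainChecksumPasses(files map[string][]byte, embedded []byte) bool {
	return string(manifestDigest(files)) == string(embedded)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := SignManifest(priv, sampleApp)
	modified := map[string][]byte{"lib/main.dart.snapshot": sampleApp["lib/main.dart.snapshot"],
		"assets/config.json": []byte(`{"apiBase":"https://modified.invalid"}`)}
	fmt.Println(VerifyManifest(pub, sampleApp, sig), PlainChecksumPasses(modified, manifestDigest(modified)),
		VerifyManifest(pub, modified, sig)) // true true false
}
```

The signature check only holds up while the code doing the check and the embedded public key are themselves intact, which is the point made earlier in the thread about the check being disabled by anyone able to modify the app.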
It doesn’t; the app can just load the signature produced by the tool holding the private key, applied to the distributed app. That’s what app markets are doing, but they have a ‘loader’ to do the signature validation.
There is no single-bullet solution. Platform APIs can be hooked, and internal hardcoded constants can be found and replaced. What part of the app do you need to protect? You can apply obfuscations on the C/C++ written parts of the code that keep the most valuable parts of your solution, + white box cryptography may help you a little bit. These solutions are tough to integrate, though. A standard Swiss army knife of security is RASP shielding (e.g. check freeRASP to start with).
This brings me back to the obvious answer: if the code is so critical that you are concerned about tampering, move it to your server, and expose either an RPC or a REST API to access it.