Flutter Security Analyser

HKafuiEPI

Detect security vulnerabilities in Flutter projects based on OWASP MASVS standards

🛡️ Automated security vulnerability detection for Flutter applications based on OWASP MASVS standards

Flutter Security Analyser is a VS Code extension that automatically detects security vulnerabilities in your Flutter projects. It analyzes your Dart code, native configurations, and dependencies in real time, identifying common security issues across 7 OWASP MASVS categories with 46+ security rules.

✨ Features

🔍 Automatic Flutter Project Detection

  • Activates only when a Flutter project is detected (pubspec.yaml with Flutter SDK)
  • Supports multi-platform Flutter projects (Android, iOS, Web, Desktop)
  • Works seamlessly with Flutter workspaces

🔐 Comprehensive Security Analysis

Analyzes 7 OWASP MASVS Categories with 46+ Security Rules:

🔴 MASVS-STORAGE (Storage & Secrets) - 16 rules

  • Hardcoded Secrets: Detects API keys, tokens, passwords, private keys, encryption keys
  • Insecure Storage: Identifies unencrypted SharedPreferences, file writes, JWT storage
  • Sensitive Data Logging: Finds passwords, tokens, API keys in print/log statements
  • Security TODOs: Highlights unresolved security-related comments

🔵 MASVS-NETWORK (Network Security) - 8 rules

  • HTTP Cleartext Traffic: Detects HTTP instead of HTTPS connections
  • Missing Certificate Pinning: Identifies HTTP clients without SSL pinning
  • Disabled Certificate Validation: Finds badCertificateCallback bypasses
  • Insecure WebSockets: Detects ws:// instead of wss://
  • WebView Mixed Content: Identifies HTTP loads in HTTPS WebViews
  • Native Config Issues: Analyzes AndroidManifest.xml and Info.plist for cleartext traffic

🟣 MASVS-CRYPTO (Cryptography) - 7 rules

  • Weak Hashing: Detects MD5, SHA1 usage (recommends SHA-256+)
  • Hardcoded Encryption Keys: Finds encryption keys in source code
  • Weak Random: Identifies non-secure Random() for cryptographic operations
  • ECB Mode: Detects insecure Electronic Codebook cipher mode
  • Weak Ciphers: Finds DES, 3DES, RC4, Blowfish usage
  • Missing IV: Detects encryption without Initialization Vector
  • Weak Key Derivation: Identifies PBKDF2 with insufficient iterations

🟢 MASVS-AUTH (Authentication) - 4 rules

  • Weak Session Management: Detects session tokens without expiration
  • Missing Biometric Auth: Recommends biometric authentication for sensitive apps
  • OAuth without PKCE: Identifies OAuth flows missing Proof Key for Code Exchange
  • JWT Without Verification: Finds JWT decode without signature verification

🟡 MASVS-CODE (Input Validation & Injection) - 8 rules

  • SQL Injection: Detects SQL queries with string interpolation
  • Missing Input Validation: Identifies TextFields without validators
  • Path Traversal: Finds file paths constructed from user input
  • WebView XSS: Detects unsanitized HTML/JS content in WebViews
  • Command Injection: Identifies Process.run() with unsanitized user input
  • Unvalidated URL Redirects: Finds navigation with user-controlled URLs
  • ReDoS Risk: Detects complex regexes vulnerable to DoS attacks
  • Unsafe Deserialization: Identifies JSON decode without error handling

🟠 MASVS-PLATFORM (Platform Integration) - 5 rules

  • Unsafe Image Picker: Detects image picker paths used without validation
  • File Selector Issues: Identifies file picker paths without sanitization
  • URL Launcher Without Validation: Finds launch() without scheme validation
  • Excessive Android Permissions: Analyzes AndroidManifest.xml for unnecessary permissions
  • iOS Privacy Permissions: Checks Info.plist for privacy-sensitive permissions

⚫ MASVS-RESILIENCE (App Hardening) - 3 rules

  • Missing Device Check: Recommends root/jailbreak detection packages
  • Android Debuggable: Detects debuggable flag in production builds
  • Insecure Backup: Identifies backup enabled without encryption rules

🛠️ Quick Fixes (Auto-Remediation)

  • Automatic Fixes: One-click solutions for common violations
    • Convert SharedPreferences → FlutterSecureStorage with imports
    • Replace http:// → https://
    • Change Random() → Random.secure()
    • Replace weak hashes: MD5/SHA1 → SHA-256
    • Remove or comment out sensitive log statements
    • Add input validators to TextFields
    • Convert ws:// → wss:// for WebSockets
  • Ignore Options: Suppress specific rules or violations
    • // security-ignore-line (inline)
    • // security-ignore: RULE-ID (next line)
    • Global ignore via settings

🎨 Custom Security Rules (YAML DSL)

  • YAML Configuration: Define custom rules without coding
  • Flexible Patterns: Multiple regex patterns per rule
  • Custom Severity: Set critical, major, warning, or info
  • MASVS Mapping: Align with OWASP categories
  • Hot Reload: Reload rules without restarting VS Code
  • Template Provided: security_rules.yaml with examples

🔍 Native Configuration Analysis

  • Android: Analyzes AndroidManifest.xml for:
    • Cleartext traffic enabled
    • Debuggable flag in production
    • Insecure backup configuration
    • Excessive permissions (CAMERA, LOCATION, etc.)
  • iOS: Analyzes Info.plist for:
    • App Transport Security disabled
    • Privacy-sensitive permission requests
    • NSAllowsArbitraryLoads violations
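The native configuration checks described above, as an added JavaScript example that is not the extension's own code: it runs regex-based approximations of those checks (an assumption, not the extension's parser) over constructed AndroidManifest.xml and Info.plist fragments and reports the README's rule IDs.

```javascript
// Added example, not the extension's own code: checks of the kind the native
// configuration analysis above describes, run over constructed
// AndroidManifest.xml and Info.plist fragments. Rule IDs are the README's;
// matching is a regex approximation (assumption), not a full XML parse.
const SENSITIVE_PERMISSIONS = ["CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "RECORD_AUDIO"];

function checkAndroidManifest(xml) {
  const findings = [];
  // The flags of interest live on the <application> element; take its opening tag.
  const app = /<application\b[^>]*>/.exec(xml);
  const attrs = app ? app[0] : "";
  if (/android:usesCleartextTraffic\s*=\s*"true"/.test(attrs))
    findings.push({ ruleId: "NETWORK-6-ANDROID-CLEARTEXT", severity: "critical" });
  if (/android:debuggable\s*=\s*"true"/.test(attrs))
    findings.push({ ruleId: "ANDROID-1-DEBUGGABLE", severity: "critical" });
  // Backup enabled with no backup rules (fullBackupContent / dataExtractionRules).
  if (/android:allowBackup\s*=\s*"true"/.test(attrs) &&
      !/android:(fullBackupContent|dataExtractionRules)\s*=/.test(attrs))
    findings.push({ ruleId: "ANDROID-2-INSECURE-BACKUP", severity: "major" });
  const requested = [...xml.matchAll(
    /<uses-permission\b[^>]*android:name\s*=\s*"android\.permission\.([A-Z_]+)"/g,
  )].map((m) => m[1]);
  const excessive = requested.filter((p) => SENSITIVE_PERMISSIONS.includes(p));
  if (excessive.length > 0)
    findings.push({ ruleId: "ANDROID-3-EXCESSIVE-PERMISSIONS", severity: "warning",
                    permissions: excessive });
  return findings;
}

function checkInfoPlist(plist) {
  const findings = [];
  // ATS disabled: the key is immediately followed by <true/>.
  if (/<key>NSAllowsArbitraryLoads<\/key>\s*<true\s*\/>/.test(plist))
    findings.push({ ruleId: "NETWORK-7-IOS-ATS-DISABLED", severity: "critical" });
  const privacyKeys = [...plist.matchAll(/<key>(NS\w+UsageDescription)<\/key>/g)]
    .map((m) => m[1]);
  if (privacyKeys.length > 0)
    findings.push({ ruleId: "IOS-1-PRIVACY-PERMISSIONS", severity: "warning",
                    keys: privacyKeys });
  return findings;
}

// Constructed fragments with every issue present.
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="demo"
      android:usesCleartextTraffic="true"
      android:debuggable="true"
      android:allowBackup="true">
  </application>
</manifest>`;
const samplePlist = `<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>NSCameraUsageDescription</key><string>Scans QR codes</string>
</dict></plist>`;
```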

📊 Real-time Diagnostics

  • Violations displayed in VS Code's Problems panel
  • Color-coded severity levels (Error, Warning, Info)
  • Detailed descriptions with OWASP MASVS references
  • Suggested fixes for each violation
  • Status bar integration showing issue counts

⚡ Smart Analysis

  • Auto-analyze on save: Instant feedback as you write code
  • Debounced file watching: Optimized performance
  • Incremental analysis: Only analyzes changed files
  • Configurable file limits: Prevents performance issues on large projects

📦 Installation

  1. Open VS Code
  2. Go to Extensions (Ctrl+Shift+X / Cmd+Shift+X)
  3. Search for "Flutter Security Analyser"
  4. Click Install

Or install from VSIX:

code --install-extension flutter-security-analyser-0.0.1.vsix

🚀 Usage

Automatic Analysis

The extension automatically activates when you open a Flutter project and analyzes:

  • All .dart files on workspace load
  • Files as you edit and save them
  • pubspec.yaml for missing security packages

Manual Commands

Access via Command Palette (Ctrl+Shift+P / Cmd+Shift+P):

  • Flutter Security: Analyze Workspace - Scan all Dart files and native configs in the workspace
  • Flutter Security: Analyze Current File - Analyze only the active file
  • Flutter Security: Clear All Diagnostics - Remove all security warnings
  • Flutter Security: Reload Custom Rules - Reload security_rules.yaml without restarting VS Code

Status Bar

The status bar shows:

  • 🛡️ No issues: Flutter Security: No issues
  • ⚠️ Issues found: Flutter Security: X issues (click to re-analyze)
  • 🔄 Analyzing: Analyzing... (during scan)

⚙️ Configuration

Configure via VS Code settings (File > Preferences > Settings):

{
  // Enable/disable the extension
  "flutterSecurityAnalyser.enabled": true,
  
  // Default severity level: "error" | "warning" | "info"
  "flutterSecurityAnalyser.severity": "warning",
  
  // Enforcement level: "inform" | "enforce" | "hardened"
  "flutterSecurityAnalyser.enforcementLevel": "inform",
  
  // Auto-analyze files on save
  "flutterSecurityAnalyser.autoAnalyze": true,
  
  // Maximum files to analyze (prevents performance issues)
  "flutterSecurityAnalyser.maxFilesToAnalyze": 1000,
  
  // Globally ignored rule IDs
  "flutterSecurityAnalyser.ignoredRules": [
    // Example: "CRYPTO-3-WEAK-RANDOM"
  ]
}

Custom Rules Configuration

Create a security_rules.yaml file in your workspace root, .vscode folder, or config folder:

version: "2.0.0"

rules:
  # Custom rule example
  - id: "CUSTOM-FIREBASE-CONFIG"
    category: "MASVS-STORAGE"
    name: "Hardcoded Firebase Configuration"
    description: "Firebase configuration keys detected in source code"
    severity: "critical"
    type: "hardcoded-secret"
    patterns:
      - "(?:apiKey|projectId|messagingSenderId)\\s*:\\s*['\"][^'\"]{20,}['\"]"
    message: "Hardcoded Firebase config detected. Use environment variables."
    fix: "Store Firebase config in .env file and use flutter_dotenv package"
    fileTypes:
      - ".dart"
    reference: "https://mas.owasp.org/MASVS/05-MASVS-STORAGE/"

Reload custom rules with: Flutter Security: Reload Custom Rules
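How a rule like the one above is applied, together with the ignore options from the Quick Fixes section, as an added JavaScript example that is not the extension's own code: the README's CUSTOM-FIREBASE-CONFIG rule is written as an object literal with the same fields as the YAML (so no YAML parser is needed), and the assumption that patterns are matched line by line is the example's, not the extension's.

```javascript
// Added example, not the extension's own code: a minimal rule engine that
// applies security_rules.yaml-style rules to Dart source and honours the
// README's ignore directives and ignoredRules setting. The rule is the README's
// CUSTOM-FIREBASE-CONFIG rule as an object literal (same fields as the YAML)
// so it runs without a YAML parser. Assumption: matching is line by line.
const rules = [
  {
    id: "CUSTOM-FIREBASE-CONFIG",
    category: "MASVS-STORAGE",
    severity: "critical",
    patterns: [
      String.raw`(?:apiKey|projectId|messagingSenderId)\s*:\s*['"][^'"]{20,}['"]`,
    ],
    message: "Hardcoded Firebase config detected. Use environment variables.",
    fileTypes: [".dart"],
  },
];
// One finding per rule per line. Suppression:
//   // security-ignore-line       -> every rule on that line
//   // security-ignore: RULE-ID   -> RULE-ID on the following line
//   ignoredRules (settings array) -> RULE-ID everywhere
function analyzeSource(fileName, source, ruleSet = rules, ignoredRules = []) {
  const ext = fileName.slice(fileName.lastIndexOf("."));
  const lines = source.split(/\r?\n/);
  const findings = [];
  let ignoredOnNextLine = new Set();
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const ignoredHere = ignoredOnNextLine;
    ignoredOnNextLine = new Set();
    const directive = /\/\/\s*security-ignore:\s*([A-Z0-9-]+)/.exec(line);
    if (directive) ignoredOnNextLine.add(directive[1]);
    if (/\/\/\s*security-ignore-line\b/.test(line)) continue;
    for (const rule of ruleSet) {
      if (!rule.fileTypes.includes(ext)) continue;
      if (ignoredRules.includes(rule.id) || ignoredHere.has(rule.id)) continue;
      for (const pattern of rule.patterns) {
        const m = new RegExp(pattern).exec(line);
        if (!m) continue;
        findings.push({ ruleId: rule.id, severity: rule.severity, line: i + 1,
                        column: m.index + 1, message: rule.message });
        break;
      }
    }
  }
  return findings;
}

// Constructed Dart snippet: line 2 is flagged, line 5 is suppressed by the
// next-line directive and line 6 by the inline directive.
const sampleDart = [
  "const firebaseConfig = {",
  "  apiKey: 'AIzaSyExampleExampleExampleExample123',",
  "  projectId: 'demo-project',",
  "  // security-ignore: CUSTOM-FIREBASE-CONFIG",
  "  messagingSenderId: '123456789012345678901234',",
  "  apiKey: 'AIzaSyAnotherExampleKeyValue0987654', // security-ignore-line",
  "};",
].join("\n");
```

Calling `analyzeSource("lib/firebase_options.dart", sampleDart)` returns a single finding on line 2; passing `["CUSTOM-FIREBASE-CONFIG"]` as the ignoredRules argument, or a non-.dart file name, returns none.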

Enforcement Levels (Future)

Level | Behavior
inform | Show warnings only (current v1.0)
enforce | Block builds with critical violations (v2.0)
hardened | Strict mode + audit logging (v3.0)

📋 Security Rules (46+ Rules)

1️⃣ MASVS-STORAGE (Storage & Secrets) - 16 Rules

Rule ID | Severity | Description | Quick Fix
MASVS-STORAGE-1-API-KEY | 🔴 Critical | Hardcoded API key detected | ✅ Manual
MASVS-STORAGE-1-SECRET | 🔴 Critical | Hardcoded secret token detected | ✅ Manual
MASVS-STORAGE-1-TOKEN | 🔴 Critical | Hardcoded authentication token | ✅ Manual
MASVS-STORAGE-1-PASSWORD | 🔴 Critical | Hardcoded password in code | ✅ Manual
MASVS-STORAGE-1-PRIVATE-KEY | 🔴 Critical | Private key in source code | ✅ Manual
MASVS-STORAGE-2-SHARED-PREFS | 🔴 Critical | Unencrypted SharedPreferences usage | ✅ Auto-Fix
MASVS-STORAGE-2-FILE-WRITE | 🟠 Major | Writing sensitive data to file | ❌ Manual
MASVS-STORAGE-3-LOG-TOKEN | 🟠 Major | Logging authentication tokens | ✅ Auto-Fix
MASVS-STORAGE-3-LOG-PASSWORD | 🔴 Critical | Logging passwords | ✅ Auto-Fix
MASVS-STORAGE-3-LOG-API-KEY | 🟠 Major | Logging API keys | ✅ Auto-Fix
MASVS-STORAGE-3-LOG-CREDENTIALS | 🔴 Critical | Logging user credentials | ✅ Auto-Fix
MASVS-STORAGE-4-PREFS-SENSITIVE | 🟡 Warning | Potentially sensitive data in preferences | ❌ Manual
MASVS-STORAGE-4-JWT-STORAGE | 🟠 Major | JWT token storage not secured | ❌ Manual
MASVS-STORAGE-5-TODO-SECURITY | ℹ️ Info | Security-related TODO comment | ❌ None

Pubspec.yaml Analysis:

  • MASVS-STORAGE-MISSING-SECURE-STORAGE | 🟠 Major | Missing flutter_secure_storage package

2️⃣ MASVS-NETWORK (Network Security) - 8 Rules

Rule ID | Severity | Description | Quick Fix
NETWORK-1-HTTP-CLEARTEXT | 🔴 Critical | HTTP connection instead of HTTPS | ✅ Auto-Fix
NETWORK-2-CERT-PINNING-MISSING | 🟠 Major | HTTP client without certificate pinning | ❌ Manual
NETWORK-3-BAD-CERT-CALLBACK | 🔴 Critical | Certificate validation disabled | ❌ Manual
NETWORK-4-WEBSOCKET-INSECURE | 🟠 Major | Insecure WebSocket (ws://) | ✅ Auto-Fix
NETWORK-5-WEBVIEW-MIXED-CONTENT | 🟡 Warning | WebView loading HTTP content | ❌ Manual
NETWORK-6-ANDROID-CLEARTEXT | 🔴 Critical | Android cleartext traffic enabled | ❌ Manual
NETWORK-7-IOS-ATS-DISABLED | 🔴 Critical | iOS App Transport Security disabled | ❌ Manual
NETWORK-8-API-ENDPOINT-HTTP | 🟠 Major | API endpoint using HTTP | ✅ Auto-Fix

3️⃣ MASVS-CRYPTO (Cryptography) - 7 Rules

Rule ID | Severity | Description | Quick Fix
CRYPTO-1-WEAK-HASH | 🔴 Critical | Weak hashing algorithm (MD5/SHA1) | ✅ Auto-Fix
CRYPTO-2-HARDCODED-KEY | 🔴 Critical | Hardcoded encryption key | ❌ Manual
CRYPTO-3-WEAK-RANDOM | 🟠 Major | Non-secure random number generator | ✅ Auto-Fix
CRYPTO-4-ECB-MODE | 🔴 Critical | ECB cipher mode (insecure) | ❌ Manual
CRYPTO-5-WEAK-CIPHER | 🔴 Critical | Weak cipher (DES/3DES/RC4/Blowfish) | ❌ Manual
CRYPTO-6-MISSING-IV | 🟠 Major | Encryption without initialization vector | ❌ Manual
CRYPTO-7-KEY-DERIVATION | 🟡 Warning | PBKDF2 with insufficient iterations | ❌ Manual

4️⃣ MASVS-AUTH (Authentication) - 4 Rules

Rule ID | Severity | Description | Quick Fix
AUTH-1-WEAK-SESSION | 🟠 Major | Session token without expiration | ❌ Manual
AUTH-2-BIOMETRIC-MISSING | 🟡 Warning | Login without biometric auth option | ❌ Manual
AUTH-3-OAUTH-PKCE-MISSING | 🟠 Major | OAuth without PKCE | ❌ Manual
AUTH-4-JWT-NO-VERIFY | 🔴 Critical | JWT decode without verification | ❌ Manual

5️⃣ MASVS-CODE (Input Validation & Injection) - 8 Rules

Rule ID | Severity | Description | Quick Fix
INPUT-1-SQL-INJECTION | 🔴 Critical | SQL query with string interpolation | ❌ Manual
INPUT-2-NO-VALIDATOR | 🟡 Warning | TextField without input validation | ✅ Auto-Fix
INPUT-3-PATH-TRAVERSAL | 🟠 Major | File path from user input (no validation) | ❌ Manual
INPUT-4-WEBVIEW-XSS | 🔴 Critical | WebView loading unsanitized HTML/JS | ❌ Manual
INPUT-5-COMMAND-INJECTION | 🔴 Critical | Process execution with user input | ❌ Manual
INPUT-6-URL-REDIRECT | 🟠 Major | Unvalidated URL redirect/navigation | ❌ Manual
INPUT-7-REGEX-DOS | 🟡 Warning | Complex regex (ReDoS risk) | ❌ Manual
INPUT-8-DESERIALIZATION | 🟡 Warning | JSON decode without error handling | ❌ Manual

6️⃣ MASVS-PLATFORM (Platform Integration) - 5 Rules

Rule ID | Severity | Description | Quick Fix
PLUGIN-1-IMAGE-PICKER-PATH | 🟠 Major | Image picker path without validation | ❌ Manual
PLUGIN-2-FILE-SELECTOR-UNSAFE | 🟠 Major | File selector path without validation | ❌ Manual
PLUGIN-3-URL-LAUNCHER-VALIDATE | 🟡 Warning | URL launcher without scheme validation | ❌ Manual
ANDROID-3-EXCESSIVE-PERMISSIONS | 🟡 Warning | Excessive Android permissions | ❌ Manual
IOS-1-PRIVACY-PERMISSIONS | 🟡 Warning | Privacy-sensitive iOS permissions | ❌ Manual

7️⃣ MASVS-RESILIENCE (App Hardening) - 3 Rules

Rule ID | Severity | Description | Quick Fix
MASVS-RESILIENCE-MISSING-DEVICE-CHECK | 🟡 Warning | No root/jailbreak detection package | ❌ Manual
ANDROID-1-DEBUGGABLE | 🔴 Critical | Android app is debuggable | ❌ Manual
ANDROID-2-INSECURE-BACKUP | 🟠 Major | Android backup without encryption | ❌ Manual

Coverage Statistics

Category | Rules | Coverage
MASVS-STORAGE | 16 | ✅ Complete
MASVS-NETWORK | 8 | ✅ Complete
MASVS-CRYPTO | 7 | ✅ Complete
MASVS-AUTH | 4 | ✅ Core
MASVS-CODE | 8 | ✅ Complete
MASVS-PLATFORM | 5 | ✅ Core
MASVS-RESILIENCE | 3 | ⚠️ Partial
Total | 51 | ~75% OWASP MASVS

📖 Examples

Storage Security

❌ Bad: Hardcoded API Key

class ApiService {
  final String apiKey = "sk_live_1234567890abcdefghijk";  // ⚠️ CRITICAL
}

✅ Good: Secure Storage

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

class ApiService {
  final storage = FlutterSecureStorage();
  
  Future<String?> getApiKey() async {
    return await storage.read(key: 'api_key');
  }
}

Network Security

❌ Bad: HTTP Cleartext

const apiUrl = "http://api.example.com/data";  // ⚠️ CRITICAL

✅ Good: HTTPS Only

const apiUrl = "https://api.example.com/data";  // ✓ SECURE

❌ Bad: Disabled Certificate Validation

HttpClient()
  ..badCertificateCallback = (cert, host, port) => true;  // ⚠️ CRITICAL

✅ Good: Certificate Pinning

import 'dart:io';
import 'package:flutter/services.dart' show rootBundle;

// Pin by trusting only the bundled server (or issuing CA) certificate instead
// of the platform root store: a chain ending in any other certificate fails
// the TLS handshake. The asset path is illustrative.
Future<HttpClient> pinnedClient() async {
  final pem = await rootBundle.load('assets/certs/api_example_com.pem');
  final context = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(
        pem.buffer.asUint8List(pem.offsetInBytes, pem.lengthInBytes));
  return HttpClient(context: context);  // ✓ SECURE - pinned trust anchor
}

Cryptography

❌ Bad: Weak Hashing

import 'package:crypto/crypto.dart';
final hash = md5.convert(data);  // ⚠️ CRITICAL - MD5 is weak

✅ Good: Strong Hashing

import 'package:crypto/crypto.dart';
final hash = sha256.convert(data);  // ✓ SECURE - SHA-256

❌ Bad: Non-Secure Random

import 'dart:math';

final random = Random();  // ⚠️ MAJOR - Not cryptographically secure
final key = random.nextInt(1000000);

✅ Good: Secure Random

import 'dart:math';

final random = Random.secure();  // ✓ SECURE
final key = random.nextInt(1000000);

Input Validation

❌ Bad: SQL Injection Risk

final result = await db.rawQuery(
  "SELECT * FROM users WHERE id = ${userId}"  // ⚠️ CRITICAL
);

✅ Good: Parameterized Query

final result = await db.rawQuery(
  "SELECT * FROM users WHERE id = ?",
  [userId]  // ✓ SECURE - Parameterized
);

❌ Bad: No Input Validation

TextField(
  controller: emailController,  // ⚠️ WARNING - No validation
)

✅ Good: With Validator

TextFormField(
  controller: emailController,
  validator: (value) {
    if (value?.isEmpty ?? true) return 'Required';
    if (!value!.contains('@')) return 'Invalid email';
    return null;
  },  // ✓ SECURE - Validated
)

🛣️ Roadmap

Version 1.0 ✅ (Released)

  • ✅ Automatic Flutter project detection
  • ✅ Real-time Dart file analysis
  • ✅ Pubspec.yaml analysis
  • ✅ MASVS-STORAGE rules (16 rules)
  • ✅ VS Code diagnostics integration
  • ✅ Status bar integration
  • ✅ Ignore comments support

Version 2.0 ✅ (Current - February 2026)

  • ✅ Quick Fixes: Auto-fix common violations (7 quick fixes)
    • ✅ Convert SharedPreferences → FlutterSecureStorage
    • ✅ Replace http:// → https://
    • ✅ Change Random() → Random.secure()
    • ✅ Replace weak hashes: MD5/SHA1 → SHA-256
    • ✅ Remove/comment sensitive log statements
    • ✅ Add TextField validators
    • ✅ Convert ws:// → wss://
  • ✅ MASVS-NETWORK Rules: 8 rules for network security
    • ✅ HTTP cleartext detection
    • ✅ Certificate validation bypasses
    • ✅ Missing SSL pinning warnings
    • ✅ WebSocket security
    • ✅ Native config analysis (Android/iOS)
  • ✅ MASVS-CRYPTO Rules: 7 cryptography rules
    • ✅ Weak hash detection (MD5, SHA1)
    • ✅ Hardcoded encryption keys
    • ✅ Weak random number generators
    • ✅ Insecure cipher modes (ECB)
    • ✅ Weak cipher algorithms
  • ✅ MASVS-AUTH Rules: 4 authentication rules
    • ✅ Session management issues
    • ✅ OAuth/JWT security
    • ✅ Biometric auth recommendations
  • ✅ MASVS-CODE Rules: 8 injection/validation rules
    • ✅ SQL injection detection
    • ✅ XSS in WebViews
    • ✅ Path traversal risks
    • ✅ Command injection
    • ✅ Input validation checks
  • ✅ MASVS-PLATFORM Rules: 5 platform-specific rules
    • ✅ Plugin security (image picker, file selector)
    • ✅ Permission analysis (Android/iOS)
  • ✅ Custom Rule Engine: YAML-based DSL
    • ✅ Define custom rules without coding
    • ✅ Hot reload support
    • ✅ Template with examples
  • ✅ Native Config Analysis
    • ✅ AndroidManifest.xml scanning
    • ✅ Info.plist scanning
    • ✅ Cleartext traffic detection
    • ✅ Permission analysis

Total Coverage: ~75% OWASP MASVS (51 rules across 7 categories)

Version 3.0 (Future)

  • 🔮 Build Blockers: Prevent insecure builds
    • Pre-commit hooks
    • CI/CD integration (GitHub Actions, GitLab CI)
    • Flutter task interception
  • 🔮 Advanced Analysis
    • AST-based Dart parsing (reduce false positives)
    • Data flow analysis
    • Control flow analysis
    • Taint checking
  • 🔮 Binary Analysis
    • APK scanning with apkanalyzer
    • IPA scanning with otool
    • Secrets in compiled artifacts
  • 🔮 Runtime Checks
    • Emulator/simulator detection
    • Root/jailbreak detection
    • Debugger attachment detection
  • 🔮 Advanced Features
    • ML-based false positive filtering
    • Severity scoring (CVSS)
    • Integration with SAST tools (SonarQube, Snyk)
    • Security dashboard/reporting

🤝 Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Submit a pull request

📄 License

MIT License - see LICENSE file for details

🔗 References

  • OWASP MASVS - Mobile Application Security Verification Standard
  • Flutter Security Best Practices
  • flutter_secure_storage

📞 Support

  • Issues: GitHub Issues
  • Discussions: GitHub Discussions

Made with ❤️ for Flutter security