Flutter Tips: SSL Pinning in Flutter

M Adam Dzulqarnain
3 min read · Jun 28, 2021

I’ve been learning security on Flutter for a week. SSL Pinning is one of the issues in my project.

Disclaimer: I'm not a security expert, I’m a mobile developer. Let me know if there’s anything wrong with my article.

What kind of SSL Pinning?

The basic concept of SSL Pinning is to validate the server's certificate whenever the app makes a request to the API, instead of trusting whatever the OS trust store accepts. SSL Pinning is recommended by OWASP to prevent Man-in-the-Middle (MITM) attacks.

Is it Possible to Pin SSL in Flutter?

The most practical solution for SSL Pinning in Flutter is the SecurityContext class. A SecurityContext accepts certificates and keys in PEM and PKCS12 format. We can use setTrustedCertificatesBytes to trust a specific certificate, or we can use HttpClient.badCertificateCallback as an alternative.

Other ways to pin the certificate are using the ssl_pinning_plugin package or writing native code in the Android and iOS layers.

SecurityContext

To validate the certificate we should create a SecurityContext that does not trust the OS's certificates, then load the certificate file and trust only that specific certificate.

Alternatively, we can override the HTTP client to handle badCertificateCallback.
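Both approaches in working form, as an added example that is not from the original post. It assumes the server certificate is shipped as the asset `assets/certs/api_server.pem` and that `pinnedSha256` is a placeholder for your own certificate's fingerprint; the fingerprint variant also covers the SHA-256 check that the ssl_pinning_plugin section below describes.

```dart
import 'dart:convert';
import 'dart:io';
import 'package:crypto/crypto.dart' show sha256;
import 'package:flutter/services.dart' show rootBundle;

// Hex SHA-256 of the server certificate's DER encoding.
// Placeholder: replace with the fingerprint of your own API certificate.
const String pinnedSha256 = '<SHA-256-FINGERPRINT-OF-YOUR-SERVER-CERT>';

/// Variant 1: trust only the bundled certificate, nothing from the OS store.
Future<HttpClient> clientWithTrustedCertificate() async {
  // withTrustedRoots: false -> the OS CA bundle (including any user-installed
  // proxy CA) is ignored; only the certificate added below is trusted.
  final context = SecurityContext(withTrustedRoots: false);
  // Asset path is an assumption; ship the PEM inside the app bundle.
  final pem = await rootBundle.load('assets/certs/api_server.pem');
  context.setTrustedCertificatesBytes(
      pem.buffer.asUint8List(pem.offsetInBytes, pem.lengthInBytes));
  final client = HttpClient(context: context);
  // Anything that fails to validate against the pinned cert is rejected.
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => false;
  return client;
}

/// Variant 2: compare the leaf certificate's SHA-256 fingerprint inside
/// badCertificateCallback. The callback only runs when normal validation
/// fails, so the context must start with an empty trust store; with the
/// default roots, a certificate from any trusted CA would be accepted
/// before the callback is ever consulted.
HttpClient clientWithFingerprintCheck() {
  final client = HttpClient(context: SecurityContext(withTrustedRoots: false));
  client.badCertificateCallback = (X509Certificate cert, String host, int port) {
    final fingerprint = sha256.convert(cert.der).toString();
    return fingerprint == pinnedSha256.toLowerCase();
  };
  return client;
}

/// Example request that fails closed when the pin does not match.
Future<String> fetchPinned(Uri uri) async {
  final client = await clientWithTrustedCertificate();
  try {
    final request = await client.getUrl(uri);
    final response = await request.close();
    return await response.transform(utf8.decoder).join();
  } on HandshakeException {
    // Certificate did not match the pin: possible MITM, do not fall back.
    rethrow;
  } finally {
    client.close();
  }
}
```

When a pinned certificate is rotated on the server, an app shipped with the old pin will fail every request, so plan the rollout (for example, pin the next certificate alongside the current one) before the old one expires.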

If you use the Dio plugin, see its documentation.

In native development, we usually use public key pinning. I found an issue about this that is still open in Flutter. I don't know whether this is the proper solution or not; my app is still undergoing a security check, but I talked to my friend, who is also a Flutter developer. He uses this method and passed the security test.

SSL Pinning Plugin

To use this plugin, see its documentation. For every request to the server, you need to make another request to validate the certificate. This plugin uses a SHA-1 or SHA-256 fingerprint to validate the certificate.

I think another way to do SSL Pinning is to write native code in the Android layer and iOS layer, but I haven't tried it yet. Let me know if you have a proper solution for SSL Pinning.

Thanks for reading,

stay safe, stay healthy.


Full-time learner, part-time developer. Available for freelance projects; reach me on LinkedIn: https://linkedin.com/in/adamnain