Kotlin and Flutter Framework

Kotlin
Kotlin Libraries and Framework

1. Ktor

Ktor is a framework for creating a web application and microservices using Kotlin. Ktor can be
used by developers to develop a RESTful API that a mobile or web app can interact with via
HTTP request. Besides, HTML responses can be rendered directly using Ktor. Hence, a full-
stack web application can be build using Ktor.

Ktor is flexible and can work with other tools to create complicated applications. Ktor can be
utilised with SQL database to store data. Unfortunately, insufficient feature implementation
may expose the Ktor application to security risk such as SQL injection.

2. Spring

Spring is a well-known Java framework for developing microservices and general-purpose

web applications. New Spring project can be produced using Kotlin starting with the fifth
edition of the Spring project generation.

A Spring application may also be vulnerable to SQL injection and XSS attacks

3. Javalin

Javalin is a Java and Kotlin framework that supports WebSockets, async requests, and HTTP2.
One of Javalin's advantages is that it is ideal for developing RESTful APIs. For example, it
offers excellent OpenAPI compatibility and can be used with tools such as Swagger.
Furthermore, Javalin applications operate on Jetty, a prominent JVM web server.

Poorly optimized Javalin programmes may be subject to security concerns.

Common Security Attacks in Kotlin

1. SQL Injection

SQL injection occurs when an attacker modifies SQL queries on a website or application that
is vulnerable. The attacker typically chooses features that accept user inputs as their targets
for this kind of attack. For instance, the attacker may manipulate the ID value in a web
application's URL.

Validating user input before using it in SQL queries is an effective technique for preventing
SQL injection. The usage of ‘PreparedStatement’ is an additional approach for preventing
SQL injection.

2. Cross-site Scripting (XSS)

XSS enables users to insert malicious JavaScript code into a website. An attacker can utilise
many kinds of techniques, including pages that display user inputs, to carry out an XSS
attack.

For instance, on a website that lets users to reply to posts, the attacker might upload
malicious code utilising the reply option. Every time a regular user loads the page containing
the reply, the malicious code is then run.

One efficient way to stop XSS attacks is by validating and sanitizing user inputs.

3. Command Injection

In a command injection attack, malicious code is uploaded into the server by the attacker.
This code is then executed by the server or back end in the same way as regular application
code, giving the attacker access to data and other resources.

This type of attack can be done via user input. The attacker may inject code via a URL query
parameter. Avoiding the use of functions that execute commands in our code is a smart
practise for preventing command injection. Sanitization of user input can additionally lower
danger. (direct dari website)

4. Cross-Site Request Forgery (CSRF)

XSS enables users to insert malicious JavaScript code into a website. The attacker can
perform the attack using various ways, including pages that display user inputs. For example,
the attacker may submit malicious code using the reply feature on a website that allows
users to reply to posts. After that, whenever a regular user accesses the page containing the
response, the malicious code will run.

Validating and sanitizing user inputs is one useful technique for preventing XSS attacks.

(jadi pintu kepada every source of malicious script, advanced XSS in a way)
5. HTTP Strict Transport Security Header

Browsers can limit access to a site to just HTTPS requests by using the HTTP strict transport
security header. When using the insecure HTTP protocol, data transmission can be exposed.
Enable HTTPS on web apps to protect against tight transport security header-related
vulnerabilities.
Common Security Attacks in Kotlin

1. SQL Injection

SQL injection occurs when an attacker modifies SQL queries on a website or application that
is vulnerable. The attacker typically chooses features that accept user inputs as their targets
for this kind of attack. For instance, the attacker may manipulate the ID value in a web
application's URL.

Validating user input before using it in SQL queries is an effective technique for preventing
SQL injection. The usage of ‘PreparedStatement’ is an additional approach for preventing
SQL injection.

2. Cross-site Scripting (XSS)

XSS enables users to insert malicious JavaScript code into a website. An attacker can utilise
many kinds of techniques, including pages that display user inputs, to carry out an XSS
attack.

For instance, on a website that lets users to reply to posts, the attacker might upload
malicious code utilising the reply option. Every time a regular user loads the page containing
the reply, the malicious code is then run.

One efficient way to stop XSS attacks is by validating and sanitizing user inputs.

3. Command Injection

In a command injection attack, malicious code is uploaded into the server by the attacker.
This code is then executed by the server or back end in the same way as regular application
code, giving the attacker access to data and other resources.

This type of attack can be done via user input. The attacker may inject code via a URL query
parameter. Avoiding the use of functions that execute commands in our code is a smart
practise for preventing command injection. Sanitization of user input can additionally lower
danger.

4. Cross-Site Request Forgery (CSRF)

XSS enables users to insert malicious JavaScript code into a website. The attacker can
perform the attack using various ways, including pages that display user inputs. For example,
the attacker may submit malicious code using the reply feature on a website that allows
users to reply to posts. After that, whenever a regular user accesses the page containing the
response, the malicious code will run.

Validating and sanitizing user inputs is one useful technique for preventing XSS attacks.
5. HTTP Strict Transport Security Header

Browsers can limit access to a site to just HTTPS requests by using the HTTP strict transport
security header. When using the insecure HTTP protocol, data transmission can be exposed.
Enable HTTPS on web apps to protect against tight transport security header-related
vulnerabilities.

Kotlin’s Features That Increase Security

Kotlin includes several security features and is very similar to other programming languages.

1. Immutability (Static Available)

Kotlin is different from Java in that it provides keywords for mutable and immutable variable
declaration. These keywords are ‘val’ and ‘var’. Variables defined with ‘val’ are immutable,
hence you cannot assign a new value to them.

2. Null safety

Null safety has been highlighted as one of Kotlin's advantages. For example, if an operation
expects an integer but returns null value, the system will return error. It does this by issuing a
'NullPointerException' when the program tries to use an object reference with a null value.

Kotlin Security Best Practices

1. Validate user input before parsing or outputting them

Failure to do so may leave the application vulnerable to SQL injections and XSS attacks.

2. Avoid storing API configuration keys in code

Avoid storing API keys as strings in the application to limit reverse engineering. Instead, use
environment variables or other means to encrypt keys wherever possible.

3. Keep tools up to date

Always keep the Kotlin version that is being used up to date. Furthermore, if any additional
third-party libraries or dependencies are being used, they should up to date as well.

4. Encrypt data before sending it over the network

If the application delivers sensitive data over the network, such as messages and passwords,
use effective encryption methods to secure such data before transmitting it. This reduces the
possibility of data being intersected while in route.
Strengths:

1. Fewer crashes thanks to null safety

Kotlin provides null safety at the language API level to minimise application problems
brought on by erroneous data or user input. NullPointerException can be avoided when
Kotlin's null safety is used correctly.

2. Data encryption

Kotlin has good libraries that make it easier for developers to encrypt data. One example of
Kotlin data encryption libraries isJetpack Security.

3. Frequent updates

Security is a never-ending process. The Kotlin team is constantly finding new vulnerabilities,
and they provide patches to fix any problems that may have been discovered.

Weakness:

1. Reverse engineering

Someone with good technical knowledge could use reverse engineering on Kotlin app.
Additionally, if you include private information in your app, such as API credentials, these can
also be exposed.

2. Internet-driven APIs

For various reasons, the majority of programmes require an internet connection. A few
utilities are already included in Kotlin to power the internet-based functionality of apps.
HttpsURLConnection and WebView are two examples. Transmitting sensitive data while using
a non-SSL protocol for HTTP requests can expose it. Similar to improper usage of the
WebView API, allowing users to browse any URL through your app and allowing any
JavaScript code to run might increase security risk.
Flutter
Utilizing safety philosophy with Flutter

Flutter Security Strategy

Identify: Identify essential assets, major threats, and vulnerabilities to track and prioritise
important security concerns.

Detect: Use techniques and tools such as vulnerability scanning, static application security
testing, and fuzzing to detect and identify vulnerabilities.

Protect: Reduce risks by addressing known vulnerabilities and safeguarding vital assets
against source threats.

Respond: Establish procedures for reporting, triaging, and responding to vulnerabilities or

assaults.

Recover: Build capabilities to contain and recover from an incident with minimal impact.

Strategies for Improving Security and Preventing Reverse Engineering in Flutter Applications

Refer more (https://levelup.gitconnected.com/how-to-avoid-reverse-engineering-in-flutter-

applications-b56af2180223)

1. Code Obfuscation

Code obfuscation is a technique that makes the application’s binary difficult for humans to
understand to protect against reverse engineering. This helps to encrypt vital pieces such as
API keys, function names, classes, and other important strings. Flutter strives to decrease
risks by minimising known vulnerabilities, securing essential assets, and obscuring the code.

2. Code Splitting

Code splitting is a method of dividing the application into smaller bits and loading them on
demand. An attacker may find it more difficult to reverse-engineer the code if they must
analyse numerous files rather than simply one.

You may do code splitting in Flutter by using deferred imports. This functionality allows you
to load sections of your application as needed.

3. Use Native Code

Another method for preventing reverse engineering is to use native code written in
languages such as C, C++, or Swift. Native code is frequently more difficult to reverse-
engineer than Dart code. Flutter platform channels can be used to connect with native code,
and the most crucial and sensitive elements of the application can be written in native
languages. (can use multiple frameworks in one programming code tapi tak practical)
4. Regularly Update the Dependencies

Keeping the dependencies up to date is critical for avoiding security flaws. Update the
packages on a regular basis to receive security patches and enhancements

How to make Flutter Mobile App Secure and Reliable

More refer: (https://invotech.co/blog/secure-flutter-mobile-app/#:~:text=In%20Flutter%20app

%20development%2C%20the,to%20understand%20the%20encoded%20information.)

1. Use encryption for extended protection

The majority of data stored on the device in Flutter app development can be encrypted to
ensure its security. Encryption protects both privacy and data integrity by ensuring that only
authorised users have access to the data and that intruders cannot decipher the encoded
information.

2. Test the app for reliability so it works properly under different conditions

Even if the Dart programming language enables developers to create dependable apps,
testing for dependability shouldn't stop there. To guarantee that the new app is stable, it
must be test under many scenarios. This includes evaluating every single codebase, new
features, cross-platform screen readers, debug mode configurations and user interface
models.

This involves performance and stability testing in both real-world and virtual environments,
which will assist disclose any potential flaws or defects immediately before the app is
published to users.

3. Use proper authentication methods, such as passwords and tokens

In terms of security, Flutter applications may require some level of authentication. Passwords
and tokens are two of the most common ways used by developers to keep user data safe.

Among app features, authentication should be prioritized because it can make or break the
Flutter apps. Use secure app authentication protocols like as OAuth2 or OpenID Connect,
which allow users to sign in using their existing Google or Facebook identities.

Two-factor authentication (2FA) is standard in the development environment so can use it for
the Flutter app as well. This allows users to add an extra degree of security to their account
before accessing the app's capabilities.

4. Monitor app performance on a daily basis

Because the Flutter architecture is designed for performance, it is only reasonable for you to
double-check that your app works as expected.
 Setting up performance monitoring tools that can detect any faults or slowdowns during
usage is a wonderful method to deal with this. This will have to discover any issue areas
quickly and efficiently.

5. Provide secure network connection

Securing mobile applications is essential these days, and having a secure network connection
between an app and its server is a must. Transport Secure Layer (TSL) encryption is key to
protecting information in transit, and whitelisting the domain can restrict traffic that is not
secure.

Certificate pinning should be used as an additional layer of protection to prevent cyber

thieves from accessing data by using illicit certificates to tamper with data. Each of these
measures can help to secure the security of the app and its stored data, so make sure to
follow them exactly.