Flutter Data Security: Building an AES Encryption Utility from Scratch

RAYMOND ADERINTO — Fri, 08 Aug 2025 19:45:38 +0000

Introduction

I have always known security was important, but one project really hammered it home for me.
While working on a fintech app, I realised some sensitive user data wasn’t as protected as it should be. Nothing bad had happened yet — but I could see the risk, and honestly, it made my stomach drop.

When you work on sensitive apps, you’re responsible for your code. If there’s a data breach and you left something amiss — or forgot to lock the system down — you can be prosecuted. That thought keeps me up at night, knowing I could go to the office one morning and not come back home. So I became a little bit obsessed with securing my app.

I rolled up my sleeves and built a proper AES encryption system to lock everything down — from API tokens to personal details. It gave me peace of mind, and I figured… why keep this to myself? If sharing my approach helps even one other developer avoid that “oh no” moment, it’s worth it.

Data security is no longer optional — whether you’re building a fintech app, a messaging platform, or an IoT solution, protecting sensitive information is crucial. In Flutter, you can implement strong encryption with packages like encrypt to secure data both at rest and in transit.

In this article, we’ll explore:
• What encryption is and why it matters.
• How AES encryption works in Flutter.
• A real-world example with a reusable encryption utility class.

Why Encryption Matters

Encryption ensures that even if your data is intercepted or accessed by unauthorized parties, it remains unreadable without the correct key.
For example:
• User passwords
• Payment details
• API tokens
• Sensitive configuration data

Without encryption, any breach could expose raw, readable information.

AES: The Encryption Standard

Advanced Encryption Standard (AES) is a symmetric encryption algorithm, meaning the same key is used for encryption and decryption.
Key points about AES:
• Secure and widely adopted.
• Supports key sizes of 128, 192, or 256 bits.
• Often paired with modes like CBC (Cipher Block Chaining) and padding schemes like PKCS7 for compatibility.

Setting Up Flutter for Encryption

Install the encrypt package:

flutter pub add encrypt

Building a Secure Storage Utility

Below is a complete SecureStorage class that demonstrates AES encryption in Flutter.

import 'package:encrypt/encrypt.dart';
import 'dart:convert';
import 'dart:typed_data';

class SecureStorage {
  static final String _keyString = "your api key "; // 32 bytes
  static Key get _key => Key.fromUtf8(_keyString);

  static String encryptData(String plainText) {
    final iv = IV.fromSecureRandom(16); // Secure, random IV
    final encrypter = Encrypter(AES(_key, mode: AESMode.cbc, padding: "PKCS7"));
    final encrypted = encrypter.encrypt(plainText, iv: iv);

    // Combine IV + Encrypted Data
    final combined = iv.bytes + encrypted.bytes;
    return base64.encode(combined);
  }

  static String decryptData(String encryptedText) {
    try {
      final bytes = base64.decode(encryptedText);

      if (bytes.length < 32) {
        return "Decryption Failed: Not enough data";
      }

      final iv = IV(Uint8List.fromList(bytes.sublist(0, 16)));
      final encryptedData = Encrypted(Uint8List.fromList(bytes.sublist(16)));

      final encrypter = Encrypter(AES(_key, mode: AESMode.cbc, padding: "PKCS7"));
      return encrypter.decrypt(encryptedData, iv: iv);
    } catch (e) {
      return "Decryption Failed: $e";
    }
  }
}

How It Works
1. The Key

static final String _keyString = "your Api Key";

This is a 32-byte (256-bit) AES key. In production, store it securely (e.g., in in Firebase Remote Config or azure Key Vault).

2.  **Encryption Process**
• Generate a secure random IV (16 bytes for AES).
• Encrypt the data with AES-CBC and PKCS7 padding.
• Combine the IV and the encrypted data into one byte array.
• Base64 encode for safe storage or transmission.


3.  **Decryption Process**
• Base64 decode to get raw bytes.
• Extract the first 16 bytes as the IV.
• Use the remaining bytes as the encrypted payload.
• Decrypt with the same AES key.

Example Usage

void main() {
  String secret = "Sensitive user data";

  String encrypted = SecureStorage.encryptData(secret);
  print("Encrypted: $encrypted");

  String decrypted = SecureStorage.decryptData(encrypted);
  print("Decrypted: $decrypted");
}

Output:

Encrypted: kfL0L9x0M... (base64 string)
Decrypted: Sensitive user data

Security Considerations
• Key Management: Never hardcode keys in production — use secure storage, environment configs, or key management services.
• IV Randomness: Always use a new IV for each encryption to ensure security.
• Obfuscation: Use Flutter’s obfuscation and minification to make reverse-engineering harder.
• Integrity Checks: Consider adding HMAC to detect tampering.

Conclusion

By implementing AES encryption in Flutter with a well-structured utility like SecureStorage, you ensure sensitive data is protected against unauthorised access. With proper key management and secure coding practices, you can significantly improve your app’s security posture.

DEV Community: RAYMOND ADERINTO

Flutter Data Security: Building an AES Encryption Utility from Scratch