DEV Community: SchmiemanDev

Stop failing App Store reviews: Meet Flutter Permission Scanner

SchmiemanDev — Sun, 29 Mar 2026 11:14:48 +0000

If you’ve ever built a Flutter app, you know the drill. You need a feature, you head to pub.dev, you run flutter pub add, and you move on with your life. We love the Dart ecosystem because it abstracts away the native code.

But there is a massive blind spot here: what native permissions did that package just sneak into your AndroidManifest.xml or Info.plist?

In my last article about building the Damn Vulnerable Flutter App (DVFA), I mentioned how insanely easy it is to misconfigure native manifests when you spend 99% of your time writing Dart. If a random analytics package secretly drags in ACCESS_FINE_LOCATION or RECORD_AUDIO, two things happen:

Apple and Google will reject your app during review for missing privacy descriptions.
Your users will get a creepy system popup asking to track them, and they will immediately uninstall your app.

I wanted a quick way to audit exactly what my dependencies were asking for without manually digging through the .dart_tool cache. It didn't exist.

So, I built it.

Meet Flutter Permission Scanner.

It is a completely open-source Dart CLI tool that scans your host app and all your dependencies to generate a clean, consolidated report of every native permission your app is requesting across Android, iOS, and macOS.

What it does:

Dependency Discovery: It automatically resolves your local and cached packages and scans their native source files (AndroidManifest.xml, Info.plist, .podspec).
Sensitive Highlighting: It automatically flags "Dangerous" permissions (like Camera, Microphone, and Location) so you know exactly which packages are going to trigger user consent popups.
CI/CD Ready: Are you a DevSecOps fan? You can run it with the --json or --markdown flags. I built this specifically so you can plug it into a GitHub Action and automatically post a Markdown table of permission changes directly to your Pull Requests.
Cross-Platform: It handles Android, iOS, and macOS permission keys right out of the box.

Try it out

Because it's a pure Dart CLI, you don't need to install anything crazy to get started. Just activate it globally:

dart pub global activate flutter_permission_scanner

Then, navigate to the root of any Flutter project and run:

flutter_permission_scanner

You can check out the source code, read the CI/CD documentation, or report bugs over on the GitHub repository:

👉 flutter_permission_scanner on GitHub

👉 View on pub.dev

Drop a ⭐️ on GitHub if you find it useful! Also, let me know in the comments: have you ever had an app rejected by Apple or Google because of a permission hiding inside a 3rd-party package?

The Open-Source Security Guide for Flutter Developers

SchmiemanDev — Fri, 27 Mar 2026 19:39:43 +0000

We spend a lot of time in the Flutter community arguing about state management and app architecture. But when I recently went looking for a centralized list of mobile AppSec tools specifically for Flutter, I hit a wall.

There wasn't a dedicated "Awesome" repository for Flutter security. The resources for both defending and reverse-engineering compiled Dart apps were completely scattered.

So, instead of hoarding my personal bookmarks, I made the repo myself.

Meet Awesome Flutter Security.

It’s a curated, open-source list of Flutter application security resources, defensive tools, and vulnerable sandboxes. Whether you are a developer trying to lock down your app or a pentester trying to break one, I wanted everything in one place.

What's inside:

Defensive Tools: RASP (Runtime Application Self-Protection), obfuscation guides, and the right ways to handle secure storage and biometrics.
Offensive Tools: Frameworks like reFlutter and blutter for intercepting traffic, bypassing SSL pinning, and reverse-engineering AOT binaries.
Practice Sandboxes: Intentionally vulnerable apps (like DVFA) mapped to the OWASP Mobile Top 10 so you can practice your hacking skills.
Standards: The must-read guidelines from OWASP and the official Flutter team.

Let's build this together

The goal is to make this the standard AppSec reference for the Flutter ecosystem. If you know of a tool, a great article, or a package that belongs on this list, PRs are highly welcome!

Check out the repository here: Awesome Flutter Security

Drop a ⭐️ if you find it useful, and let me know in the comments: what is your go-to package for securing your Flutter apps? Did I miss any hidden gems?

I Built a "Damn Vulnerable" Flutter App to Teach Mobile AppSec (and how to hack it)

SchmiemanDev — Thu, 26 Mar 2026 09:56:06 +0000

If you hang out in Flutter communities, you know we spend a lot of time arguing about state management. Bloc, Riverpod, Provider—pick your poison. But there's one topic we almost never talk about: what actually happens when a bad actor gets their hands on our compiled libapp.so?

I recently wanted to dive deep into mobile AppSec. The problem? Almost all the hands-on resources out there focus heavily on native Android (Java/Kotlin) or iOS (Swift). I wanted to see exactly how the OWASP Mobile Top 10 translates to the Flutter ecosystem, but I couldn't find a good playground to test things out.

So, I decided to build one myself. And I made it intentionally terrible. 😅

Meet the Damn Vulnerable Flutter App (DVFA).

It’s a FinTech-themed Flutter application purposely riddled with security flaws. I mapped the vulnerabilities directly to the OWASP Mobile Application Security Verification Standard (MASVS) so developers and security researchers can practice static analysis, intercept traffic, and reverse-engineer AOT binaries without setting up a massive environment from scratch.

Some of my favorite ways to break this app:

AOT Reverse Engineering: (Challenge 7). The app exports an encrypted bank statement using the encrypt package (AES-CBC), but the AES key is statically managed in the Dart code. Your job? Extract the libapp.so binary, run it through tools like blutter, and recover the hardcoded key.
Deep Link Hijacking: (Challenge 5). I registered a custom dvfa://app scheme in the Android manifest. If you craft a malicious deep link, you can force the app to bypass user confirmation and automatically execute a fund transfer.
The "Oops" Data Leak: (Challenge 10). There is no explicitly vulnerable "bad code" here. Instead, I intentionally didn't implement a WidgetsBindingObserver. Because the app doesn't detect when it goes to the background, the OS takes a clear screenshot of the financial dashboard for the App Switcher, leaking sensitive data.

I also threw in a Dockerized mock backend (built with Flask) so you can practice intercepting unencrypted HTTP traffic.

Try it out

If you want to test your AppSec skills, you can grab the compiled APK from the Releases tab for a blind black-box test, or clone the repo to read the source code:

👉 https://github.com/Schmiemandev/dvfa

What's next?

Building DVFA made me realize how insanely easy it is to misconfigure native manifests when you spend 99% of your time writing Dart. I'm currently hacking on a CLI tool that automatically scans Flutter CI/CD pipelines for these exact misconfigurations before the app gets compiled. I'll be open-sourcing that soon!

P.S. This is my very first article on DEV! Let me know what you think of DVFA, and if anyone actually manages to beat Challenge 7, drop a comment below, I'd love to see how you approached it!