Flutter Dev + AppSec Engineer Confessions: How I Built a Privacy-Obsessed KRA PIN Checker That Even My Paranoid Security Friends Approve Of 🛡️🇰🇪
Hey devs, DevSecOps ninjas, and fellow security weirdos!
I'm a part-time Flutter dev by night and a full-time Application Security Engineer by day. That means I spend 9-5 hunting bugs in other people's code... and then come home to make sure I don't become the bug myself.
Let me tell you about PinSight (checKRA), the app I built from absolute scratch that lets Kenyans verify any taxpayer PIN from a Kenyan ID instantly, using M-Pesa tokens.
No login. No data stored. No "free tier" nonsense. Just pure, privacy-first magic.
And yes, ONE codebase, ALL platforms:
- Android
- iOS
- macOS
- Windows
- Linux
Because why write the same secure app five times?
Here's the story from both sides of my brain:
1. The Developer Side (Flutter Joy)
- Entire UI in Flutter: single codebase, zero platform-specific nightmares
- Kenyan-themed design with slide + fade animations (animated_widgets)
- Single screen flow: dropdown → ID → "Check PIN" → result card in flag colors 🇰🇪
- Token balance in app bar, auto-triggers Buy Tokens dialog when zero (feels like magic)
- flutter_dotenv so I never commit secrets (lesson learned the hard way)
2. The Security Engineer Side (Paranoia = Default Setting)
Most apps treat privacy like a suggestion. Mine treats it like oxygen.
What I deliberately DIDN'T do:
- No Firebase Auth
- No Google/Sign-in-with-anything
- No SharedPreferences / Keychain abuse
- No logging of IDs, names, or phone numbers
- No analytics with PII (Firebase Analytics events only, anonymized)
What I DID do (AppSec flex):
- Every query is ephemeral: deleted instantly after the response
- Tokens stored on a private Node.js backend (MongoDB Atlas) behind HTTPS
- Tokens auto-delete when count = 0 (no zombie data)
- M-Pesa callback IP-whitelisted to Safaricom only
- Always ACK ResultCode: 0 to M-Pesa (no infinite retries)
- Signed releases with upload keystores (Android) & Apple Developer certs (iOS/macOS)
- Secrets in .env, never committed
- Custom regex validation per taxpayer type
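To make the callback rules above concrete (Safaricom-only source, always-ACK, no PII in logs, tokens vanishing at zero), here is an added, framework-free model of that path. It is example code, not PinSight's backend: the allowlist addresses, account ids and sample payload are constructed, and the payload shape follows the documented Daraja STK callback.

```javascript
// Added example, not PinSight/checKRA's own code: a framework-free model of the
// callback path the post describes (Safaricom IP allowlist, always-ACK, no PII logged).
// Allowlist, ids and the sample payload are constructed; shape follows Body.stkCallback.*.
const ALLOWLIST = new Set(['203.0.113.10', '203.0.113.11']); // placeholder (TEST-NET-3)
const ACK = { ResultCode: 0, ResultDesc: 'Accepted' }; // what Daraja expects back
const TOKENS_BY_KES = { 50: 1, 100: 2, 300: 6, 600: 14 }; // price table from the post
const tokensForAmount = (kes) => TOKENS_BY_KES[kes] || 0; // other amounts: no credit

// Token store: receipts are remembered so a replayed callback cannot double-credit,
// and an account whose balance reaches zero is deleted ("no zombie data").
function makeLedger() {
  const balances = new Map(), receipts = new Set();
  return {
    credit(account, receipt, n) {
      if (n <= 0 || receipts.has(receipt)) return false;
      receipts.add(receipt);
      balances.set(account, (balances.get(account) || 0) + n);
      return true;
    },
    spend(account) {
      const left = Math.max((balances.get(account) || 0) - 1, 0);
      if (left === 0) balances.delete(account); else balances.set(account, left);
      return left;
    },
    balance: (account) => balances.get(account) || 0,
  };
}

// req = { ip, body }; pending maps CheckoutRequestID -> buyer account, recorded when
// the STK push was initiated. `ip` must be the real peer address: behind a reverse
// proxy, derive it from the proxy's trusted hop, never from a raw client-supplied header.
function handleMpesaCallback(req, ledger, pending, allowlist = ALLOWLIST) {
  if (!allowlist.has(req.ip)) return { status: 403, body: { error: 'forbidden' } };
  try {
    const cb = req.body.Body.stkCallback;
    const account = pending.get(cb.CheckoutRequestID);
    if (cb.ResultCode === 0 && account) {
      // Flatten [{Name, Value}] items; PhoneNumber is in here but is never logged.
      const meta = Object.fromEntries(cb.CallbackMetadata.Item.map((i) => [i.Name, i.Value]));
      ledger.credit(account, meta.MpesaReceiptNumber, tokensForAmount(meta.Amount));
    }
  } catch (e) {
    console.error('mpesa callback: unparseable payload'); // non-PII reason only
  }
  return { status: 200, body: ACK }; // ACK regardless, so Daraja does not retry forever
}
// Constructed sample: a successful KES 300 purchase arriving from an allowlisted address.
const SAMPLE_CALLBACK = { ip: '203.0.113.10', body: { Body: { stkCallback: {
  CheckoutRequestID: 'ws_CO_1', ResultCode: 0, CallbackMetadata: { Item: [{ Name: 'Amount', Value: 300 },
    { Name: 'MpesaReceiptNumber', Value: 'RCP001' }, { Name: 'PhoneNumber', Value: 254700000000 }] } } } } };
```

A cancelled STK push (non-zero ResultCode) and a malformed payload both get the same ACK, so the only difference Daraja ever sees is a 403 for a non-Safaricom source.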
3. The DevSecOps Side (Shift-Left or GTFO)
- Backend on Render with auto-TLS
- /health endpoint for uptime monitors
- MongoDB Atlas IP access list
- Full CI/CD ready (GitHub Actions workflows in repo)
- Tested every flow in Daraja sandbox
- Repo structured so contributors can't leak secrets
Payment Methods (Kenya + Global)
- 🇰🇪 M-Pesa STK Push & Buy Goods (instant)
- PayPal coming next week! (for diaspora & international users)
Pricing? Brutally honest:
1 token = 1 verification. Buy exactly what you need.
KES 50 → 1 token
KES 100 → 2 tokens
KES 300 → 6 tokens
KES 600 → 14 tokens (best value)
Pay via M-Pesa → approve → paste SMS code → done.
PayPal flow drops soon: same token system, global reach.
Tech Stack
Frontend: Flutter (Dart), truly cross-platform
Backend: Node.js + Express + MongoDB Atlas
Payments: Safaricom Daraja API + PayPal (incoming)
Hosting: Render (paid HTTPS)
Analytics: Firebase (events only)
Download Links
- Android: Play Store (live!)
- iOS: App Store (review passed, live in 24h)
- macOS / Windows / Linux: Direct download from GitHub Releases
- APK / IPA / DMG / EXE / AppImage on request; DM "AppSec approved"
GitHub: all assets for early access to the app
Assets + desktop builds:
https://github.com/HovSaintBrandon/checKRA-supaApp-release
Star it if you hate data leaks. Fork it if you want to help add PayPal!
Support: hovsaintbrandon@gmail.com
If you're a dev who actually cares about security, a DevSecOps warrior tired of fixing messes, or just a Kenyan (or friend of Kenya) sick of shady "free" PIN checkers that sell your data...
...try it. I built it the way I wish EVERY app was built.
Let's make privacy the default, on every platform. 🇰🇪
P.S. Yes, I pentest my own app in my free time. Yes, I'm that guy.