Flutter Dev + AppSec Engineer Confessions: How I Built a Privacy-Obsessed KRA PIN Checker That Even My Paranoid Security Friends Approve Of 🇰🇪
Hey devs, DevSecOps ninjas, and fellow security weirdos!
I'm a part-time Flutter dev by night and a full-time Application Security Engineer by day. That means I spend 9-5 hunting bugs in other people's code… and then come home to make sure I don't become the bug myself.
Let me tell you about PinSight (checKRA), the app I built from absolute scratch that lets Kenyans verify any taxpayer PIN from a Kenyan ID number instantly, using M-Pesa tokens.
No login. No data stored. No "free tier" nonsense. Just pure, privacy-first magic.
And yes, ONE codebase, ALL platforms:
- ✅ Android
- ✅ iOS
- ✅ macOS
- ✅ Windows
- ✅ Linux
Because why write the same secure app five times?
Here's the story from both sides of my brain:
1. The Developer Side (Flutter Joy)
- Entire UI in Flutter: single codebase, zero platform-specific nightmares
- Kenyan-themed design with slide + fade animations (animated_widgets)
- Single screen flow: dropdown → ID → "Check PIN" → result card in flag colors 🇰🇪
- Token balance in app bar, auto-triggers the Buy Tokens dialog when it hits zero (feels like magic)
- flutter_dotenv so I never commit secrets (lesson learned the hard way)
2. The Security Engineer Side (Paranoia = Default Setting)
Most apps treat privacy like a suggestion. Mine treats it like oxygen.
What I deliberately DIDN'T do:
- ❌ No Firebase Auth
- ❌ No Google/Sign-in-with-anything
- ❌ No SharedPreferences / Keychain abuse
- ❌ No logging of IDs, names, or phone numbers
- ❌ No analytics with PII (Firebase Analytics events only, anonymized)
What I DID do (AppSec flex):
- Every query is ephemeral: deleted instantly after the response
- Tokens stored on a private Node.js backend (MongoDB Atlas) behind HTTPS
- Tokens auto-delete when count = 0 (no zombie data)
- M-Pesa callback IP-whitelisted to Safaricom only
- Always ACK ResultCode: 0 to M-Pesa (no infinite retries)
- Signed releases with upload keystores (Android) & Apple Developer certs (iOS/macOS)
- Secrets in .env, never committed
- Custom regex validation per taxpayer type
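The callback rules from the list above (source IP allowlist, always ACK ResultCode 0, delete at zero balance, never log the payload) as an added JavaScript example; this is not the app's own code. It assumes an in-memory ledger in place of MongoDB, constructed placeholder allowlist addresses, and that the "SMS code" a user pastes is the M-Pesa receipt number.

```javascript
// Added example, not the app's own code: the callback rules from the list above
// as plain Node.js functions (no Express needed to run them).
// ASSUMPTION: the allowlist below is a CONSTRUCTED placeholder; real Safaricom
// callback source addresses must come from Safaricom's documentation.
const CALLBACK_ALLOWLIST = (process.env.MPESA_CALLBACK_IPS || '203.0.113.10,203.0.113.11')
  .split(',').map((s) => s.trim());

// The page's price table: KES paid -> tokens credited.
const TOKENS_PER_KES = { 50: 1, 100: 2, 300: 6, 600: 14 };

// Exact-match source check. Behind a reverse proxy the socket address is the
// proxy's, so the caller must pass the proxy-verified client IP, not raw req.ip.
function isAllowedCallbackSource(clientIp) {
  return CALLBACK_ALLOWLIST.includes(clientIp);
}

// In-memory stand-in for the MongoDB token store, keyed by M-Pesa receipt number
// (assumption: that receipt is the "SMS code" the user pastes into the app).
const ledger = { tokens: new Map(), seenCheckouts: new Set() };

// Credit once per CheckoutRequestID so a redelivered callback cannot double-credit.
function creditTokens(receipt, checkoutId, tokens) {
  if (!receipt || tokens <= 0 || ledger.seenCheckouts.has(checkoutId)) return false;
  ledger.seenCheckouts.add(checkoutId);
  ledger.tokens.set(receipt, (ledger.tokens.get(receipt) || 0) + tokens);
  return true;
}

// Spend one token; delete the record when the balance hits zero (no zombie data).
function spendToken(receipt) {
  const bal = ledger.tokens.get(receipt) || 0;
  if (bal <= 0) return false;
  if (bal === 1) ledger.tokens.delete(receipt); else ledger.tokens.set(receipt, bal - 1);
  return true;
}

// Reject unknown sources; otherwise ALWAYS answer ResultCode 0, even when our own
// processing fails, so M-Pesa stops retrying. Only the fields needed to credit are
// read; the payload (which carries the payer's phone number) is never logged.
function handleMpesaCallback(clientIp, payload) {
  if (!isAllowedCallbackSource(clientIp)) return { status: 403, body: { error: 'forbidden' } };
  const ack = { status: 200, body: { ResultCode: 0, ResultDesc: 'Accepted' } };
  try {
    const cb = payload.Body.stkCallback;
    if (cb.ResultCode !== 0) return ack; // cancelled or failed payment: nothing to credit
    const items = Object.fromEntries((cb.CallbackMetadata?.Item || []).map((i) => [i.Name, i.Value]));
    creditTokens(items.MpesaReceiptNumber, cb.CheckoutRequestID, TOKENS_PER_KES[items.Amount] || 0);
  } catch (e) { /* malformed payload: still ACK; alert out-of-band without echoing the body */ }
  return ack;
}
```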
3. The DevSecOps Side (Shift-Left or GTFO)
- Backend on Render with auto-TLS
- /health endpoint for uptime monitors
- MongoDB Atlas IP access list
- Full CI/CD ready (GitHub Actions workflows in repo)
- Tested every flow in the Daraja sandbox
- Repo structured so contributors can't leak secrets
Payment Methods (Kenya + Global)
- 🇰🇪 M-Pesa STK Push & Buy Goods (instant)
- PayPal coming next week! (for diaspora & international users)
Pricing? Brutally honest:
1 token = 1 verification. Buy exactly what you need.
KES 50 → 1 token
KES 100 → 2 tokens
KES 300 → 6 tokens
KES 600 → 14 tokens (best value)
Pay via M-Pesa → approve → paste SMS code → done.
PayPal flow drops soon: same token system, global reach.
Tech Stack
Frontend: Flutter (Dart), truly cross-platform
Backend: Node.js + Express + MongoDB Atlas
Payments: Safaricom Daraja API + PayPal (incoming)
Hosting: Render (paid HTTPS)
Analytics: Firebase (events only)
Download Links
- Android: Play Store (live!)
- iOS: App Store (review passed, live in 24h)
- macOS / Windows / Linux: Direct download from GitHub Releases
- APK / IPA / DMG / EXE / AppImage on request: DM "AppSec approved"
GitHub: all assets and desktop builds for early access to the app:
https://github.com/HovSaintBrandon/checKRA-supaApp-release
Star it if you hate data leaks. Fork it if you want to help add PayPal!
Support: hovsaintbrandon@gmail.com
If you're a dev who actually cares about security, a DevSecOps warrior tired of fixing messes, or just a Kenyan (or friend of Kenya) sick of shady "free" PIN checkers that sell your data…
…try it. I built it the way I wish EVERY app was built.
Let's make privacy the default, on every platform. 🇰🇪
P.S. Yes, I pentest my own app in my free time. Yes, I'm that guy.