DEV Community

SchmiemanDev

Stop failing App Store reviews: Meet Flutter Permission Scanner

If you’ve ever built a Flutter app, you know the drill. You need a feature, you head to pub.dev, you run flutter pub add, and you move on with your life. We love the Dart ecosystem because it abstracts away the native code.

But there is a massive blind spot here: what native permissions did that package just sneak into your AndroidManifest.xml or Info.plist?

In my last article about building the Damn Vulnerable Flutter App (DVFA), I mentioned how insanely easy it is to misconfigure native manifests when you spend 99% of your time writing Dart. If a random analytics package secretly drags in ACCESS_FINE_LOCATION or RECORD_AUDIO, two things happen:

  1. Apple and Google will reject your app during review for missing privacy descriptions.
  2. Your users will get a creepy system popup asking to track them, and they will immediately uninstall your app.

I wanted a quick way to audit exactly what my dependencies were asking for without manually digging through the .dart_tool cache. It didn't exist.

So, I built it.

Meet Flutter Permission Scanner.

It is a completely open-source Dart CLI tool that scans your host app and all your dependencies to generate a clean, consolidated report of every native permission your app is requesting across Android, iOS, and macOS.

What it does:

  • Dependency Discovery: It automatically resolves your local and cached packages and scans their native source files (AndroidManifest.xml, Info.plist, .podspec).
  • Sensitive Highlighting: It automatically flags "Dangerous" permissions (like Camera, Microphone, and Location) so you know exactly which packages are going to trigger user consent popups.
  • CI/CD Ready: Are you a DevSecOps fan? You can run it with the --json or --markdown flags. I built this specifically so you can plug it into a GitHub Action and automatically post a Markdown table of permission changes directly to your Pull Requests.
  • Cross-Platform: It handles Android, iOS, and macOS permission keys right out of the box.
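The kind of audit the list above describes, as an added Python sketch that is not the tool's own code: it reads `uses-permission` entries from Android manifests and `...UsageDescription` keys from an Info.plist, then reports dangerous Android permissions that only a dependency requests. The package names, file contents and the short dangerous-permission list are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Illustrative subset of Android permissions with the "dangerous" protection level.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Constructed sample inputs: package name -> AndroidManifest.xml contents.
MANIFESTS = {
    "host_app": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""",
    "example_analytics": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>""",
}
HOST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>demo</string>
  <key>NSCameraUsageDescription</key><string>Scan QR codes</string>
</dict></plist>"""

def android_permissions(manifest_xml):
    """Return the permission names declared by uses-permission* elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter()
            if e.tag.startswith("uses-permission") and e.get(ANDROID_NS + "name")}

def ios_usage_keys(plist_bytes):
    """Return Info.plist keys that carry a privacy usage description."""
    return {k for k in plistlib.loads(plist_bytes) if k.endswith("UsageDescription")}

def report(manifests):
    """Map each permission to the packages requesting it and a dangerous flag."""
    out = {}
    for pkg, xml in manifests.items():
        for perm in android_permissions(xml):
            entry = out.setdefault(perm, {"packages": [], "dangerous": perm in DANGEROUS})
            entry["packages"].append(pkg)
    return out

def introduced_by_dependencies(manifests, host="host_app"):
    """Dangerous permissions requested by dependencies but absent from the host manifest."""
    return sorted(p for p, e in report(manifests).items()
                  if e["dangerous"] and host not in e["packages"])

if __name__ == "__main__":
    print(introduced_by_dependencies(MANIFESTS), ios_usage_keys(HOST_PLIST))
```

Failing a CI job when `introduced_by_dependencies` returns a non-empty list surfaces a new sensitive permission at pull-request time instead of at store review.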

Try it out

Because it's a pure Dart CLI, you don't need to install anything crazy to get started. Just activate it globally:

dart pub global activate flutter_permission_scanner

Then, navigate to the root of any Flutter project and run:

flutter_permission_scanner

You can check out the source code, read the CI/CD documentation, or report bugs over on the GitHub repository:

👉 flutter_permission_scanner on GitHub

👉 View on pub.dev

Drop a ⭐️ on GitHub if you find it useful! Also, let me know in the comments: have you ever had an app rejected by Apple or Google because of a permission hiding inside a 3rd-party package?
