flutter-security

$npx mdskill add HoangNguyen0403/agent-skills-standard/flutter-security


SKILL.md

.github/skills/flutter-security
---
name: flutter-security
description: Enforce OWASP Mobile security standards for Flutter apps. Use when storing sensitive data, making network calls, handling tokens/PII, or preparing release builds.
metadata:
  triggers:
    files:
    - 'lib/infrastructure/**'
    - 'pubspec.yaml'
    keywords:
    - secure_storage
    - obfuscate
    - jailbreak
    - pinning
    - PII
    - OWASP
---

# Mobile Security

## **Priority: P0 (CRITICAL)**

## Implementation Workflow

1. **Store secrets securely** — Use `flutter_secure_storage` for tokens/PII. Never use `shared_preferences` for sensitive data.
2. **Externalize secrets** — Never store API keys in Dart code. Use `--dart-define` or `.env` files.
3. **Obfuscate releases** — Build `--obfuscate --split-debug-info=./symbols`. Deterrent only — move sensitive logic to backend.
4. **Pin certificates** — `dio_certificate_pinning` for high-security apps to prevent MITM.
5. **Root detection** — `flutter_jailbreak_detection` for root/jailbreak checks in financial/sensitive apps.
6. **Mask PII** — Redact PII (email, phone) from all logs and analytics.
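As an added example (not the skill's own `references/implementation.md`), a Dart sketch of steps 1 and 6: a token store backed by `flutter_secure_storage` and a PII redactor applied before anything reaches a logger or analytics SDK. The class and function names are hypothetical, and the `AndroidOptions`/`IOSOptions` option names are assumptions to check against the installed package version.

```dart
// Added example, not code from the skill's references. Assumes the
// flutter_secure_storage package; the option names below follow its
// AndroidOptions/IOSOptions API and should be verified for your version.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

class SecureTokenStore {
  static const _accessTokenKey = 'access_token';

  // Keystore-backed on Android, Keychain on iOS. Never shared_preferences.
  final FlutterSecureStorage _storage = const FlutterSecureStorage(
    aOptions: AndroidOptions(encryptedSharedPreferences: true),
    iOptions: IOSOptions(
      accessibility: KeychainAccessibility.first_unlock_this_device,
    ),
  );

  Future<void> saveAccessToken(String token) =>
      _storage.write(key: _accessTokenKey, value: token);

  Future<String?> readAccessToken() => _storage.read(key: _accessTokenKey);

  // Delete on logout so the token does not outlive the session.
  Future<void> clear() => _storage.delete(key: _accessTokenKey);
}

// Constructed patterns for e-mail addresses and phone numbers; tune the
// phone pattern for the locales your app serves.
final _emailPattern = RegExp(r'[\w.+-]+@[\w-]+(\.[\w-]+)+');
final _phonePattern = RegExp(r'\+?\d[\d\s().-]{7,}\d');

// Masks PII in a log message (step 6). E-mails keep their first character
// and domain so the line stays debuggable; phone numbers are replaced whole.
String redactPii(String message) {
  final noEmail = message.replaceAllMapped(
    _emailPattern,
    (m) => _maskEmail(m.group(0)!),
  );
  return noEmail.replaceAll(_phonePattern, '[phone]');
}

String _maskEmail(String email) {
  final at = email.indexOf('@');
  return '${email[0]}***${email.substring(at)}';
}

// Single choke point for logging: every message passes through redactPii
// before it is printed or forwarded to an analytics event.
void logSafely(String message) {
  // ignore: avoid_print
  print(redactPii(message));
}
```

Route analytics event properties through `redactPii` as well, since the skill applies the same rule to analytics as to logs.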

### Secure Storage & Release Build Examples

See [implementation examples](references/implementation.md) for secure storage usage and obfuscated release build commands.

## Reference & Examples

SSL Pinning & Secure Storage: [references/REFERENCE.md](references/REFERENCE.md).

## Anti-Patterns

- **No Secrets in SharedPreferences**: Use `flutter_secure_storage` for tokens and PII
- **No Hardcoded API Keys**: Use `--dart-define` or secure vaults for all secrets
- **No Unobfuscated Releases**: Always build with `--obfuscate --split-debug-info`
- **No PII in Logs**: Mask or omit sensitive data from all logs and analytics events

## Related Topics

common/security-standards | layer-based-clean-architecture | performance
