Should we obfuscate the Dart code in Flutter apps?

The question is related to this one: How to check obfuscation results of flutter app? But the answer there is unclear.

Is it possible for hackers to see the Dart code in Flutter apps? Or is it compiled in a way that is difficult to understand and track?

After unzipping the apk that resulted from flutter build apk - the only file I found related to my own Dart code was "libflutter.so". Looking at the functions in it by nm -D libflutter.so didn't show anything resembling my code, so it seems pretty safe. But - I would like someone who actually knows to confirm, perhaps I missed something.

What is the best practice used to publish Flutter apps?

UPDATE AS OF 12th October 2018: I tried obfuscating as mentioned here: https://github.com/flutter/flutter/wiki/Obfuscating-Dart-Code which resulted in a broken app (crashed on startup). So, it seems, there's no real option to obfuscate at this time anyhow.

1 answer

  • answered 2018-10-11 22:19 Stephen

    In debug mode, Flutter apps are jitted from source. This requires the source be distributed with the app. However, you shouldn't be distributing a debug build, so let's not worry about that possibility.

    In release mode your source is AoT compiled, so there is no actual copy of your source, but if someone wanted to recreate it, they could potentially (easily?) reverse engineer it from assembly.

    If you want to obfuscate your compiled code, your best bet is probably to follow the advice given here: https://github.com/flutter/flutter/wiki/Obfuscating-Dart-Code

    I don't claim to be an expert on this so please do your own research, but hopefully this points you in the right direction.

    Further reading about the build process: https://proandroiddev.com/flutters-compilation-patterns-24e139d14177
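
One way to check what a release build exposes, as an added example that is not part of the question or the answer: decompress every entry of your own APK and search it for identifiers taken from your Dart source, then compare a plain build with an obfuscated one. The identifiers, the entry name assets/snapshot.bin and both sample APKs are constructed for illustration.

```python
import io
import zipfile


def find_leaked_identifiers(apk_bytes, identifiers):
    """Return {entry name: sorted identifiers found} for one APK.

    Entries are decompressed before searching: scanning the raw .apk
    file would miss names inside DEFLATE-compressed entries.
    """
    wanted = [(name, name.encode("utf-8")) for name in identifiers]
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)
            found = sorted(name for name, raw in wanted if raw in data)
            if found:
                hits[info.filename] = found
    return hits


def build_sample_apk(snapshot_blob):
    """Constructed stand-in for an APK (not a real Flutter build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF\x00engine_only\x00")
        apk.writestr("assets/snapshot.bin", snapshot_blob)  # hypothetical entry
    return buf.getvalue()


# Hypothetical class and method names from the app's own Dart source.
IDENTIFIERS = ["PaymentRepository", "_validateLicenseKey"]

# Constructed blobs: one keeps the original names, one has them renamed.
PLAIN_APK = build_sample_apk(
    b"\x00\x01PaymentRepository\x00_validateLicenseKey\x00\xff")
OBFUSCATED_APK = build_sample_apk(b"\x00\x01aB\x00cD\x00\xff")

if __name__ == "__main__":
    for label, apk in (("plain", PLAIN_APK), ("obfuscated", OBFUSCATED_APK)):
        report = find_leaked_identifiers(apk, IDENTIFIERS)
        print(label, report if report else "no source identifiers found")
```

An empty result only shows that those names are gone; the compiled logic is still present in the binary and can still be analysed.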