Flutter's wiki mentions obfuscation is an opt-in in release mode.
And yet, the flutter build command has no relevant option - see: flutter help -v build apk
Am I missing something here?
Did they make obfuscation the default?
Is obfuscation even relevant for flutter?
Any pointers on this would be very appreciated.
There is a simple procedure for obfuscating a Flutter app: build the release version using the --obfuscate flag combined with the --split-debug-info flag. Once you've obfuscated your binary, save the symbols file. You need it if you later want to de-obfuscate a stack trace.
Obfuscation is not supported for web apps, but a web app can be minified, which is similar. When you build a release version of a Flutter web app, it is automatically minified. For more information, see Build and release a web app. Flutter's code obfuscation, when supported, works only on a release build.
Thankfully, Flutter makes it very easy to obfuscate applications. To obfuscate your app, build a release version using the --obfuscate flag, combined with the --split-debug-info flag. Obfuscation is currently supported for release builds on Android, iOS, and macOS.
We also demonstrated that with only several lines of code, this information could be used to considerably speed up the reverse engineering of a Flutter application. We showed that as Dart and Flutter further mature, so will the reverse engineering tooling, and any current perceived difficulties will mostly be removed.
Obfuscation is needed - a flutter app knows its function names, which can be shown using Dart's StackTrace class. There's under-tested support for obfuscation. To enable it:
For Android:
Add to the file [ProjectRoot]/android/gradle.properties:
extra-gen-snapshot-options=--obfuscate
For iOS:
First, edit [FlutterRoot]/packages/flutter_tools/bin/xcode_backend.sh:
Locate the build aot call, and add a flag to it,
${extra_gen_snapshot_options_or_none}
defined as:
local extra_gen_snapshot_options_or_none=""
if [[ -n "$EXTRA_GEN_SNAPSHOT_OPTIONS" ]]; then
  extra_gen_snapshot_options_or_none="--extra-gen-snapshot-options=$EXTRA_GEN_SNAPSHOT_OPTIONS"
fi
To apply your changes, in [FlutterRoot], run
git commit -am "Enable obfuscation on iOS"
flutter
(Running "flutter" after the commit rebuilds flutter tools.)
Next, in your project, add the following to the [ProjectRoot]/ios/Flutter/Release.xcconfig file:
EXTRA_GEN_SNAPSHOT_OPTIONS=--obfuscate
PS: Haven't tried the --save-obfuscation-map flag mentioned at https://github.com/dart-lang/sdk/issues/30524
Again, obfuscation isn't very well tested, as mentioned by @mraleph.
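A pre-release check for the two per-platform settings named in the answer above, as an added example that is not part of the original answer or of Flutter's tooling. The function names are hypothetical, and treating the option value as a comma-separated list is an assumption; it does not cover builds that pass --obfuscate on the command line instead.

```shell
#!/bin/sh
# Added example: audit a Flutter project for the per-platform settings
#   android/gradle.properties      extra-gen-snapshot-options=--obfuscate
#   ios/Flutter/Release.xcconfig   EXTRA_GEN_SNAPSHOT_OPTIONS=--obfuscate

# has_option FILE KEY OPTION
# Succeeds when FILE has an uncommented "KEY=..." line whose value
# (assumed to be a comma-separated list) contains OPTION exactly.
has_option() {
  [ -f "$1" ] || return 1
  awk -v key="$2" -v opt="$3" '
    /^[ \t]*(#|!|\/\/)/ { next }           # skip comment lines
    {
      line = $0
      sub(/\r$/, "", line)                  # tolerate CRLF line endings
      eq = index(line, "=")
      if (eq == 0) next
      k = substr(line, 1, eq - 1)
      v = substr(line, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      found = 0                             # a later assignment overrides
      n = split(v, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] == opt) found = 1
      }
    }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# audit_obfuscation PROJECT_ROOT
# Prints one line per platform; returns non-zero if either one is missing.
audit_obfuscation() {
  audit_rc=0
  if has_option "$1/android/gradle.properties" extra-gen-snapshot-options --obfuscate
  then echo "android: --obfuscate set"
  else echo "android: --obfuscate NOT set"; audit_rc=1
  fi
  if has_option "$1/ios/Flutter/Release.xcconfig" EXTRA_GEN_SNAPSHOT_OPTIONS --obfuscate
  then echo "ios: --obfuscate set"
  else echo "ios: --obfuscate NOT set"; audit_rc=1
  fi
  return "$audit_rc"
}

# Run the audit when a project root is given as the first argument.
if [ "$#" -gt 0 ]; then audit_obfuscation "$1"; fi
```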