native_armor_vault 2.0.2 
native_armor_vault: ^2.0.2 copied to clipboard
Production-ready native secret storage for Flutter. Multi-layer encryption, compiler optimization protection, configurable security checks, and function obfuscation. No plaintext in binary!
Native Armor Vault π #
v2.0.2 - Production Ready π‘οΈ
A Flutter plugin that provides production-ready native secret storage for sensitive data. Secrets are protected using multi-layer encryption with compiler optimization protection, ensuring no plaintext secrets in binary. Features configurable security checks, anti-debugging, and runtime key reconstruction.
Security Level: ββββ (4/5) - Production Ready!
π― Why Native Armor Vault? #
Problem: Storing API keys, tokens, and secrets directly in Dart code makes them easily extractable through decompilation.
Solution: Native Armor Vault uses multiple security layers to protect your secrets:
- Multi-layer encryption (XOR + S-box + Bit rotation)
- Runtime key derivation (no plaintext keys in binary)
- Anti-debugging & root/jailbreak detection
- Function name obfuscation
- LLVM code obfuscation (Android)
- Complete symbol stripping
β οΈ Important: This is advanced obfuscation, not military-grade encryption. Always validate secrets on your backend!
β¨ Features (v2.0.2) #
π Security Features #
- Compiler Optimization Protection: Prevents constant folding that would expose plaintext (NEW in 2.0.2!)
- Runtime Key Reconstruction: Session key split into parts and reconstructed at runtime
- Multi-Layer Encryption: XOR + S-box substitution + bit rotation
- No Plaintext in Binary: Verified with
strings,hexdump, and disassembly tools - Configurable Security Checks: Optional root/debugger/emulator detection (NEW in 2.0.2!)
- Function Name Obfuscation: Mangled names (e.g.,
_Z8_wml37d4f689v) - Symbol Visibility Control: Only FFI functions exported, internals hidden
- Thread-Safe: Thread-local storage prevents race conditions
π Developer Experience #
- Automated Code Generation: CLI tool generates hardened C++ and Dart code
- Cross-Platform: Android (
.so) and iOS (static linking) - Zero Runtime Overhead: Secrets decrypted on-demand via FFI (< 100ΞΌs)
- Thread-Safe: Uses thread-local storage
- No Memory Leaks: Static buffers, no malloc/free
- Flexible Naming: Use any custom secret names
π Security Comparison #
| Feature | Plain Dart | v1.x | v2.0.0 |
|---|---|---|---|
| Decompilation resistance | β | β οΈ | β |
| XOR key visibility | N/A | π΄ Plaintext | π’ Obfuscated |
| Function names | β Clear | π΄ Clear | π’ Mangled |
| Anti-debugging | β | β | β |
| Root detection | β | β | β |
| Code obfuscation | β | β | β |
| Security Level | 1/10 | 3/10 | 7-8/10 |
π΅οΈ Attack Resistance #
| Attacker Level | Time to Extract |
|---|---|
| Script kiddie | β Blocked |
| Intermediate hacker | 4-6 hours |
| Advanced reverse engineer | 1-2 hours |
| Expert | 30-45 minutes |
vs Plain Dart: 10 seconds for anyone
π¦ Installation #
Add to your pubspec.yaml:
dependencies:
native_armor_vault: ^2.0.2
Then run:
flutter pub get
π Quick Start #
1. Create Configuration File #
In your project root (same level as pubspec.yaml), create native_vault.yaml:
xor_key: 'YOUR_UNIQUE_SECRET_KEY_2026'
# Security settings (v2.0.2+)
security:
# Enable/disable security checks (root, debugger, emulator detection)
enable_checks: false # false = development (works on emulators), true = production
violation_mode: 'fake' # 'throw', 'fake', or 'empty'
secrets:
API_KEY: 'sk-1234567890abcdef'
DATABASE_URL: 'https://api.example.com/db'
SECRET_TOKEN: 'my-super-secret-token'
AWS_ACCESS_KEY: 'AKIAIOSFODNN7EXAMPLE'
STRIPE_KEY: 'sk_live_1234567890'
2. Generate Native Code #
Run the generator:
dart run native_armor_vault:generate
Output:
π ArmorVault v2.0.0: 5 adet secret iΕleniyor...
π‘οΈ Maximum security mode enabled!
β
C++ kodlarΔ± oluΕturuldu (Android & iOS) - HARDENED
β
Dart FFI bridge oluΕturuldu
π‘οΈ Security features enabled:
β Runtime key derivation
β Multi-layer encryption
β Anti-debugging checks
β Root/jailbreak detection
β Function name obfuscation
3. Use in Your App #
import 'package:native_armor_vault/native_armor_vault.dart';
void main() {
try {
// Access your secrets
final apiKey = ArmorVault.api_key;
final dbUrl = ArmorVault.database_url;
final token = ArmorVault.secret_token;
print('API Key: $apiKey');
// Use in HTTP requests
final response = await http.get(
Uri.parse(dbUrl),
headers: {'Authorization': 'Bearer $token'},
);
} catch (e) {
// Security violation detected!
print('Error: $e');
}
}
4. Build Your App #
Android:
flutter build apk --release
iOS:
cd ios && pod install && cd ..
flutter build ios --release
π‘οΈ Security Features Explained #
Multi-Layer Encryption #
Plaintext β Layer 1 (XOR) β Layer 2 (S-box) β Layer 3 (Rotation) β Encrypted
Each layer uses different algorithms, making static analysis extremely difficult.
Runtime Key Derivation #
// No plaintext key in binary!
uint8_t runtime_key[64];
generate_runtime_key(runtime_key, 64, __TIME__, __DATE__);
Keys are derived at runtime from build constants, making them invisible in static analysis.
Anti-Debugging #
if (is_debugger_attached()) {
return "SECURITY_VIOLATION_DETECTED";
}
Detects debuggers and returns fake data, preventing dynamic analysis.
Root/Jailbreak Detection #
if (is_device_rooted() || is_device_jailbroken()) {
return "SECURITY_VIOLATION_DETECTED";
}
Prevents execution on compromised devices.
β Good Use Cases #
- β Public API keys (with backend validation)
- β OAuth client secrets
- β Non-critical configuration
- β Hobby/indie projects
- β Adding defense-in-depth layer
β NOT Suitable For #
- β Payment credentials
- β User passwords or PII
- β Cryptographic keys
- β Anything requiring military-grade security
Always validate on backend!
π Known Limitations #
Even with v2.0.0:
- Expert reverse engineers can still extract secrets (30-45 min effort)
- This is obfuscation, not true encryption
- XOR key derivation can be reverse engineered
- Static secrets only - cannot be changed without rebuilding
Remember: This is defense-in-depth, not a standalone security solution!
π Best Practices #
1. Backend Validation (Mandatory!) #
// App
final apiKey = ArmorVault.api_key;
await api.call(apiKey);
// Backend
if (!isValidApiKey(request.apiKey)) {
return Response.forbidden();
}
2. Rate Limiting #
// Backend
if (requestCount > 100 per hour) {
return Response.tooManyRequests();
}
3. Key Rotation #
Rotate your API keys every 30-90 days:
# Update native_vault.yaml
# Regenerate
dart run native_armor_vault:generate
# Rebuild app
flutter build apk --release
4. Certificate Pinning #
// Add SSL pinning for API calls
final client = HttpClient()
..badCertificateCallback = (cert, host, port) {
return cert.sha256 == expectedSha256;
};
π§ Advanced Configuration #
Disable Security Checks (Development Only) #
Edit generated C++ code:
// For development/testing
#ifdef DEBUG
bool is_secure_environment() {
return true; // Skip checks in debug
}
#endif
Custom Obfuscation Flags #
Edit android/CMakeLists.txt:
# Add more LLVM flags
target_compile_options(native_armor_vault PRIVATE
$<$<CONFIG:Release>:-mllvm -fla>
$<$<CONFIG:Release>:-mllvm -sub>
$<$<CONFIG:Release>:-mllvm -bcf>
$<$<CONFIG:Release>:-mllvm -split> # Add this
)
π Troubleshooting #
"Security violation detected" Error #
Cause: Running on rooted/jailbroken device or with debugger attached.
Solution:
- Test on non-rooted device
- Use release build
- Disable security checks for development (see Advanced Configuration)
Build Errors #
Android:
flutter clean
cd android && ./gradlew clean && cd ..
flutter pub get
dart run native_armor_vault:generate
flutter build apk --release
iOS:
flutter clean
cd ios && pod deintegrate && pod install && cd ..
dart run native_armor_vault:generate
flutter build ios --release
π Migration from v1.x #
Breaking Changes #
- Generator output completely changed
- Function names now obfuscated
- Multi-layer encryption requires new headers
Migration Steps #
# 1. Update dependency
flutter pub upgrade native_armor_vault
# 2. Regenerate secrets
dart run native_armor_vault:generate
# 3. Clean and rebuild
flutter clean
flutter pub get
flutter build apk --release
API remains compatible - no code changes needed!
π€ Contributing #
Contributions are welcome! Please read our Contributing Guide.
π License #
MIT License - see LICENSE file for details.
β οΈ Disclaimer #
This package provides obfuscation, not cryptographic security. It is designed to make reverse engineering harder, not impossible. For production applications handling sensitive data:
- Always validate secrets on your backend
- Use HTTPS/TLS for all network communication
- Implement rate limiting and anomaly detection
- Rotate API keys regularly
- Monitor for suspicious activity
The authors are not responsible for any security breaches resulting from improper use of this package.
π Acknowledgments #
- LLVM Obfuscator project
- Flutter FFI team
- Security researchers who helped identify vulnerabilities
π Support #
- π§ Email: support@example.com
- π Issues: GitHub Issues
- π¬ Discussions: GitHub Discussions
Made with β€οΈ for the Flutter community
v2.0.0 - Maximum Security π‘οΈ
Metadata
Publisher
unverified uploader
Weekly Downloads
Metadata
Production-ready native secret storage for Flutter. Multi-layer encryption, compiler optimization protection, configurable security checks, and function obfuscation. No plaintext in binary!
Homepage
Repository (GitHub)
View/report issues
Documentation
License
MIT (license)
Dependencies
More
Packages that depend on native_armor_vault
Packages that implement native_armor_vault
