flutter-security

Security & Data Integrity (Architect Level)


  • AES-256-GCM: Use Authenticated Encryption for all sensitive storage.
  • Secret Storage: Mandatory use of flutter_secure_storage for encryption keys and master-derived keys.
  • Key Derivation: Mandate NIST-approved hashing (Argon2id) for master password derivation before local storage encryption and export.
  • Memory Safety: Strictly clear sensitive variables (passwords, keys) from memory when the operation finishes or the app enters the background.
  • Clipboard Safety: Mandate programmatic clearing of sensitive data (OTPs, Passwords) after a short duration (30-60s).
  • Biometric Gate: Mandatory local authentication for any view, export, or destructive action.
  • Audit Log: All security-sensitive actions should be logged via AppLogger (excluding raw secrets).
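
An added example, not code from the original page, showing one way to implement the Memory Safety and Clipboard Safety rules above with Flutter SDK calls only. The names SensitiveDataGuard, track, copySecret, clearClipboard and wipeBuffers and the 30-second lifetime are assumptions, and a single instance that lives as long as the app is assumed.

```dart
import 'dart:async';
import 'dart:typed_data';
import 'package:flutter/services.dart';
import 'package:flutter/widgets.dart';

// Added example: class and method names are assumptions, not from the page.
class SensitiveDataGuard with WidgetsBindingObserver {
  SensitiveDataGuard() { WidgetsBinding.instance.addObserver(this); }
  static const ttl = Duration(seconds: 30); // within the page's 30-60s window
  final List<Uint8List> _buffers = [];
  Timer? _timer;
  DateTime? _deadline;
  int? _copiedHash; // hash only, so no extra copy of the secret is retained

  // Dart Strings are immutable and cannot be zeroed; hold keys in byte buffers.
  void track(Uint8List buffer) => _buffers.add(buffer);

  Future<void> copySecret(String secret) async {
    _timer?.cancel();
    _copiedHash = secret.hashCode;
    _deadline = DateTime.now().add(ttl);
    await Clipboard.setData(ClipboardData(text: secret));
    _timer = Timer(ttl, clearClipboard);
  }

  // Clears only if the clipboard still holds the copied secret, so text the
  // user copied afterwards is left alone.
  Future<void> clearClipboard() async {
    final expected = _copiedHash;
    _copiedHash = null;
    _deadline = null;
    final text = (await Clipboard.getData(Clipboard.kTextPlain))?.text;
    if (expected != null && text != null && text.hashCode == expected) {
      await Clipboard.setData(const ClipboardData(text: ''));
    }
  }

  void wipeBuffers() {
    for (final b in _buffers) b.fillRange(0, b.length, 0);
    _buffers.clear();
  }

  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    if (state == AppLifecycleState.paused) wipeBuffers();
    // Timers can stall while the app is suspended; re-check on resume.
    final due = _deadline != null && !DateTime.now().isBefore(_deadline!);
    if (state == AppLifecycleState.resumed && due) clearClipboard();
  }
}
```

The clipboard is deliberately not cleared on pause, because the user normally leaves the app to paste the value; the deadline is enforced by the timer and again on resume.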

Input & API Security

  • Input Validation: Validate and sanitize all user-facing input fields before processing or storage.
  • HTTPS Only: All API communication MUST use HTTPS. Consider certificate pinning for sensitive applications.
  • Token Storage: STRICTLY prohibit storing tokens, API keys, or credentials in source code or public repositories. Use flutter_secure_storage or environment-based injection.