Session

Security-First Flutter Apps Beyond Obfuscation

Client-side security is often misunderstood in mobile development. Many Flutter applications rely on obfuscation, hidden APIs, or assumed trust in the client—only to discover in production that these measures offer limited protection against real-world threats.

This session explores what security actually means in Flutter applications and where the true trust boundaries lie. Rather than focusing on theoretical vulnerabilities, the talk examines realistic attack surfaces such as reverse engineering, insecure local storage, intercepted network traffic, and overly trusted client logic.

Through practical examples and architectural analysis, attendees will learn how to design Flutter apps with a security-first mindset—acknowledging what cannot be secured on the client, strengthening data flows, and making informed decisions about responsibility between client and backend systems. The goal is not perfect security, but a resilient design that reduces risk and limits blast radius when assumptions fail.

What the Audience Will Learn

1. Why obfuscation alone provides limited real-world security
2. Common client-side attack surfaces in Flutter applications
3. How to define and enforce clear trust boundaries between app and backend
4. Practical strategies to reduce risk without over-engineering

Key Topics Covered

1. Reverse engineering realities for mobile apps
2. Client-side data storage risks and mitigation strategies
3. Secure communication and data flow design
4. Trust boundaries and responsibility separation
5. Threat modelling for Flutter applications
6. Designing for damage control, not absolute prevention

Hema Sai Charan Kothamasu

Hema Sai Charan | Lead Software Engineer | @Experian

Hyderābād, India
