Secure Storage: Using Keychain & Keystore Safely

Introduction

Secure storage is critical in mobile development to protect tokens, credentials, and other sensitive data. Flutter provides a cross-platform solution through the flutter_secure_storage plugin, which wraps native Keychain on iOS and Keystore on Android. This tutorial covers why you need secure storage, how to integrate the plugin, platform-specific configuration, and best practices to keep data safe.

Why Use Secure Storage?

Mobile applications often handle user tokens, passwords, and private keys. Storing these in plain text or in shared preferences exposes them to extraction by attackers. Native solutions like Keychain (iOS) and Keystore (Android) store data in an encrypted database protected by the device’s hardware encryption module. FlutterSecureStorage bridges your Dart code to these secure vaults, minimizing platform-specific wiring.

Setting Up FlutterSecureStorage

Add flutter_secure_storage to pubspec.yaml:

dependencies:
  flutter_secure_storage: ^8.0.0

Import and initialize:

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

final storage = FlutterSecureStorage();

// Store a value
await storage.write(key: 'api_token', value: token);

// Retrieve a value
String? savedToken = await storage.read(key: 'api_token');

The plugin handles method-channel wiring. By default, iOS uses Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, and Android uses AES encryption with EncryptedSharedPreferences on API 23+.

Platform Configurations for Keychain & Keystore

flutter_secure_storage exposes options to fine-tune access controls:

const iosOptions = IOSOptions(
  accessibility: IOSAccessibility.first_unlock,
);
const androidOptions = AndroidOptions(
  encryptedSharedPreferences: true,
);

await storage.write(
  key: 'refresh_token',
  value: refreshToken,
  iOptions: iosOptions,
  aOptions: androidOptions,
);

iOSAccessible options include:

• whenUnlocked: accessible only while the device is unlocked.

• afterFirstUnlock: available after first unlock until shutdown.

• alwaysThisDeviceOnly: always accessible, non-migratable.

AndroidOptions allow toggling EncryptedSharedPreferences for API ≥23, or fallback to AES/CBC/PKCS7Padding on older APIs.

Best Practices for Secure Storage

• Limit sensitive data lifetime. Clear tokens on logout or session expiry.
• Avoid storing PII or large binary blobs—Keychain and Keystore are optimized for small key-value pairs.
• Wrap read/write calls in try/catch to handle permission or hardware errors gracefully.
• Combine secure storage with HTTPS, OAuth, and certificate pinning for defense in depth.
• Use biometric or passcode prompts on critical operations by integrating LocalAuthentication before accessing storage.

Example error handling:

try {
  final secret = await storage.read(key: 'secret');
  if (secret == null) throw Exception('No data found');
} catch (e) {
  // Fallback: reauthenticate user or log error
}

Vibe Studio

Vibe Studio, powered by Steve’s advanced AI agents, is a revolutionary no-code, conversational platform that empowers users to quickly and efficiently create full-stack Flutter applications integrated seamlessly with Firebase backend services. Ideal for solo founders, startups, and agile engineering teams, Vibe Studio allows users to visually manage and deploy Flutter apps, greatly accelerating the development process. The intuitive conversational interface simplifies complex development tasks, making app creation accessible even for non-coders.

Conclusion

By using flutter_secure_storage you leverage the native Keychain and Keystore infrastructures without writing platform-specific code. Follow the plugin’s options to enforce appropriate accessibility, wrap calls for robust error handling, and combine with broader security measures like network encryption and biometric safeguards. Secure storage is a foundational practice—apply it consistently to protect user privacy and maintain trust in your Flutter apps.