Reconsidering FlutterSecureStorage in light of v10.0.0 major release

[emil-st]

Discussion: Reconsidering FlutterSecureStorage in light of v10.0.0 major release

Hi OIDC maintainers! 👋

First, I want to say thank you for your excellent work on this library. The OIDC package has been incredibly helpful for our project, and we really appreciate your ongoing dedication to maintaining it.

Background

I noticed that starting from version 0.13.0, OIDC migrated from flutter_secure_storage to simple_secure_storage, with the reasoning that flutter_secure_storage appeared to be unmaintained. This made complete sense at the time given the maintenance concerns.

Recent Development

However, I wanted to bring to your attention that flutter_secure_storage just published version 10.0.0 (released December 11, 2024 - literally hours ago!). This is a huge major release with comprehensive improvements across all platforms:

Key improvements include:

Android:

• Complete rewrite with custom secure ciphers (migrated from deprecated Jetpack Security library)
• Enhanced biometrics support with graceful degradation
• Updated to SDK 36, Java 17
• Minimum SDK raised from 19 to 23
• Automatic migration tools for data encryption upgrades

iOS/macOS:

• Merged into unified flutter_secure_storage_darwin package
• Swift Package Manager support
• Improved keychain operations with serial queues
• Privacy manifest included
• Minimum iOS version raised from 9 to 12
• Minimum macOS version raised to 10.14

Web:

• Full WASM compatibility
• Migrated to modern web package with js-interop
• Session storage support via useSessionStorage parameter
• Secure context validation

Windows:

• FFI-based implementation with win32 package (v5.5.4)
• Data now written to encrypted files instead of Windows credential system

Linux:

• Memory management fixes
• Improved error handling for keyring operations
• Removed libjsoncpp1 dependency

General:

• New listener functionality via FlutterSecureStorage().registerListener()
• Dart SDK support updated to <4.0.0
• Comprehensive test coverage improvements
• Extensive documentation updates

The changelog shows active development with multiple beta releases (10.0.0-beta.1 through beta.5) addressing security issues, platform updates, and modernization efforts throughout 2024.

Question

Given this major revival and modernization of flutter_secure_storage, would you be open to reconsidering its use in a future version of OIDC? I completely understand if there are technical reasons or architectural decisions that make this impractical, and I respect whatever direction you choose.

I'm curious about your thoughts on this, especially since:

1. The package now appears to be actively maintained again with significant investment
2. It has significantly broader platform support and adoption in the Flutter ecosystem
3. The security improvements in v10.0.0 address many of the underlying platform-specific concerns
4. The package has comprehensive platform coverage (Android, iOS, macOS, Windows, Linux, Web)

Our Context

We're currently using OIDC 0.12.1+2 in our B2C mobile application. We attempted to upgrade to 0.13.0, but unfortunately encountered a critical blocker: we were unable to publish our app to the Play Store because dependencies of simple_secure_storage in that version used packages that don't pass Android's 16KB page size requirement.

This 16KB page requirement is becoming increasingly important for Android apps, especially as Google enforces it for new devices. The inability to upgrade has left us in a difficult position, as we want to stay current with the OIDC package but are blocked by this platform compatibility issue.

With flutter_secure_storage v10.0.0 now addressing Android compatibility (minimum SDK 23, updated to SDK 36, modern cipher implementations), it might offer a path forward that satisfies both security requirements and platform constraints.

Understanding the long-term storage strategy would help us make informed decisions about our architecture and upgrade path.

Again, thank you for all your hard work, and I look forward to hearing your perspective on this! 🙏

---

References:

• flutter_secure_storage v10.0.0 changelog: https://pub.dev/packages/flutter_secure_storage/changelog

[ahmednfwela]

hi @emil-st thanks for the informative post, I will be sure to check it and switch back to it after testing

I also have plans to support 16kb and swift package manager soon

[emil-st]

Thank you for sharing your plans — that’s good to hear. Do you happen to have an approximate timeline for when these changes might be available?

[ahmednfwela]

I will be working on it over the weekend, expect it to be done in hopefully a week

[emil-st]

I will be working on it over the weekend, expect it to be done in hopefully a week

Hi @ahmednfwela!
I just wanted to follow up and see if there are any updates. Really appreciate your work on this.

[emil-st]

@ahmednfwela Thank you a lot! Appreciate your work on this!