Dart Grpc Client Insecure Connection
Description
This detector identifies insecure gRPC channel connections in Dart applications. When gRPC channels are created without proper security configurations, they may transmit sensitive data over unencrypted connections, exposing it to network interception attacks. The vulnerability occurs when developers use insecure channel creation methods or configurations that don't enforce encryption.
Detection Strategy
• Scans Dart source files (excluding test files) that import gRPC-related packages to check for insecure channel configurations
• Identifies method calls or expressions that create gRPC channels using imported channel creation functions from the gRPC package
• Checks if these channel creation calls use insecure sink methods or configurations that don't enforce encryption or secure transport
• Reports a vulnerability when gRPC channel creation expressions are found that use insecure connection methods instead of secure alternatives
Vulnerable code example
```dart
import 'package:grpc/grpc.dart';

ClientChannel createInsecureChannel() {
  return ClientChannel(
    'host.example.com',
    port: 50051,
    options: ChannelOptions(
      credentials: ChannelCredentials.insecure(), // VULNERABLE: creates unencrypted gRPC connection...
    ),
  );
}
```
✅ Secure code example
```dart
import 'package:grpc/grpc.dart';

ClientChannel createSecureChannel() {
  return ClientChannel(
    'host.example.com',
    port: 50051,
    options: ChannelOptions(
      credentials: ChannelCredentials.secure(), // SECURE: uses TLS encryption for gRPC connection...
    ),
  );
}
```