When building Flutter applications that integrate with Odoo ERP systems—such as our comprehensive Mobo mobile suite—one of the most critical aspects is securing user credentials. Storing sensitive information like usernames, passwords, API keys, and authentication tokens requires careful consideration and the strict implementation of security best practices.
In this comprehensive guide, we'll explore how to securely store and manage Odoo credentials in your Flutter applications, covering multiple storage approaches and security considerations specific to Odoo integration.
Why Credential Security Matters in Odoo Integration
Odoo ERP systems contain sensitive business data, including financial records, customer information, inventory data, and employee details. Compromised credentials can lead to:
- Unauthorized access to critical business data
- Data breaches and compliance violations
- Manipulation of business records and transactions
- Financial losses and reputational damage
Therefore, implementing robust credential security is not optional—it's essential for protecting your organization's data and maintaining user trust, a standard we strictly adhere to across all Mobo applications.
Understanding Odoo Authentication Methods
Before diving into secure storage, it's important to understand how Odoo authentication works:
1. Username and Password Authentication
The traditional method is where users authenticate with their Odoo username and password. This requires storing or temporarily handling sensitive credentials.
2. API Keys (Recommended)
Odoo supports API key authentication, which is more secure than storing passwords. API keys can be generated in Odoo and used for programmatic access.
3. Session Tokens
After initial authentication, Odoo returns session tokens that can be used for subsequent requests without repeatedly transmitting credentials.
Implementing Flutter Secure Storage for Odoo Credentials
flutter_secure_storage package is the recommended approach for storing Odoo credentials. It uses platform-specific secure storage mechanisms:
- iOS: Keychain Services
- Android: Android Keystore System
Step 1: Add Dependencies
First, add the flutter_secure_storage package to your
pubspec.yaml file:
dependencies:
flutter:
sdk: flutter
flutter_secure_storage: ^9.0.0
Install the package:
flutter pub get
Step 2: Create an Odoo Credential Manager
Create a dedicated class to manage Odoo credentials securely:
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
class OdooCredentialManager {
static const _storage = FlutterSecureStorage();
// Storage keys
static const String _keyUrl = 'odoo_url';
static const String _keyDatabase = 'odoo_database';
static const String _keyUsername = 'odoo_username';
static const String _keyApiKey = 'odoo_api_key';
static const String _keySessionId = 'odoo_session_id';
static const String _keyUserId = 'odoo_user_id';
// Save Odoo credentials
static Future<void> saveCredentials({
required String url,
required String database,
required String username,
required String apiKey,
String? sessionId,
int? userId,
}) async {
await _storage.write(key: _keyUrl, value: url);
await _storage.write(key: _keyDatabase, value: database);
await _storage.write(key: _keyUsername, value: username);
await _storage.write(key: _keyApiKey, value: apiKey);
if (sessionId != null) {
await _storage.write(key: _keySessionId, value: sessionId);
}
if (userId != null) {
await _storage.write(key: _keyUserId, value: userId.toString());
}
}
// Get stored credentials
static Future<Map<String, String?>> getCredentials() async {
return {
'url': await _storage.read(key: _keyUrl),
'database': await _storage.read(key: _keyDatabase),
'username': await _storage.read(key: _keyUsername),
'apiKey': await _storage.read(key: _keyApiKey),
'sessionId': await _storage.read(key: _keySessionId),
'userId': await _storage.read(key: _keyUserId),
};
}
// Clear all credentials
static Future<void> clearCredentials() async {
await _storage.deleteAll();
}
}
Step 3: Using the Credential Manager
Here's how to use the credential manager in your application:
// Save credentials after successful login
await OdooCredentialManager.saveCredentials(
url: 'https://yourcompany.odoo.com',
database: 'your_database',
username: 'user@example.com',
apiKey: 'your_api_key_here',
sessionId: sessionId,
userId: userId,
);
// Retrieve credentials
final credentials = await OdooCredentialManager.getCredentials();
final url = credentials['url'];
final apiKey = credentials['apiKey'];
// Clear credentials on logout
await OdooCredentialManager.clearCredentials();
Additional Security Best Practices
Building a secure app like Mobo requires going beyond just storing the keys. Consider these additional layers:
1. Use API Keys Instead of Passwords
Whenever possible, use Odoo API keys instead of storing user passwords. API keys can be revoked without changing the user's password and provide better audit trails.
2. Implement Certificate Pinning
Add SSL certificate pinning to prevent man-in-the-middle attacks:
dependencies:
http_certificate_pinning: ^2.1.1
3. Enable Biometric Authentication
Add an extra layer of security by requiring biometric authentication before accessing stored credentials:
import 'package:local_auth/local_auth.dart';
final localAuth = LocalAuthentication();
Future<Map<String, String?>> getSecureCredentials() async {
final authenticated = await localAuth.authenticate(
localizedReason: 'Authenticate to access Odoo',
options: const AuthenticationOptions(
stickyAuth: true,
biometricOnly: true,
),
);
if (authenticated) {
return await OdooCredentialManager.getCredentials();
}
throw Exception('Authentication failed');
}
4. Implement Session Timeout
Automatically clear credentials after a period of inactivity:
class SessionManager {
static DateTime? _lastActivity;
static const Duration _timeout = Duration(minutes: 15);
static void updateActivity() {
_lastActivity = DateTime.now();
}
static bool isSessionValid() {
if (_lastActivity == null) return false;
return DateTime.now().difference(_lastActivity!) < _timeout;
}
}5. Secure Network Communication
Always use HTTPS for Odoo API communications and validate SSL certificates:
import 'package:http/http.dart' as http;
Future<http.Response> secureOdooRequest(String endpoint) async {
final credentials = await OdooCredentialManager.getCredentials();
final url = credentials['url'];
// Ensure HTTPS
if (!url!.startsWith('https://')) {
throw Exception('Only HTTPS connections allowed');
}
return await http.get(
Uri.parse('$url$endpoint'),
headers: {
'X-Openerp-Session-Id': credentials['sessionId'] ?? '',
},
);
}
Common Security Mistakes to Avoid
- Never hardcode credentials: Avoid storing credentials directly in source code or configuration files.
- Don't use SharedPreferences for sensitive data: SharedPreferences is not encrypted and should never be used for passwords or API keys.
- Avoid storing passwords: Use API keys or session tokens instead of storing user passwords.
- Don't log sensitive information: Never log credentials, tokens, or API keys, even in debug mode.
- Don't disable SSL verification: Always validate SSL certificates in production.
Storage Options Comparison for Odoo Credentials
| Storage Type | Security Level | Use Case | Recommended |
| Secure Storage | High - platform encrypted | Credentials, API keys, tokens | Yes |
| SharedPreferences | Low - Not encrypted | Non-sensitive settings only | No |
| SQLite | Medium - Requires encryption | Complex data, not credentials | No |
| Hive | Medium - Requires encryption | App data, not credentials | No |
Securing Odoo credentials in Flutter applications is essential for protecting sensitive business data. By following these best practices, you can build secure and reliable Flutter apps that integrate seamlessly with Odoo:
- Use flutter_secure_storage for storing all sensitive credentials
- Prefer API keys over storing passwords
- Implement certificate pinning for network security
- Add biometric authentication for extra protection
- Enable session timeouts for inactive users
- Always use HTTPS for all Odoo communications
Remember that security is not a one-time implementation but an ongoing process. Regularly review and update your security measures to protect against emerging threats and ensure your Flutter-Odoo integration remains secure.
To read more about How Mobo Apps Communicate with Odoo (XML-RPC vs JSON-RPC), refer to our blog How Mobo Apps Communicate with Odoo (XML-RPC vs JSON-RPC).