AES-256-GCM: Use Authenticated Encryption for all sensitive storage.
Secret Storage: Mandatory use of flutter_secure_storage for encryption keys and master-derived keys.
Key Derivation: Mandate NIST-approved hashing (Argon2id) for master password derivation before local storage encryption and export.
Memory Safety: Strictly clear sensitive variables (passwords, keys) from memory when the operation finishes or the app enters the background.
Clipboard Safety: Mandate programmatic clearing of sensitive data (OTPs, Passwords) after a short duration (30-60s).
Biometric Gate: Mandatory local authentication for any view, export, or destructive action.
Audit Log: All security-sensitive actions should be logged via AppLogger (excluding raw secrets).
Input & API Security
Input Validation: Validate and sanitize all user-facing input fields before processing or storage.
HTTPS Only: All API communication MUST use HTTPS. Consider certificate pinning for sensitive applications.
Token Storage: STRICTLY prohibit storing tokens, API keys, or credentials in source code or public repositories. Use flutter_secure_storage or environment-based injection.