Headline: We have a working app (Flutter + Node.js). We need a "Fixer" to secure it for launch.
**Agencies Need Not Apply. Seriously. Just don't. It's obvious and wastes both our time.**
TIMELINE: Looking to interview/hire/start work quickly (by Feb 22nd).
Would like to find someone to work with and own the code on an ongoing basis, but not required for this specific sprint.
THE STACK: Flutter (Dart/BLoC), Node.js (Express), MongoDB, AWS App Runner.
THE MISSION: We are Pre-Launch. We have performed a comprehensive audit and identified specific P0 Critical issues. Your job is to execute the Remediation Plan to get us "Green" for the App/Play stores. Estimated work is 20-25 hours.
REQUIRED EXPERIENCE: Flutter BLoC + Node.js (or evidence of having deployed an equivalent REST API in another language, e.g. Python) + Stripe implementation
•Flutter BLoC: You must be able to navigate complex Cubit state without breaking existing features.
•Backend Competence: You are comfortable working in a backend to fix logic and security flaws (even if your main strength is Flutter). If you have no Node.js experience, evidence of deploying a backend API in a comparable language (Python, etc.) will do just fine.
•Stripe Implementation: Experience with Stripe Payment Intents and native Payment Sheets.
THE "KILL LIST" (CANDIDATE MUST BE ABLE TO FIX ALL OF THESE):
1.Secrets Management & Environment Architecture:
•The Problem: The codebase currently relies on hardcoded credentials scattered throughout the files (AWS .pem, Android .jks, Firebase Keys, Cloudinary Secrets, Mailjet, and Stripe Keys).
•The Strategy: We are rotating and invalidating all these keys internally. You do not need to scrub the Git history.
•The Task: You must locate every hardcoded secret and refactor the code to use Environment Variables instead.
- Node: Implement dotenv so keys are read from process.env (dotenv only fills variables that are not already set, so values injected by App Runner take precedence over the local .env file).
- Flutter: Implement a secure strategy (e.g., flutter_dotenv or Dart build flavors with --dart-define) to handle API keys. Caveat: anything compiled into the app (a flutter_dotenv asset or a --dart-define value) can be pulled out of the APK/IPA, so only client-safe keys (the Stripe publishable key, Firebase client config) belong in the Flutter build; server-side secrets (Stripe secret key, Cloudinary, Mailjet, AWS) must live only in the backend environment.
- Result: The app must be able to run locally using a .env file (which you will create with Test keys) and accept injected Production keys via the AWS App Runner console without code changes.
2.PCI Compliance (Stripe Native):
•The Problem: The app collects card numbers in raw text fields and sends them to our backend, which puts the full PAN in our code and infrastructure (SAQ D scope).
•The Skill: Must have experience with flutter_stripe (native Payment Sheet) so card data goes from the device directly to Stripe and never touches our servers, which is what offloads PCI scope.
3.Data Privacy (Mongoose Projection):
•The Problem: The user API returns full User documents (including hashed passwords and salts) to the client.
•The Skill: Must know Mongoose data projection (.select('-password -salt')) to filter API responses, and preferably mark those fields select: false in the schema so the default query never returns them and a new route cannot reintroduce the leak.
4.Legal Logic (Waiver Bypass):
•The Problem: The "Waiver Signed?" check is commented out in the backend.
•The Skill: Basic logic flow and middleware. The check must be restored server-side as Express middleware on every route that requires a signed waiver, so the client cannot bypass it.
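An added example (not the project's code) covering items 3 and 4 together: a field allowlist for anything returned about a User, and the waiver check as middleware in the (req, res, next) shape Express calls. Express and Mongoose are not loaded so it runs offline; a small chain runner stands in for the router, the Mongoose query for the real route is shown in a comment, and the field names, routes and sample users are assumptions.

```javascript
// Added example, not the project's code. Field names, routes and data are assumed.

// Allowlist for user data sent to any client. A denylist like
// .select('-password -salt') silently leaks the next sensitive field someone
// adds (reset tokens, Stripe customer ids); an allowlist fails closed.
const PUBLIC_USER_FIELDS = ['_id', 'email', 'displayName', 'waiverSignedAt', 'createdAt'];

function toPublicUser(doc) {
  const src = typeof doc.toObject === 'function' ? doc.toObject() : doc; // Mongoose doc or plain object
  const out = {};
  for (const f of PUBLIC_USER_FIELDS) if (src[f] !== undefined) out[f] = src[f];
  return out;
}

// In the real route the lookup would be the Mongoose projection from the Kill List:
//   const doc = await User.findById(req.params.id).select('-password -salt').lean();
// Here findUserById is injected so the handler can be exercised offline.
function getUserHandler(findUserById) {
  return (req, res) => {
    const doc = findUserById(req.params.id);
    if (!doc) return res.status(404).json({ error: 'not found' });
    return res.status(200).json(toPublicUser(doc));
  };
}

// Item 4: the waiver gate lives in middleware so no route can forget it.
// Assumes earlier auth middleware populated req.user from a verified session/JWT.
function requireSignedWaiver(req, res, next) {
  const signedAt = req.user && req.user.waiverSignedAt;
  if (!(signedAt instanceof Date) || Number.isNaN(signedAt.getTime())) {
    return res.status(403).json({ error: 'waiver_required' });
  }
  return next();
}

// Minimal chain runner standing in for Express's router, to show ordering:
// the gate runs before the handler and short-circuits with 403.
function runChain(handlers, req, res) {
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Fake response object capturing status and body, in place of Express's res.
function makeRes() {
  return {
    statusCode: undefined, body: undefined,
    status(s) { this.statusCode = s; return this; },
    json(b) { this.body = b; return this; },
  };
}

// Constructed sample records, not real users.
const USERS = new Map([
  ['u1', { _id: 'u1', email: 'a@example.com', displayName: 'A', password: '$2b$10$hash1', salt: 'salt1', waiverSignedAt: new Date('2024-01-01T00:00:00Z') }],
  ['u2', { _id: 'u2', email: 'b@example.com', displayName: 'B', password: '$2b$10$hash2', salt: 'salt2' }],
]);

// Booking route: (auth assumed) -> waiver gate -> handler.
function bookingRoute(req, res) {
  return runChain([requireSignedWaiver, (rq, rs) => rs.status(201).json({ booked: true })], req, res);
}
```

In the real app, `router.post('/bookings', requireAuth, requireSignedWaiver, createBooking)` is the shape to aim for; `requireSignedWaiver` should read the waiver flag from the database-backed user, not from anything the client sends in the request body.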
5.API Security (Weather Service):
•The Problem: Hardcoded OpenWeatherMap App ID in the Flutter client. It is extractable from the published binary and can lead to automatic app store rejection.
•The Skill: Flutter build config / env management; preferably, route the weather request through our backend so the key never ships inside the app at all.
To Apply:
We are handling the security rotation internally, but we need you to fix the code structure. Please answer these two questions at the top of your cover letter:
Stripe Implementation: We are moving from raw text fields to flutter_stripe (Native Payment Sheet). Briefly explain how this changes the backend logic—specifically, what does the backend need to return to the Flutter client to initialize the Payment Sheet?
Environment Variables: We are rotating all compromised keys. We need you to refactor the app so it no longer looks for hardcoded strings.
Node: Which library would you use to manage secrets locally? Flutter: How do you handle different API keys for "Dev" vs "Prod" environments in Flutter build configurations (flavors or strict env files)?
Contract duration of 1 to 3 months, at 30 hours per week.
Mandatory skills: Stripe API, API security, REST API, Flutter, Dart, MongoDB, Smartphone