FlutterFlow generates Flutter applications backed by Firebase or Supabase. The generated code, Firebase security rules, and backend configuration each require independent governance review.
These aren't hypothetical risks; they are the patterns our engineers consistently find when reviewing FlutterFlow output.
FlutterFlow's default Firebase configuration frequently lacks granular security rules, allowing any authenticated user to read or write any record.
FlutterFlow embeds Firebase configuration keys in the client application. These keys cannot be treated as secrets: protecting the data depends on server-side security rules, not on keeping the keys hidden.
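A review check for the "any authenticated user" pattern described above, as an added example (not FlutterFlow's or this page's own code). The two rule sets are constructed samples, the `/users/{userId}` layout is an assumption, and `find_broad_rules` is a hypothetical helper name.

```python
import re

# Constructed sample: every signed-in user can read and write every document.
WEAK_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
"""

# Constructed sample: access scoped to the owning user (assumed /users/{userId} layout).
SCOPED_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""

ALLOW = re.compile(r"\ballow\s+([\w,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)
# Conditions that prove only that the caller is signed in, or nothing at all.
AUTH_ONLY = re.compile(r"^\(?\s*(true|request\.auth(\.uid)?\s*!=\s*null)\s*\)?$")

def find_broad_rules(rules_text):
    """Return (line, operations, condition) for each allow statement whose
    condition is absent, `true`, or a bare signed-in check."""
    text = re.sub(r"//[^\n]*", "", rules_text)  # drop line comments, keep newlines
    findings = []
    for m in ALLOW.finditer(text):
        ops = [o.strip() for o in m.group(1).split(",")]
        cond = (m.group(2) or "true").strip()
        if AUTH_ONLY.match(cond):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, ops, cond))
    return findings
```

The check is textual: it flags the statement, not the path it applies to, so each finding still needs a reviewer to decide whether that collection is meant to be shared.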
FlutterFlow-generated Dart code is often deeply nested, poorly documented, and difficult to maintain without the visual builder.
Generated state management patterns are frequently inefficient, causing performance degradation as application complexity grows.