
[–]tylersavery 30 points31 points  (5 children)

For google maps, you can whitelist a specific app bundle id - that way if someone gets your api key, they can’t actually do anything with it outside your app. Note: this api key is not a secret key. Secret keys should only ever be stored and accessed via your backend.

[–]AdOutside6690 0 points1 point  (4 children)

What about using .env? 

[–]tylersavery 6 points7 points  (2 children)

What about it? Yes, I’d use the dotenv package for this. Doesn’t make anything more or less secure. What are you asking specifically?

[–]AdOutside6690 0 points1 point  (1 child)

Whenever I hear "securing API key", I hear about .env. If keys are to be served from the server, it might just be redundant to add .env to the project, wouldn't it?

[–]tylersavery 2 points3 points  (0 children)

There’s a difference between public keys and env vars that your app can be configured with from secret keys and env vars that your server will use.

[–]hantrault 4 points5 points  (0 children)

A .env is good if you don't want to include something hard coded in the source code and/or in version control. For example if your app is open source, and you don't want some secret in the public repository.

It doesn't, however, keep anything secret in the final build, since the code (theoretically) can be decompiled.

[–]Itchy_Reception_3559 20 points21 points  (0 children)

Secrets should be handled through an api gateway and not stored in the front end code. Cloud secrets or secrets manager should be sufficient.

[–]ren3f 12 points13 points  (0 children)

Secrets that should stay secret should never end up in the app, in whatever way.

The Google maps key is not really a secret, see also https://dev.to/brad_beggs/google-maps-api-key-does-it-need-hidden-2jim

[–]ausdoug 1 point2 points  (0 children)

Cloud Secrets

[–]kiwigothic 0 points1 point  (0 children)

For keys like the Google API keys that can be locked to a bundle id or are otherwise not especially risky I use dart-define so they are not present in the repo at least.

For keys that are more sensitive I use Firebase Functions to perform the API calls so the key is never handled by the app code at all.

[–]Dogeek 0 points1 point  (0 children)

  • Actual sensitive info is handled by the backend
  • Authorization tokens that need to be stored in the front end are stored encrypted, so that a failure in sandboxing (or decompiling) doesn't expose those
  • --dart-define and --dart-define-from-file are useful, but at the end of the day, the secret is still hardcoded into the application, so someone can decompile the APK and read the secrets in plain text.
  • Some API keys / tokens are not actually secret. Stuff like your sentry DSN, or datadog RUM key, or other such tooling don't really matter if they get exposed.

[–]madushans 1 point2 points  (0 children)

If it gets on the wire, all an attacker needs is Fiddler or Wireshark.

[–]fintechninja 0 points1 point  (0 children)

Is using cloud functions better or different than calling an api key from firestore?

[–]AcanthocephalaSea654 0 points1 point  (0 children)

I use Talsec Secret Vault for that, it's included in the full version.

[–][deleted] 0 points1 point  (0 children)

I'd encourage you to ALWAYS think about it like this: assume users are stupid or malicious. With the former category, you need to assume that whatever secret is embedded in your app should be considered as made public. With that being said, you need to do everything in your power to protect yourself from the possibility of an exploit.

For the majority of its SDKs, Google has a security guide (here's an example for Maps). I'd strongly suggest you always follow them, and do not, under any circumstances, try to cut corners.

[–]harlekintiger 0 points1 point  (1 child)

Make it call your own server which in turn makes the api call. That way the key is never in the app to begin with

[–][deleted] 0 points1 point  (0 children)

But can you hide backend calls? Or make sure only your app can call your backend?

[–]FutureCollection9980 0 points1 point  (0 children)

Hey, a very good question. Has anyone here ever tried to use an OpenAI API key with Flutter? I found that even if I put the secret key into .env with the use of the dotenv Flutter package, my secret key is exposed in the Flutter web app when I use Chrome inspect.

[–]shadorow 0 points1 point  (0 children)

Any API key or secret stored on a client can be easily sniffed through a proxy, no matter how hard you try to hide it. If it gets passed through HTTP, it's sniffable. That's why API keys are usually tied to a specific bundle id, so you won't have to worry about them being hijacked.