
I have seen people recommend using the dotenv package to manage API keys in Flutter. I used it before, but I have seen this: when you create an apk file and use any online decompiler for apk, the .env files are there, the manifest and more. So what's the right way to manage API keys? I'm starting to think that dotenv does not make sense if it is so easy to see the files. Also, I added some restrictions for APIs from the Google console, but the keys are still out there.

3 Answers


  1. You may use some encryption algorithm provided by a library.

  2. To enhance the security of API keys in Flutter applications, it’s advisable to shift from storing sensitive information like API keys in .env files or within the app’s codebase. These can be easily exposed through decompilation. Instead, consider implementing a Backend for Frontend (BFF). This approach involves setting up a backend server that handles API requests on behalf of the mobile app. The API keys are stored and used on the server, never exposed in the client-side code, thus significantly enhancing security by isolating sensitive data from the mobile environment.

    Additionally, for any unavoidable local storage of sensitive data, use Flutter’s secure storage options such as the flutter_secure_storage package, which stores data in secure OS-specific storage, offering better protection against extraction through decompilation. This method encrypts the data and securely handles it within the device, making it suitable for storing small pieces of sensitive data that need to be accessed directly by the app.

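    The Backend for Frontend idea from the answer above, as an added example that is not from the original thread: the server alone holds the third-party key, the app presents only a session token, and the server attaches the key when it forwards an allowlisted request. The names UPSTREAM_API_KEY, SESSION_SECRET, the upstream host and the allowlisted paths are all constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholders: on a real BFF these come from the server's secret store,
# and the Flutter client never receives them.
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "placeholder-server-only-key")
SESSION_SECRET = os.environ.get("SESSION_SECRET", "placeholder-session-secret").encode()
UPSTREAM_BASE = "https://api.example.com"  # constructed upstream endpoint

# Only the endpoints the app legitimately needs are proxied. A leaked session token
# therefore cannot turn the BFF into an open proxy for everything the key unlocks.
ALLOWED_PATHS = {"/geocode", "/places"}


def issue_session(user_id: str) -> str:
    """Server issues an opaque, HMAC-signed token after the user authenticates."""
    sig = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def verify_session(token: str) -> Optional[str]:
    """Return the user id if the token's signature checks out, otherwise None."""
    user_id, _, sig = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expected) else None


def build_upstream_request(session_token: str, path: str, params: dict) -> Optional[str]:
    """Turn an app request into the upstream URL, adding the key on the server side.

    Returns None (the HTTP handler would answer 401/403) when the session is invalid
    or the requested path is not on the allowlist.
    """
    if verify_session(session_token) is None:
        return None
    if path not in ALLOWED_PATHS:
        return None
    # Any "key" the client tries to supply is discarded; the server's key is authoritative.
    clean = {k: v for k, v in params.items() if k != "key"}
    clean["key"] = UPSTREAM_API_KEY
    return f"{UPSTREAM_BASE}{path}?{urlencode(clean)}"
```

    The app only ever stores the session token (for example in flutter_secure_storage), so decompiling the apk yields nothing that authenticates against the upstream API directly.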
  3. If you want to store information in your app at runtime, such as access/refresh tokens or any other sensitive information, you should use libraries that are able to encrypt the stored data. I always use flutter_secure_storage. This package uses the secure native methods to store the information encrypted.

    But reading the context of your question, I understood that your doubt is about how to protect and obfuscate your builds in order to protect your .env file. To solve this you can use a built-in feature of the Flutter CLI. You can read more in this article.

    But beyond these solutions you can think of many methods to solve this, like renewing your tokens periodically using a Web API that you own, or encrypting your data and using a Web API to decrypt it only for your app's requests, and other ways.
