I want to store my aws s3 access key and secret key in my react native app. I am storing it in env file and using it via react-native-config. But i received a mail from play console saying the key is exposed. How should i handle this ? What is the best way to store secret keys in react native ?
I received a credential leaked alert from play console
2
Answers
Indeed, according to the React Native docs :
The solution must be to add a protective layer, many options exist (your own backend server + domain name, using a serverless options – AWS Lambda…)
Deactivate your access key and check for unauthorized access immediately. If your app has been published already, you might want to close your AWS account and open a new account – it may be simpler than auditing for unauthorized access.
It’s easy enough for anyone (or a script) to download and parse the contents of your app in search of secrets and take over your AWS account. You want to assume that anything published in your React Native app is about as secure as publishing it on a website that you’ve promoted on social media.
For S3 file uploads from your app, you’ll want to have a server-side function (your own server or a serverless function on AWS) that authenticates the user and generates a signed URL through which they can do a direct file upload from your mobile app to S3. This AWS tutorial shows how to implement serverless file uploads including a video walkthrough.
To retrieve files from S3 into your app, you’ll probably want to distribute the files from S3 (as an origin) through Cloudfront (as a distribution CDN). This way your client doesn’t need any special AWS credentials and you get better performance with a global content delivery network. For added security, you can issue signed URL’s to your authenticated user from a server-side function.