6

I'm using the googleapi's Flutter package and to use the Google Drive API, I need to put in credentials. My question is, how can I securely store them in my app so when I publish my app, they can't be taken. I found a cool package, flutter_secure_storage but to use it, I need to put all of my values into the secure storage. So how can I do that? I was thinking of using something like this, but I'm not sure. It would be great if someone could put me in the right direction as to how to do this by the book so to speak.

To further explain, I don't want to have my sensitive information in a file such as main.dart as a variable to put into storage (if it isn't there already).

Samet ÖZTOPRAK
  • 3,112
  • 3
  • 32
  • 33
Benjamin
  • 5,783
  • 4
  • 25
  • 49
  • [android - Best practice for storing and protecting private API keys in applications - Stack Overflow](https://stackoverflow.com/questions/14570989/best-practice-for-storing-and-protecting-private-api-keys-in-applications) – Mohamed Elrashid Sep 29 '19 at 10:55

3 Answers3

8

You can do this by using the flutter_dotenv package.
Create a .env file in the root of your project: 

GOOGLE_API = API_KEY

Add the .env file to your assets bundle in pubspec.yaml 

assets:
  - .env

Add the .env file as an entry in your .gitignore if it isn't already

.env*

Access variables from .env throughout the application

DotEnv().env['GOOGLE_API'];

Read more on how to install and use the package here: flutter_dotenv

mjhansen3
  • 955
  • 1
  • 9
  • 14
  • 2
    Any way this will be bundled with APK if you generate the one. And it can be easily retrieve during the reverse engineering of the APK.. . – Swaminathan V May 26 '20 at 12:22
  • 2
    @RaguSwaminathan, that's just no possible. any api keys stored on device can be hacked. if you can't have your keys compromised, you'll have to keep them in the backend server instead. – Lucas Chwe Aug 12 '20 at 19:14
  • @Lucas Chwe But if I put a network debugger like Fiddler I can check the endpoint and replicate the request to get the API key. – Daniel Arechiga Jan 18 '22 at 04:37
1

I advise you to create a database to store your keys. You can set up a small backend connected to your base that you contact, So you can implement all the security you want. This is the safest way

N. Henoc HOUNSA
  • 169
  • 1
  • 9
0

It’s not possible to store secret credentials in the app. Think other way around and secure the API key with appropriate permissions from the google cloud platform.

Secure storage is intended for user content.

brunsi
  • 13
  • 3