2

I'm considering Firebase for my new mobile app which is an Expo app. Expo's team did a nice tutorial about it (https://docs.expo.io/versions/latest/guides/using-firebase/).

Reading this tutorial, I can see that the recommended way is to put API credentials (key, project ID, etc.) directly in the app and initialize the client that way:

```javascript
import * as firebase from 'firebase';

// Initialize Firebase
const firebaseConfig = {
  apiKey: "<YOUR-API-KEY>",
  authDomain: "<YOUR-AUTH-DOMAIN>",
  databaseURL: "<YOUR-DATABASE-URL>",
  storageBucket: "<YOUR-STORAGE-BUCKET>"
};

firebase.initializeApp(firebaseConfig);
```

The question: is it safe to put an API key in a RN (Expo) project?

enguerranws

2 Answers

0

I'm using Firebase too, along with a lot of other third-party SDKs which need API keys. I've done it by storing them in the backend, and when the app is initialized (i.e. mounted), I call a backend API which gives all the API keys, and I store them in their respective AsyncStorage entries, so that whenever I need a particular API key, I just do AsyncStorage.getItem('API_Key'), and it's both secured and cannot be tracked since it's from the backend. And obviously in the backend you want to store them as env variables. So I would suggest you follow that.

In your case, just do:

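```javascript
import AsyncStorage from '@react-native-async-storage/async-storage';
import * as firebase from 'firebase';

async function initFirebase() {
  // getItem() returns a Promise, so the stored key must be awaited
  const firebaseApiKey = await AsyncStorage.getItem('firebaseKey');

  // Initialize Firebase
  const firebaseConfig = {
    apiKey: firebaseApiKey,
    authDomain: "<YOUR-AUTH-DOMAIN>",
    databaseURL: "<YOUR-DATABASE-URL>",
    storageBucket: "<YOUR-STORAGE-BUCKET>"
  };

  firebase.initializeApp(firebaseConfig);
}
```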
Gaurav Roy
  • Is it safe to store sensitive data in AsyncStorage, which basically means that you store your API keys on each user's device? Those users could surely read your API keys (https://stackoverflow.com/questions/39148714/is-react-natives-async-storage-secure). However, my question was "is it safe to put API keys directly into RN code?" and, unfortunately, that's not an answer. – enguerranws Nov 08 '19 at 12:10
0

I'd recommend you use a service like Visual Studio App Center to define your env variables, then reference those variables in your code. During the build process, VS App Center will fit in the values in the places where you've used them in your code.

So the sensitive values never even touch your codebase. That's the safest solution I can think of.

Awa Melvine
  • That's a solution. But when VSAC builds and compiles the app, it does inject the keys into the app bundle, so I guess someone clever could read them. – enguerranws Jun 09 '20 at 07:03
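
The last comment's point, as an added example that is not part of the original thread: a build step that inlines an env variable leaves the same key literal in the shipped bundle as hard-coding it does, which a scan of the built output makes visible. The `inlineEnv` helper, the sample bundles and the key value are constructed for illustration.

```javascript
// Added example: audit a built JS bundle for Firebase-style config values.
// All bundle text below is constructed sample input.
const GOOGLE_API_KEY = /AIza[0-9A-Za-z_-]{35}/g; // shape used by Google API keys
const CONFIG_FIELD = /\b(apiKey|authDomain|databaseURL|storageBucket)\s*:\s*(["'])(.*?)\2/g;

// Show only enough of a value to locate it, never the whole secret.
const redact = (v) => (v.length <= 8 ? '*'.repeat(v.length) : `${v.slice(0, 4)}...${v.slice(-2)}`);

function auditBundle(source) {
  const findings = [];
  for (const m of source.matchAll(CONFIG_FIELD)) {
    findings.push({ kind: 'config-field', field: m[1], offset: m.index, value: redact(m[3]) });
  }
  for (const m of source.matchAll(GOOGLE_API_KEY)) {
    findings.push({ kind: 'google-api-key', offset: m.index, value: redact(m[0]) });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Hypothetical stand-in for a build step that inlines env variables,
// as the CI-based answer describes: process.env.NAME -> string literal.
function inlineEnv(source, env) {
  return source.replace(/process\.env\.([A-Z0-9_]+)/g, (whole, name) =>
    name in env ? JSON.stringify(env[name]) : whole);
}

const FAKE_KEY = 'AIza' + 'X'.repeat(35); // constructed, not a real key

// 1. Key written in the source, as in the question.
const hardCoded = `firebase.initializeApp({apiKey:"${FAKE_KEY}",authDomain:"demo.example"});`;
// 2. Key kept out of the repo and injected at build time.
const repoSource = 'firebase.initializeApp({apiKey:process.env.FIREBASE_API_KEY,authDomain:"demo.example"});';
const builtBundle = inlineEnv(repoSource, { FIREBASE_API_KEY: FAKE_KEY });
// 3. Key fetched at runtime and read back from AsyncStorage.
const runtimeFetch = 'const k=await AsyncStorage.getItem("firebaseKey");firebase.initializeApp({apiKey:k});';

// Number of key-shaped literals present in a given bundle text.
const keyHits = (src) => auditBundle(src).filter((f) => f.kind === 'google-api-key').length;

console.log('hard-coded source:', keyHits(hardCoded));
console.log('repo source      :', keyHits(repoSource));
console.log('built bundle     :', keyHits(builtBundle));
console.log('runtime fetch    :', keyHits(runtimeFetch));
```

The runtime-fetch case reports nothing because the key is no longer in the bundle; the first comment's objection about the value sitting in AsyncStorage on the device is outside what a bundle scan can see.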