
I am trying to develop a strategy for securing third party API keys for a React Native app. When building a web application, API keys can be stored in environment variables and then secured when deploying the application server.

However with a mobile app that only uses 'back end as a service' back end services, like Firebase, the app is not deployed, it is distributed and services are accessed.

After doing some research, it seems there is no standard/straightforward approach to solving this problem, although it must be a situation that thousands of app developers find themselves in.

I am using Firebase, but also two other services that require API keys. My initial solution was to add these API keys (not Firebase keys) to Firebase environment variables as described here and then make a call from the app to a Firebase Cloud Function to retrieve them. But I think the problem might be here that the keys can still be intercepted, as they will be retrieved in plain text.

Is this a good approach to storing the third party keys, and if not, what other approaches could be taken?

halfer
Mr. Robot
  • Firebase has many types of keys. The configuration data that the Firebase console and documentation tell you to add to your application are not any sort of authentication mechanism, but just configuration data that allows your code to find its Firebase project on the servers. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen May 26 '20 at 22:53
  • 1
    Thanks @FrankvanPuffelen - but specifically it does say: 'Often you'll need additional configuration for your functions, such as third-party API keys' before describing how to store them, so I take that as a mechanism for storing API keys. What I'm asking in the question is if it's a good approach – Mr. Robot May 27 '20 at 07:36
  • Ah, got it. I missed your comment in the question about this being 3rd party API keys. Such keys should not commonly be used in client-side code. If you want to use them in Firebase, you'd typically only use them in Cloud Functions, where your users can't see them. – Frank van Puffelen May 27 '20 at 14:34
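As an added example (not from the question, the comments, or Firebase itself), the two designs under discussion side by side in plain Node: the question's "fetch the key from a Cloud Function" design and the comment's "use the key only inside the Cloud Function" design. The third-party API URL, the `verifyIdToken` check and `fetch` are injected test doubles so it runs offline; wiring `proxyHandler` into a Firebase HTTPS callable and reading the key from server-side config is assumed, not shown.

```javascript
// Design 1 (the question's): the function hands the key to the app.
// Whatever is returned here reaches the device in plain text, so the key
// is effectively public: anyone who can run the app can read it.
function leakKeyHandler(env) {
  return { apiKey: env.THIRD_PARTY_KEY };
}

// Design 2 (the comment's): the key is used only server-side; the app gets
// the result of the third-party call and never sees the credential.
async function proxyHandler(req, env, deps) {
  // Require a signed-in user so the proxy is not an open relay for the key.
  const user = await deps.verifyIdToken(req.idToken);
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };
  // The server decides the URL and accepts only the fields it expects.
  const city = String(req.city || '').slice(0, 64);
  const url = `https://api.example.test/weather?city=${encodeURIComponent(city)}`; // hypothetical API
  const res = await deps.fetch(url, {
    headers: { Authorization: `Bearer ${env.THIRD_PARTY_KEY}` },
  });
  const data = await res.json();
  // Allow-list the response fields; never echo upstream headers or the key.
  return { status: 200, body: { city, tempC: data.tempC } };
}

// Check used below: does anything in the response contain the secret?
function responseLeaksKey(response, key) {
  return JSON.stringify(response).includes(key);
}

// Constructed test doubles (no network, no Firebase).
const fakeEnv = { THIRD_PARTY_KEY: 'constructed-secret-key-123' };
const fakeDeps = {
  verifyIdToken: async (token) => (token === 'valid-token' ? { uid: 'user1' } : null),
  fetch: async (_url, opts) => ({
    json: async () =>
      opts.headers.Authorization === `Bearer ${fakeEnv.THIRD_PARTY_KEY}`
        ? { tempC: 21, internalNote: 'not for clients' }
        : { error: 'bad key' },
  }),
};
```

The point the comment makes becomes visible in the result: the leaking handler's response contains the key, the proxy's response does not, and an unauthenticated caller gets nothing at all.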

0 Answers