
I am developing an iOS/Android app with Flutter and Firebase (mainly Cloud Firestore and Firebase Auth). According to the Firebase documentation/example, they just put the API key along with the googleAppID straight into the app's source code. This to me seems very insecure, but at the same time I did hear that Dart is compiled AOT. So what is the best practice for putting the Firebase API keys in a Flutter app?

Any response is appreciated!

David

1 Answer


That example is usually not followed. The key is stored in the google-services.json file or the equivalent for iOS that should be added to the project following the Firebase setup instructions. This removes the issue with people easily knowing your key. I don't believe it would matter if someone did however as the key is intended to be public.

Setup Instructions

Christopher Moore
  • I see. Thank you! Can you provide a link (if there is any) for detailed instructions, please? – David May 27 '20 at 19:40
  • @David Yes, I added the setup link for Firebase for Flutter. You have to follow both the iOS and Android instructions. – Christopher Moore May 27 '20 at 19:44
  • Ah, thanks! It turns out that I have already followed those instructions, but I didn't know that by doing that I wouldn't need to include the API keys in the Dart code. Just checked the `plist` file and it does have my API keys. Thank you! – David May 27 '20 at 19:55
  • Just one last question, how does this approach make it more secure? – David May 27 '20 at 19:55
  • @David The key isn't directly in the code so there isn't a need to obfuscate it. I'm not sure that this makes it much more difficult, but as I said, the API key is intended to be publicly available. – Christopher Moore May 27 '20 at 20:03
  • Got it! Thank you! – David May 27 '20 at 20:04
  • @David No problem. – Christopher Moore May 27 '20 at 20:05
  • Great answer Christopher. @David: The configuration data is shared equally between both approaches, but that is **not** a security concern. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen May 27 '20 at 20:18
  • Thanks! @FrankvanPuffelen So I guess I should always enforce security with Cloud Firestore security rules. – David May 27 '20 at 20:20
  • @David Yeah you should always do that and do it for other services that you use as well as they are applicable. – Christopher Moore May 27 '20 at 20:21
  • Ok! Thank y'all! – David May 27 '20 at 20:22
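The comments end on the point that actually matters here: the API key in `google-services.json` / `GoogleService-Info.plist` only identifies the project, so whoever extracts it from the app can talk to your Firestore database, and the only thing deciding what they may read or write is your security rules. The rules file below is an added example, not part of the original thread or of any Firebase sample; the `users` and `posts` collections and the `ownerId` field are assumed for illustration. It shows the fully open rule that is often left in place after development, beside a hardened version that ties every access to a Firebase Auth identity.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak: with this rule, anyone who pulls the (public) API key out of the
    // app bundle can read and write every document in the project.
    // Shown commented out so the file deploys in its hardened form.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Hardened: the request must carry a Firebase Auth token, and a user may
    // only touch their own profile document (assumed collection: users/{uid}).
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Assumed collection: posts, each document with an ownerId field.
    // Any signed-in user may read; only the owner may create, change or
    // delete, and the owner cannot be spoofed because ownerId is checked
    // against the verified uid on both the incoming and the stored document.
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;
      allow update, delete: if request.auth != null
                            && resource.data.ownerId == request.auth.uid;
    }

    // Anything not matched above is denied by default; no catch-all rule.
  }
}
```

Save this as `firestore.rules` and deploy it with `firebase deploy --only firestore:rules`. The same principle applies to every other Firebase service reachable with the same key (Realtime Database, Cloud Storage): the key is not the secret, the rules are the access control.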