0

I want to store an api key on my flutter app. I was thinking about requesting the api key from the server on user registration, and then save it with flutter_secure_storage. Is that a good way to get and store api keys?

NelsonThiago
  • 802
  • 7
  • 12

3 Answers3

3

As seen here.

The most secure way to keep your keys as secret, is to NEVER put them in your app because someone could decompile your app and get them, but if you really want to store them in the app the most recommended approach I have found is using text assets. In Flutter you just need to load your file containing your secret keys as if your were loading any other asset.

  • Create a file called secrets.json that will keep our secret API keys. And store it in the root directory of our project. Remember not to commit your secrets.json file to version control.

  • write an entry in pubspec.yaml pointing to our secret file.

    assets: - secrets.json

  • define the class that will keep our keys, let’s say it’s called Secret

    class Secret {
final String apiKey;  Secret({this.apiKey = ""});  
factory Secret.fromJson(Map<String, dynamic> jsonMap) {
 return new Secret(apiKey: jsonMap["api_key"]);
 }
}

  • Then a SecretLoader

    import 'dart:async' show Future; import 'dart:convert' show json; import 'package:flutter/services.dart' show rootBundle;class SecretLoader { final String secretPath;

    SecretLoader({this.secretPath});  Future<Secret> load() {
  return rootBundle.loadStructuredData<Secret>(this.secretPath,
      (jsonStr) async {
    final secret = Secret.fromJson(json.decode(jsonStr));
    return secret;
  });
 }
}

  • After that, you can just use your SecretLoader like this:

    Future<Secret> secret = SecretLoader(secretPath: "secrets.json").load();
Jaime Ortiz
  • 1,089
  • 10
  • 14
  • How would this help at all? Instead of decompiling I'm just going to look at your network requests and get the key there or directly analyze your application's memory as it runs. – Christopher Moore Jun 10 '21 at 15:19
  • that why you dont store them in the app – Jaime Ortiz Jun 10 '21 at 15:21
  • 1
    Please reread my previous comment. It doesn't matter where you're storing it. There are other easy ways of obtaining API keys. If you want to use them in your app, they're going to be send over the network or stored in memory at some point. – Christopher Moore Jun 10 '21 at 15:22
  • **API Keys must be hard coded.** There is no other option. So your sentence **"NEVER put them in your app" is just wrong and misleading.** In order to avoid reverse engineering issues you have to obfuscating your app. – genericUser Aug 23 '22 at 11:59
0

Definitely yes from me! It is a best way to store data in secure storage

flutter_secure_storage: ^4.2.0

nikhil deepak
  • 27
  • 5
  • Secure storage won't help you in case you are using a hard coded API Key in your app. And you must have a hard coded Key. – genericUser Aug 23 '22 at 11:55
0

I'm running into this same question on best practices for API keys in Flutter. I've read many responses across multiple stack posts. It seems that no matter what we do, someone dedicated enough will get the API key so we must turn our attention to limiting the actions of the API.

I'm using Algolia in my project so I'm going to use this service as an example. This service gives you multiple API keys. One of them is for "search only" and another is the ADMIN API key.

The Search Only API key comes with parameters that you can set to prevent API abuse and additionally only allows reads, and does not allow writes or deletes. The Search only API key is what we will expose in our front end and NEVER expose our Admin API key.

I will still follow best practices on utilizing gitIgnore and doing my best to prevent API compromise but from what I've gathered it seems the most effective method is at the API source. I hope this helps in some way.

DavesMobileApps
  • 31
  • 3