
I am building a Flutter application. I don't want to compromise my secret_key by putting it in the code, so I tried making a .env file and created an APK. Then I unzipped the APK and found my config file there. So now I am not doing that.

The next thing I tried is using --dart-define variable declarations to put in my secret_key while building the app, and I am accessing it using

const secret = String.fromEnvironment("secret_key");

Coming to the question: where do these variables go inside the Dart code, and is there a way to get them by reverse engineering? Basically, is it safe to put my secret key this way?

Jagraj Singh
  • Yes, it's safe, because the `--dart-define` variable you need to define in the build command, and that is not saved anywhere in the code; at the time of build generation these keys are used. – Er. Rakesh Prajapat May 27 '22 at 07:54
  • If your code needs `secret_key` at runtime, then it is not strictly safe. Anything your code can do, someone sufficiently determined can also do by examining your code. – jamesdlin May 27 '22 at 07:58
  • @jamesdlin what do you mean by that? I didn't get it. My use case is to call an API using that secret key, that's it. Without it, I cannot call the API. – Jagraj Singh May 27 '22 at 15:31
  • I mean that what you're asking is, strictly speaking, impossible. If code running on a client needs a fixed secret to operate, the client needs access to the secret, and someone sufficiently determined will be able to extract it from client-side code. See [How to store a secret API key in an application's binary?](https://stackoverflow.com/questions/5525305/) – jamesdlin May 27 '22 at 16:05
  • Thanks, @jamesdlin. I got that. But what about `--dart-define` saving the variables, which has no trace in the code other than the binaries? – Jagraj Singh May 28 '22 at 08:01
  • Well, using `--dart-define` avoids needing to hard-code your secrets and make them plainly visible to anyone who can read your source code (which is good), but it won't help against someone reverse-engineering your program (which is impossible). – jamesdlin May 28 '22 at 09:34
  • So I can use that to at least avoid putting the key inside the code. – Jagraj Singh May 28 '22 at 10:33

1 Answer


From what I found, you can find the --dart-define variables in the binary file generated for each ABI, so yes, you can reverse-engineer it.

How to try:

  1. Call the variable from your code with String.fromEnvironment("ANIMAL").

  2. Run flutter build apk --dart-define=ANIMAL=Dog to build for Android

  3. Open the generated .apk file with a file archiver (7-Zip, for example) and navigate to /lib/(ABI)/

  4. Open the /lib/(ABI)/libapp.so file with a text editor or hex viewer and search for the value Dog; you will find it.

Observations:

  • If you don't use the variable in your code, it won't be added to the binary.
  • Using --obfuscate with flutter build won't help, because it doesn't obfuscate environment variables.
Samuel T.
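Steps 3 and 4 of the answer above, automated, as an added example that is not part of the original answer: a Python script that opens an APK as a zip, reads every lib/(ABI)/libapp.so inside it, and reports the byte offset of each place a given --dart-define value occurs. It searches for the plain byte form the answer finds with a text editor and, as an extra assumption worth ruling out before concluding a value is absent, the UTF-16LE and base64 forms as well. The build_sample_apk helper writes a constructed stand-in APK (a zip with two ABIs and placeholder libapp.so contents, not a real Dart snapshot) so the script runs offline; its file contents and offsets are made up for the demonstration.

```python
"""Find a --dart-define value inside the per-ABI libapp.so files of an APK.

Added example, not code from the original answer. It automates steps 3 and 4
above: open the APK as a zip, read lib/<ABI>/libapp.so for every ABI, and
search each one for the value. Byte offsets and a few bytes of context are
reported so a hit can be inspected in a hex viewer afterwards.
"""
import base64
import os
import re
import sys
import tempfile
import zipfile

# An APK is a zip; Flutter's AOT-compiled Dart code ships as lib/<ABI>/libapp.so.
LIBAPP_RE = re.compile(r"^lib/[^/]+/libapp\.so$")


def byte_patterns(value: str) -> dict:
    """Byte forms of the value to search for.

    The plain UTF-8 form is the one the answer finds with a text editor.
    UTF-16LE and base64 are added on the assumption that a practitioner
    wants to rule those out too before declaring a value absent.
    """
    return {
        "utf-8": value.encode("utf-8"),
        "utf-16le": value.encode("utf-16-le"),
        "base64": base64.b64encode(value.encode("utf-8")),
    }


def scan_blob(blob: bytes, value: str, context: int = 8) -> list:
    """Return every occurrence of any byte form of `value` in `blob`, by offset."""
    hits = []
    for encoding, needle in byte_patterns(value).items():
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append({
                "encoding": encoding,
                "offset": idx,
                "context": blob[max(0, idx - context): idx + len(needle) + context],
            })
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def scan_apk(apk_path: str, value: str) -> dict:
    """Map each lib/<ABI>/libapp.so entry in the APK to its list of hits."""
    results = {}
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if LIBAPP_RE.match(name):
                results[name] = scan_blob(apk.read(name), value)
    return results


def build_sample_apk(value: str = "Dog", path: str = None) -> str:
    """Write a CONSTRUCTED stand-in APK so the scanner can run offline.

    The zip layout mimics a Flutter APK (two ABIs, each with a libapp.so),
    but the contents are placeholder bytes, not a real Dart snapshot. The
    value is placed at byte offset 32 of each libapp.so; libflutter.so is
    included without the value to show that it is not scanned.
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "app-release.apk")
    fake_libapp = b"\x7fELF" + b"\x00" * 28 + value.encode("utf-8") + b"\x00" * 16
    fake_libflutter = b"\x7fELF" + b"\x00" * 60
    with zipfile.ZipFile(path, "w") as apk:
        for abi in ("arm64-v8a", "x86_64"):
            apk.writestr(f"lib/{abi}/libapp.so", fake_libapp)
            apk.writestr(f"lib/{abi}/libflutter.so", fake_libflutter)
    return path


if __name__ == "__main__":
    # Usage: python scan_dart_define.py app-release.apk Dog
    # With no arguments, the constructed sample APK is scanned for "Dog".
    apk_path = sys.argv[1] if len(sys.argv) > 2 else build_sample_apk()
    secret = sys.argv[2] if len(sys.argv) > 2 else "Dog"
    for lib, hits in scan_apk(apk_path, secret).items():
        for hit in hits:
            print(f"{lib}: {hit['encoding']} at offset 0x{hit['offset']:x}: {hit['context']!r}")
```

With a real build, run flutter build apk --dart-define=ANIMAL=Dog as in step 2 and point the script at the APK it writes (by default under build/app/outputs/flutter-apk/). A hit per ABI is the answer's finding reproduced; the offset lets you jump straight to it in a hex viewer, and a value that is referenced nowhere in the code should produce no hit, matching the first observation.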