I have a Flutter application which communicates with a Hasura server and I'm doing it using the secret password.
I am currently using an .env file with the required API (secret) keys and loading them with the provided Flutter methods, but I guess they are somehow added to the app binary so I would like to know if it can be reverse engineered when published.
Does anybody know if this is a secure way to keep my API keys or do I need to add authentication?

Alberto Méndez
- Unless you're using some sort of Zero Knowledge Proof, your app will have to have some sort of credentials. And if it's in there, it can be reverse engineered. – Randal Schwartz Sep 11 '22 at 00:18
- What do you mean by "Zero knowledge proof"? The app is using HTTPS, I don't know if that is what you are referring to. – Alberto Méndez Sep 11 '22 at 00:32
- @user18309290 Yes of course, thank you very much – Alberto Méndez Sep 11 '22 at 18:24
1 Answer
If an API key can't be seen, don't store it in your app. For more information, see Securely Saving API Keys In Android (flutter) Apps

Alberto Méndez
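A pre-release check along these lines shows whether a .env asset and its keys ship in plain text inside the built package. This is an added example, not code from the question or the answer; it assumes an Android APK (a ZIP archive) with Flutter assets under `assets/flutter_assets/`, and the key names and sample archive are constructed.

```python
import io
import re
import zipfile

# Assumption: the build output is an APK (a ZIP archive) and Flutter assets
# are packed under assets/flutter_assets/.
ENV_NAME = re.compile(r"(^|/)\.env(\.[\w-]+)?$")
# KEY=value lines whose key looks like a credential (hypothetical naming).
SECRET_LINE = re.compile(
    rb"^\s*([A-Z0-9_]*(SECRET|TOKEN|API_KEY|PASSWORD)[A-Z0-9_]*)\s*=\s*\S+", re.M
)


def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry, reason) findings for a built app archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            if ENV_NAME.search(info.filename):
                findings.append((info.filename, "bundled .env file"))
            # Report only the key name, never the value, so CI logs stay clean.
            for m in SECRET_LINE.finditer(apk.read(info)):
                findings.append(
                    (info.filename, "secret-like key " + m.group(1).decode())
                )
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal archive shaped like a Flutter APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "assets/flutter_assets/.env",
            "HASURA_URL=https://example.invalid/v1/graphql\n"
            "HASURA_ADMIN_SECRET=constructed-placeholder\n",
        )
        z.writestr("assets/flutter_assets/AssetManifest.json", "{}")
        z.writestr("classes.dex", b"\x00\x01")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample_apk()):
        print(f"{entry}: {reason}")
```

An empty result only means no plain-text .env-style entry was found; a key compiled into the app code is still inside the package in another form.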