Your Problem
I want to publish my Flutter app to the Google Play Store, but I was thinking: is my API key safe? Can't other people access my API key and use it at my cost?
No, it's not safe at all; anyone can access it. It's as easy as using static analysis, a MitM attack and/or instrumentation at runtime. Let's see how...
Reverse Engineering a Mobile App
So I found out that my Flutter app can be reverse engineered and the API key can be stolen.
In a series of articles on Mobile and API Security that I wrote, you can read the article How to Extract an API key from a Mobile App with Static Binary Analysis to see how easy it is to extract your API key:
The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.
During this article we will use the Android Hide Secrets research repository, which is a dummy mobile app with API keys hidden using several different techniques.
For mobile apps using code obfuscation
I already have the idea to obfuscate it
If you use obfuscation, it will make it more difficult to find with static analysis, but that's not an issue for an attacker, since it's very easy to extract your API key at runtime with a MitM attack. You can read about how it's done in my article Steal that Api Key with a Man in the Middle Attack:
In order to help to demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to set up and run a MitM attack to intercept HTTPS traffic on a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
For mobile apps using certificate pinning
You have not mentioned its use, but it's a common and recommended layer of defence to prevent a MitM attack; at least it will keep the less skilled attackers at bay. Unfortunately it can be bypassed with the use of an instrumentation framework at runtime, and guess what, you can read how to do it in my article How to Bypass Certificate Pinning with Frida on an Android App:
Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.
Despite the fact that it can be bypassed, it's still recommended to use certificate pinning.
Possible Solution
How can I make it harder for this to happen? I already have the idea to obfuscate it, but is there another way to give it extra protection?
Obfuscation is only effective to protect the intellectual property of your code, and will only hide your secret at rest in the code, not when the app is running.
I recommend you read my accepted answer to the question How to use an API from my mobile app without someone stealing the token, where the Runtime Secrets Protection approach seems suitable to your use case.
In a nutshell, you will have the secret stored in the cloud and have it securely delivered to your mobile app just in time for being used, but only if the app is not under attack, not running on a rooted or jailbroken device, not attached to a debugger and not running in an emulator.
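As an added illustration of the just-in-time delivery described above (example code, not from this answer or the linked one): a minimal Python secret-delivery endpoint that only hands out the server-held API key when a signed attestation token verifies and reports a clean device. The attestation service, its HMAC signing key, the claim names and the token format are all assumptions for the example; a real deployment would rely on a proper attestation product and asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared HMAC key between the attestation service and this
# secret-delivery endpoint (constructed for the example, not a real key).
ATTESTATION_KEY = b"example-attestation-signing-key"

# The third-party API key stays server side and is never compiled into the APK.
PROTECTED_API_KEY = "EXAMPLE-API-KEY-NEVER-SHIPPED-IN-APP"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Mint '<payload>.<sig>' the way the hypothetical attestation service would."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    sig = hmac.new(ATTESTATION_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.urlsafe_b64encode(sig).decode().rstrip("=")


def verify_attestation(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token's HMAC is genuine and it has not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(ATTESTATION_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or altered token
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape, bad base64 or bad JSON
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: the key is only released just in time for use
    return claims


def deliver_secret(token: str, now: Optional[float] = None) -> Optional[str]:
    """Hand out the API key only for a valid token whose risk flags are all clear."""
    claims = verify_attestation(token, now)
    if claims is None:
        return None
    # Fail closed: a missing flag is treated as if that check had failed.
    if any(claims.get(flag, True) for flag in ("rooted", "debugger", "emulator", "tampered")):
        return None
    return PROTECTED_API_KEY
```

The mobile app would present such a token on every request for the key and discard the key after use, so a copy pulled from the APK or from one intercepted response is worth little once the token expires.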
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIs
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.