
Publishing a web app with the API key in the source code would be a horrible idea because people could see my API key and drain my account, but if it's a mobile app with React Native with Expo, users should not be able to see it. But I'm not so sure about that, I guess there are ways to get it. So how could I prevent that?

What are the best practices for this? Maybe I could use SecureStore from Expo, but I'm not sure if that solves the problem. Currently it's stored in the source code of some components like this:

const API_KEY = 'mysecretkey';

I'm using AWS Rekognition and S3.

Thanks for your help.

MrPie
    The fact that you asked the question shows that you probably know the answer already: no, it is not safe. [This](https://reactnative.dev/docs/security) is a good read from the doc. It gives you a few options. – Fanchen Bao Mar 22 '23 at 23:15
  • I had all the same questions about things like OAuth back when I was trying to make a desktop client which connected to various services, and the final outcome was that the end user was supposed to get their own key. This was unsatisfying to me, so I put the idea of using OAuth on the back-burner until they properly considered desktop/mobile clients. – Hakanai Mar 22 '23 at 23:19
  • Thank you, I think based on the documentation AWS Lambda is the way to go, but I still wonder how safe that is. At some point the API key will have to be read in plain text in my app and somebody could somehow read it from memory. The good thing is that now I would be able to reset the key if somebody hacks the app, but the problem would still be there. – MrPie Mar 22 '23 at 23:39

1 Answer


I don't know whether this is a good solution, but it's a solution: publish a web app which your mobile app connects to when it fetches the data. That way, your web app can hide the API key.

The downside is you have to pay for that traffic. :(

Hakanai