0

I would like to know what the full pros and cons are for storing my SENSITIVE API KEYS AT Firebase Remote Config.

I am aware of flutter secure storage which encrypts and decrypts sensitive data at Runtime, but most sources suggest it is always safer to store api keys on the server rather than on the client. What risks are involved if I store my API keys at FIREBASE REMOTE CONFIG and what do I stand to gain and lose.Thanks

Samuel Airadion
  • 3
  • 3

1 Answers1

0

The recommendation is not so much to just store the data on the server, but also to only ever use it on the server. Any time you use sensitive data inside your application, such as when you send it to the device through Remote Config, a malicious user may gain access to it.

The risk of leaking an API key depends on what that specific API key allows a malicious user to access. For example, if a user gains access to the so-called server key that is used by Firebase Cloud Messaging, they can use it to send messages to any of your users. But if they gain access to the administrative credentials of your Google Cloud project, they can do with that entire project whatever they want.

Note that Firebase's client-side configuration data is not a secret, as explained here: Is it safe to expose Firebase apiKey to the public?

Also see:

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Cheers for the response, but also curiously since my api key is stored remotely cant I always just change the keys, should incase it gets exposed on the client side, leaving the hacker no choice but to continually rehack and eventually give up? – Samuel Airadion May 17 '23 at 17:23
  • If your method of getting the secret from the server doesn't change, the malicious user can also use the same method of getting access to that secret. Also see: https://firebase.google.com/docs/remote-config/parameters#:~:text=Important%3A%20Do%20not%20store%20confidential,target%20groups%20of%20app%20instances. – Frank van Puffelen May 17 '23 at 17:42