How to store API keys in Flutter (July 2020)


I have some solutions for it.

  1. Make it harder to understand -

Split your API key into many Strings, store them at random places and combine them while making the call, in a very complex manner. In short, make your code complex to understand.

  2. Store your API key in Firestore -

Store your API key in a document, and retrieve it, when making the API call.

(I think this is the better way.)

Let me know what you think. :)


Replying to above.

Personally I do not know how effective decompiling an .apk can be. But there are millions of people out there, and some might be very good at this. Personally I am assuming the 'worst case': that someone could get hold of my Flutter code and run it in Android Studio.

If they can do that, not just 'look' at decompiled code but actually run it, then they can just use print() anywhere to learn secret strings like API keys.

My current solution: my project involves user accounts, so I am combining 2 ideas from my original post.

  1. The API key lives on a backend server.
  2. The key to getting data from the backend server is the credentials entered by the user. This way a 'bad guy' running my Flutter code is limited; the best they can do is create an account and use the app. I can always limit the number of calls any one user can make, to limit abuse, as I would on a website.


NEVER STORE API KEYS ON THE CLIENT SIDE!

Why? Let's take a look at the ways one can "securely" store them client-side.

  • Using secure_storage
  • Encrypting the stored API key (which needs to be decrypted afterwards)

Ways to retrieve an API key stored in the client:

  • Root or jailbreak your device to access secure storage
  • Reverse engineer your app to find out how the encrypted key could be decrypted

What to do instead:

Store your API key in a secure environment such as Cloud Functions or your own server. You could create your own REST API that forwards the request to the target API. Another advantage is that it allows you to rate-limit the number of requests a user can make per day, which reduces API cost.
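The backend-proxy design described in the two replies above (the third-party key lives only on the server, the user's own credentials gate access to the proxy, and each user gets a daily request quota), written out as an added Python example. This is not code from the thread or from any Flutter project; the user table, the upstream URL, the daily limit, the salt and the offline stand-in for the upstream call are all constructed assumptions for illustration.

```python
"""Backend proxy that keeps a third-party API key off the mobile client.

Added example, not from the original thread. The user table, upstream URL,
daily limit and fake upstream call are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, Tuple

# The real secret lives only in the server's environment. The Flutter app never
# receives it; it only receives the proxied result.
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "demo-server-side-secret")
UPSTREAM_URL = "https://api.example.invalid/v1/weather"  # assumed upstream endpoint
DAILY_LIMIT = 100  # assumed per-user quota per 24-hour window


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash). In a real deployment
# this is your user database or identity provider, not a module-level dict.
_DEMO_SALT = b"demo-salt-not-for-production"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_DEMO_SALT, _hash_password("correct horse", _DEMO_SALT)),
}


def verify_user(username: str, password: str) -> bool:
    """Constant-time credential check; unknown users still pay the hash cost."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DEMO_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


class DailyQuota:
    """Fixed-window counter: at most `limit` requests per user per `window` seconds."""

    def __init__(self, limit: int = DAILY_LIMIT, window: int = 86_400,
                 clock: Callable[[], float] = time.time) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._buckets: Dict[str, Tuple[int, int]] = {}  # user -> (window_id, count)

    def allow(self, user: str) -> bool:
        window_id = int(self.clock() // self.window)
        seen_window, count = self._buckets.get(user, (window_id, 0))
        if seen_window != window_id:  # new day, counter resets
            count = 0
        if count >= self.limit:
            self._buckets[user] = (window_id, count)
            return False
        self._buckets[user] = (window_id, count + 1)
        return True


def fake_upstream(url: str, headers: Dict[str, str], params: Dict[str, str]) -> dict:
    """Offline stand-in for the real outbound HTTP call (urllib/requests).

    It only checks that the server, not the client, supplied the key.
    """
    assert headers["Authorization"] == f"Bearer {UPSTREAM_API_KEY}"
    return {"city": params["city"], "temp_c": 21}


def handle_request(username: str, password: str, city: str, quota: DailyQuota,
                   upstream: Callable = fake_upstream) -> Tuple[int, dict]:
    """Return (http_status, json_body) to send back to the Flutter client."""
    if not verify_user(username, password):
        return 401, {"error": "invalid credentials"}
    if not quota.allow(username):  # only authenticated calls consume quota
        return 429, {"error": "daily quota exceeded"}
    # The key is attached here, on the server, and never leaves it.
    data = upstream(UPSTREAM_URL, {"Authorization": f"Bearer {UPSTREAM_API_KEY}"},
                    {"city": city})
    return 200, {"result": data}


def response_leaks_key(body: dict) -> bool:
    """Sanity check a test can run: the serialized response must not contain the key."""
    return UPSTREAM_API_KEY in json.dumps(body)
```

In production the Flutter client would send a session token obtained from your login endpoint rather than raw credentials on every call, the proxy would sit behind TLS, and the quota state would live in a shared store such as Redis or Firestore so it survives restarts and works across instances; the shape of the check (authenticate, then meter, then attach the key server-side) stays the same.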