java-james / flutter_dotenv

Loads environment variables from `.env`.
https://pub.dartlang.org/packages/flutter_dotenv
MIT License
209 stars, 46 forks

.env can be opened by everyone #27

Open DonWasyl opened 3 years ago

DonWasyl commented 3 years ago

Hi, I wanted to keep some API keys in `.env` files, but I noticed that I am able to open the app package via an Android file manager (Solid Explorer)... My question: was this intended?

[Screenshot attached: Screenshot_20210317-210811]

ngxingyu commented 3 years ago

Any information that you want to keep private like passwords or API keys that are not meant to be shared should not be bundled within your apk since it can definitely be recovered, so I believe this is intended.

java-james commented 3 years ago

Environment variables bundled in a front-end framework/application should not contain overly sensitive information. Using .env and injecting at build time is one up on committing API keys, for example, to a git repository, where they may be spotted and exploited by crawlers and prying eyes... However, having any sensitive info in the front end, regardless of the framework, will often not be very secure, as the info is visible in the browser/devtools/bundled code etc.

A responsible use of .env in the front end would be for things such as non-vulnerable API keys, API base URLs & ports, which you can switch with different .envs at build time depending on the environment you want the build to be for. You should consider moving any vulnerable API keys etc. to a secure backend.
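The two points made in this thread, that a bundled `.env` is recoverable from the APK and that only non-sensitive, per-environment settings belong in it, can be demonstrated with a short script. The example below is added here and is not code from flutter_dotenv or from any participant in the issue. It builds a constructed, APK-shaped zip (an APK is an ordinary zip; the `assets/flutter_assets/.env` path is the layout assumed for a Flutter asset), pulls the `.env` back out exactly as a file manager or `unzip` would, and then runs a pre-release check that refuses any key whose name looks like a secret. The `.env` contents, the key names, and the forbidden-name policy are all hypothetical.

```python
"""
Added example (not flutter_dotenv code): show that a .env shipped as a
Flutter asset is trivially recoverable from the APK, and gate a release
build on the .env containing no secret-looking keys.
"""
import io
import re
import zipfile

# Constructed .env for the demo; every key name here is hypothetical.
SAMPLE_ENV = """\
# Build-time configuration for the 'prod' flavour
API_BASE_URL=https://api.example.com
API_PORT=443
PUBLIC_MAPS_KEY=AIza-public-placeholder
PAYMENT_SECRET_KEY=sk_live_placeholder
DB_PASSWORD=hunter2
"""

# Hypothetical policy: key names matching any of these must never ship in
# a client bundle, because the bundle can be opened by anyone who installs it.
FORBIDDEN_PATTERNS = tuple(
    re.compile(p, re.I) for p in (r"SECRET", r"PRIVATE", r"PASSWORD", r"PASSWD", r"TOKEN")
)


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blank lines and '#' comments,
    strips surrounding single or double quotes from values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def build_fake_apk(env_text: str) -> bytes:
    """Build a constructed APK-shaped zip in memory. Real APKs carry far
    more, but the asset path is what matters here (assumed Flutter layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/flutter_assets/.env", env_text)
    return buf.getvalue()


def recover_env_from_apk(apk_bytes: bytes) -> dict:
    """What a file manager or `unzip -p app.apk assets/flutter_assets/.env`
    does: read the asset straight out of the archive, no keys needed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        candidates = [n for n in zf.namelist() if n == ".env" or n.endswith("/.env")]
        if not candidates:
            return {}
        return parse_env(zf.read(candidates[0]).decode("utf-8"))


def forbidden_keys(env: dict) -> list:
    """Keys whose names suggest a secret; sorted for stable reporting."""
    return sorted(k for k in env if any(p.search(k) for p in FORBIDDEN_PATTERNS))


def check_env_for_release(env_text: str) -> bool:
    """Pre-build gate: True only if nothing secret-looking is in the .env."""
    return not forbidden_keys(parse_env(env_text))


if __name__ == "__main__":
    apk = build_fake_apk(SAMPLE_ENV)
    recovered = recover_env_from_apk(apk)
    print("recovered from APK:", recovered)
    print("keys that must move to a backend:", forbidden_keys(recovered))
    print("safe to ship:", check_env_for_release(SAMPLE_ENV))
```

Run it before the `flutter build` step in CI and fail the job when `check_env_for_release` returns `False`; the base URL and port pass, the payment key and database password do not, which is the split the maintainer describes. The name-based check is deliberately conservative and will not catch a secret stored under an innocuous key name, so it complements, rather than replaces, keeping secrets on the backend.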