java-james / flutter_dotenv

Loads environment variables from `.env`.
https://pub.dartlang.org/packages/flutter_dotenv
MIT License
209 stars 46 forks

Inquiries about security issues #73

Open Jay-flow opened 1 year ago

Jay-flow commented 1 year ago

I happened to read the blog post.

https://systemweakness.com/why-not-to-use-dotenv-on-flutter-5d3a07abc971

According to this article, the .env file appears to be readable. I'm storing key security information here. Is there a security problem depending on the blog post? I wonder if it's reliable, or, if there's a security problem, how can you secure it?

java-james commented 1 year ago

Thanks for raising the concern. Please see https://github.com/java-james/flutter_dotenv/issues/51#issuecomment-1040908470 for a related discussion on this. In short, you shouldn't use .env on the client side to store sensitive data. Please get back to me if we are missing a point here, especially if you have something in mind we may not have thought of yet.
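
A release-time check for the point made in the comment above, as an added example that is not code from flutter_dotenv or from anyone in this thread: a `.env` file declared as a Flutter asset is packaged into the app, so this script scans an APK (a zip archive) for bundled `.env` assets and reports secret-looking key names without printing their values. The `assets/flutter_assets/` prefix, the key-name pattern and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: Flutter places declared assets under this prefix inside an APK.
ASSET_PREFIX = "assets/flutter_assets/"
# Hypothetical heuristic for key names that suggest a secret; tune per project.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)", re.I)


def parse_dotenv(text):
    """Yield (key, value) pairs from simple KEY=VALUE dotenv text."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("export "):
            line = line[len("export "):]
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip().strip("'\"")


def audit_bundle(apk_bytes):
    """Return sorted (asset_path, key) for secret-looking keys in bundled .env files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith(ASSET_PREFIX) and ".env" in name.rsplit("/", 1)[-1]):
                continue
            text = apk.read(name).decode("utf-8", errors="replace")
            for key, value in parse_dotenv(text):
                if value and SECRET_NAME.search(key):
                    findings.append((name, key))  # key name only, never the value
    return sorted(findings)


def build_sample_apk():
    """Constructed stand-in for a release build: a zip with a bundled .env asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(ASSET_PREFIX + ".env",
                   "# constructed sample\nAPI_URL=https://api.example.test\n"
                   "STRIPE_SECRET_KEY=constructed-not-a-real-key\n"
                   "export DB_PASSWORD='x'\nEMPTY_TOKEN=\n")
        z.writestr("classes.dex", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_bundle(build_sample_apk()))
```

Run against your own build output in CI, a non-empty result means those values belong behind a server-side API rather than in the client bundle.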

Jay-flow commented 1 year ago

Thank you for your comment.

Is there an alternative to how sensitive data is managed?

I would appreciate it if other people could suggest a good idea.