mockturtl / dotenv

Loads environment variables from `.env`.
https://pub.dartlang.org/packages/dotenv
MIT License
109 stars, 64 forks

Question on security #26

Open FickleLife opened 3 years ago

FickleLife commented 3 years ago

I have a general question re: security when using env variables with this package. If semi-important credentials are stored in environment variables within a Flutter app, how "secure" is it?

alexrintt commented 1 year ago

What would it take for the end user to view them?

I'll quote this SO answer:

From the moment the private key leaves the backend server, it's no longer securely stored, and it's now up for grabs by anyone with the skills and knowledge to use the plethora of open source and paid tools for reverse engineering static binaries or even to introspect them during run-time, and change their behaviour or extract data, aka your private key.

There is no such thing as safe when we talk about client-sided applications. That's the nature of client-side.

This is why client-sided apps can not use private keys, only public ones.


Would it require a decompile/reverse engineering of the app?

Yes, but this is not as hard as it seems; there are plenty of reverse engineering tools available on the market, free and paid ones.


Is there a way to harden to resist attack?

Yes, take a look at a general topic called code obfuscation https://en.wikipedia.org/wiki/Obfuscation_(software).

Now, specific for Dart: https://docs.flutter.dev/deployment/obfuscate.

But quoting the Flutter docs:

It is a poor security practice to store secrets in an app.



I am a "little bit" late, but better late than never, so maybe it can help someone in the future with the same questions.
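A practical way to act on the advice in this thread is a pre-release check that refuses to ship a build which still contains the values from `.env`. The script below is an added example for this issue, not code from the dotenv package or from the people in the thread. It parses a dotenv-style file (comments, blank lines, `export`, quoted and unquoted values), then searches a build artifact byte-for-byte for every value that is not marked public. The `PUBLIC_` prefix convention, the sample `.env` and the sample artifact bytes are all constructed for this example; a `.env` bundled as a Flutter asset is copied into the build as-is, and Dart obfuscation renames identifiers rather than hiding asset contents, so anything the check reports is readable to anyone who unpacks the app.

```python
"""Pre-release check: does the built app still contain the values from .env?

Added example, not part of the dotenv package. Point `find_leaked_secrets`
at the bytes of an unpacked build (for example the extracted asset directory
or the native library) and fail the release if it returns anything.
"""
import re
from typing import Dict, List

# Convention assumed for this example only: keys with this prefix are meant
# to be public (a client-side key that the backend also restricts) and are
# not reported as leaks.
PUBLIC_PREFIX = "PUBLIC_"

# KEY=VALUE with optional leading `export`; value captured lazily so that
# trailing whitespace is not part of it.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse dotenv-style text: comments, blank lines, `export`, quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not a KEY=VALUE line; ignore rather than guess
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # quoted: keep the content verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop a trailing comment
        env[key] = value
    return env


def find_leaked_secrets(env: Dict[str, str], artifact: bytes, min_len: int = 8) -> List[str]:
    """Return the keys whose values occur verbatim in the build artifact.

    Values shorter than `min_len` (ports, booleans, feature flags) are skipped
    because they would match almost any binary by accident.
    """
    leaked: List[str] = []
    for key, value in env.items():
        if key.startswith(PUBLIC_PREFIX) or len(value) < min_len:
            continue
        if value.encode("utf-8") in artifact:
            leaked.append(key)
    return sorted(leaked)


# Constructed sample .env: one quoted secret, one unquoted with a trailing
# comment, one intentionally public key, one short value, and one value
# that is only ever used server-side and never bundled.
SAMPLE_ENV = """
# constructed sample, not a real configuration
export PAYMENT_API_SECRET="sk_live_constructed_0123456789"
THIRD_PARTY_TOKEN=tok_constructed_abcdef # trailing comment
PUBLIC_MAPS_KEY=AIza_constructed_public_key
PORT=8080
SERVER_ONLY_KEY=never_bundled_constructed_value
"""

# Constructed stand-in for an unpacked build: some binary noise around a
# copy of the .env asset exactly as a bundler would embed it.
SAMPLE_ARTIFACT = (
    b"\x7fELF" + b"\x00" * 16
    + b"flutter_assets/.env\x00"
    + b'PAYMENT_API_SECRET="sk_live_constructed_0123456789"\n'
    + b"THIRD_PARTY_TOKEN=tok_constructed_abcdef\n"
    + b"PUBLIC_MAPS_KEY=AIza_constructed_public_key\n"
    + b"PORT=8080\n"
    + b"\x00" * 8
)


def check_build(env_text: str = SAMPLE_ENV, artifact: bytes = SAMPLE_ARTIFACT) -> List[str]:
    """Run the check and return the offending keys (empty list means clean)."""
    return find_leaked_secrets(parse_dotenv(env_text), artifact)


if __name__ == "__main__":
    bad = check_build()
    if bad:
        print("secrets shipped in plaintext:", ", ".join(bad))
        raise SystemExit(1)
    print("no .env secrets found in artifact")
```

In a CI job you would replace the sample with the real `.env` and the bytes of each file in the unpacked release (archives such as an APK must be extracted first, since a compressed entry will not match). A non-empty result means the value is recoverable by anyone who unpacks the app, which is the point alexrintt makes above: the fix is to keep that credential on the backend, not to obfuscate the client.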