
I am building a Flutter application. I don't want to compromise my secret_key by putting it in the code, so I tried making a .env file and created an APK. Then I unzipped the APK and found my config file there. So now I am not doing that.

The next thing I tried is using --dart-define variable declarations to put my secret_key while building the app and I am accessing it using

```dart
const secret = String.fromEnvironment("secret_key");
```

Coming to the question: where do these variables go inside the Dart code, and is there a way to get them by reverse engineering? Basically, is it safe to put my secret key this way?

Jagraj Singh
  • Yes, it's safe, because the `--dart-define` variable you need to define in the build command, and that is not saved anywhere in the code; at the time of build generation these keys are used. – Er. Rakesh Prajapat May 27 '22 at 07:54
  • If your code needs `secret_key` at runtime, then it is not strictly safe. Anything your code can do, someone sufficiently determined can also do by examining your code. – jamesdlin May 27 '22 at 07:58
  • @jamesdlin What do you mean by that? I didn't get it. My use case is to call an API using that secret key, that's it. Without it, I cannot call the API. – Jagraj Singh May 27 '22 at 15:31
  • I mean that what you're asking is, strictly speaking, impossible. If code running on a client needs a fixed secret to operate, the client needs access to the secret, and someone sufficiently determined will be able to extract it from client-side code. See [How to store a secret API key in an application's binary?](https://stackoverflow.com/questions/5525305/) – jamesdlin May 27 '22 at 16:05
  • Thanks, @jamesdlin. I got that. But what about `--dart-define` saving the variables, which have no trace in code other than the binaries? – Jagraj Singh May 28 '22 at 08:01
  • Well, using `--dart-define` avoids needing to hard-code your secrets and make them plainly visible to anyone who can read your source code (which is good), but it won't help against someone reverse-engineering your program (which is impossible). – jamesdlin May 28 '22 at 09:34
  • So I can use that to at least avoid putting the key inside the code. – Jagraj Singh May 28 '22 at 10:33
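
A release-time check for what the comments describe, as an added example that is not part of the original thread: it scans every entry of an APK for a known secret value, so you can see for yourself whether a build ships it. The sample APK, the placeholder secret, and the names `find_secret_in_apk`, `build_sample_apk` and `SAMPLE_SECRET` are constructed for illustration; the `libapp.so` entry only simulates a compiled `--dart-define` constant and assumes the value is stored as plain bytes.

```python
import io
import zipfile


def find_secret_in_apk(apk_bytes: bytes, secret: str) -> list[str]:
    """Return the names of APK entries whose raw bytes contain the secret."""
    # Check the encodings a string constant may be stored in.
    needles = {secret.encode("utf-8"), secret.encode("utf-16-le")}
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)  # zipfile decompresses the entry
            if any(needle in data for needle in needles):
                hits.append(info.filename)
    return sorted(hits)


def build_sample_apk(secret: str) -> bytes:
    """Constructed stand-in for a release APK (not a real Flutter build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        # A .env file bundled as an asset: the first approach in the question.
        apk.writestr("assets/flutter_assets/.env", f"secret_key={secret}\n")
        # Simulated compiled Dart code: String.fromEnvironment is a
        # compile-time constant, so the value is assumed to sit in the binary.
        apk.writestr(
            "lib/arm64-v8a/libapp.so",
            b"\x7fELF" + b"\x00" * 64 + secret.encode("utf-8") + b"\x00" * 64,
        )
        # An entry without the secret, to show the scan does not over-report.
        apk.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


SAMPLE_SECRET = "EXAMPLE-SECRET-0000-constructed"  # constructed placeholder

if __name__ == "__main__":
    sample = build_sample_apk(SAMPLE_SECRET)
    for name in find_secret_in_apk(sample, SAMPLE_SECRET):
        print("secret found in", name)
```

Run against a real build by passing the bytes of your own release APK and the value you supplied via `--dart-define`; any hit means the key ships with the app and should be treated as public.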

0 Answers