Sensitive data in plain text.

[wemersonrv]

Hello.

When adding sensitive data as tokens, keys, etc; can i add them in plain text in .env? Or need to encode or encrypt this kind of information?

In short: if i add a Google Maps Key in .env, It's possível to edit/decompile the app and recover It as a String or because using .env it's not possível?

[ghenry]

I use https://pub.dev/packages/flutter_secure_storage for that type of thing.

[marianoarga]

I use https://pub.dev/packages/flutter_secure_storage for that type of thing.

That package is for encrypting the plain text input, on runtime, as far as I understand is not applicable for what @wemersonrv asked.

[FickleLife]

Just wondering if there's an "official" answer to @wemersonrv question?

[jpeiffer]

There's no "perfect" solution. The problem is the client is deployed in an environment outside your control, and must contain all the information needed to access protected resources.

The best answer is some sort of user authentication, but that doesn't work for things like Google Maps keys and other APIs that don't have a user.

Beyond that, you can encrypt the sensitive data. Then you either need to put the encryption key in the app, or need to get it from an (intercept-able) API call.

It ultimately boils down to how frustrating do you want to make it to get the key. For Google Maps, it's probably fine as is. For something much more sensitive, you can use a "calculated" key and create the key through an algorithm to make it more difficult to find and extract. But nothing is 100% attack proof because you're always giving the attacker everything they need if it's part of your build.

There's a deeper answer in this SO thread:
https://security.stackexchange.com/questions/100129/what-to-do-when-you-can-t-protect-mobile-app-secret-keys

[java-james]

Related to #51 see discussion