DEV Community

Cover image for Protecting API keys in Flutter
Aadityasiva
Aadityasiva

Posted on

Protecting API keys in Flutter

It is always a fear that one day you might end up leaking your API key in a public git repository. In flutter is there are many ways of hiding the API key some are not working and some don't work properly in this article I will be showing you one way to work with API keys in flutter.

Let's see how we can do it

We will be using this package
If you are using it in a project with null safety

dependencies:
  flutter_dotenv: ^4.0.0-nullsafety.0
Enter fullscreen mode Exit fullscreen mode

If you are using it in a project without null safety

dependencies:
  flutter_dotenv: ^3.1.0
Enter fullscreen mode Exit fullscreen mode

then create a file in the root directory called .env

For those of you who don't know what a .env file is it is basically a file in which we store secret variables.

In the .env file you can add your secret API keys in this format

SUPER_SECRET_API_KEY=This is a super secret API key 
THIS_CAN_BE_CALLED_ANYTHING=This here can be anything like ut4ihyeFn49
Enter fullscreen mode Exit fullscreen mode

Important: Never commit these .env files in your version control.
If you are using git version control system add the .env file to .gitignore

After making this .env file add it as an asset in the pubspec.yaml

assets:
  - .env
Enter fullscreen mode Exit fullscreen mode

Then run

flutter pub get
Enter fullscreen mode Exit fullscreen mode

In your main.dart file load the .env file

import 'package:flutter_dotenv/flutter_dotenv.dart' as DotEnv;

Future main() async {
  await DotEnv.load(fileName: ".env");
  //...runapp
}
Enter fullscreen mode Exit fullscreen mode

Now in your code you can load the variables from the .env file anywhere like this.

import 'package:flutter_dotenv/flutter_dotenv.dart';
env['SUPER_SECRET_API_KEY'];
Enter fullscreen mode Exit fullscreen mode

That's it, thanks for reading hope this short article helps!

Top comments (8)

Collapse
 
exadra37 profile image
Paulo Renato • Edited

It is always a fear that one day you might end up leaking your API key in a public git repository.

Thanks for writing down how developers can avoid this common pitfall :)

Now I would like to recommend you to read my answer in StackOverflow to the question How to protect Flutter app from reverse engineering to understand the other threats involved with using an API key in a mobile app.

My answer is split in sections:

  • How easy can it be to extract an API key from a Mobile APP?
  • Defending against Reverse Engineering
  • The Difference Between WHO and WHAT is Accessing the API Server
  • Lockdown the API server to the Mobile App

Found one more answer I gave in StackOverflow to a question with the title Securely Saving API Keys In Android (flutter) Apps, that is also split in sections:

  • How Hard Can It Be To Extract An Api Key?
    • Extract The Api Key With Static Binary Analysis
    • Extract The Api Key With A Mitm Attack
    • Extract With Instrumentation Framework
  • Storing Api Keys Encrypted In The Mobile App?
  • Firebase And Safetynet For The Rescue?
  • Proxy Or Backend Server
  • Possible Better Solution

Feel free to ask here questions about any doubt you may have after reading it.

Collapse
 
bitecode profile image
BC

This wonโ€™t make your api key safe, still very easy to get it, for example, hacker can just unzip you android package, then your asset folder will show up, next thing is just read your .env file content

Collapse
 
owenmelbz profile image
Owen Melbourne

You'd assume the "build" version of the ENV will only contain the variables that are needed to run the app, rather than everything you might have like signing entitlements etc

Collapse
 
aadityasiva profile image
Aadityasiva • Edited

Yes but if you are putting it on Github public repo it is at least safer.

Collapse
 
archenroot profile image
ArchenROOT

Using envars is common practice of how to inject security things inside some app code, its not flutter specific. But still this is not solving the core problem. How will I deliver the service account/api keys to mobile app to use it in secure way when someone just download it from google play store?

Collapse
 
cahyowhy profile image
cahyo wibowo

No use.
Still showing up when do decompile

Collapse
 
aadityasiva profile image
Aadityasiva

Your welcome!