DEV Community


Protecting API keys in Flutter

Aadityasiva
👋 I am Aadityasiva Sabarinathan, a cross-platform developer and a graphic designer. I develop for mobile, desktop, web and packages for other developers.
2 min read

It is always a fear that one day you might end up leaking your API key in a public git repository. In Flutter there are many ways of hiding the API key; some do not work at all and some do not work properly. In this article I will show you one way to work with API keys in Flutter.

Let's see how we can do it.

We will be using the flutter_dotenv package. Add it to the dependencies in your pubspec.yaml.
If you are using it in a project with null safety:

dependencies:
  flutter_dotenv: ^4.0.0-nullsafety.0

If you are using it in a project without null safety:

dependencies:
  flutter_dotenv: ^3.1.0

Then create a file in the root directory of the project called .env.

For those of you who don't know what a .env file is: it is basically a file in which we store secret variables.

In the .env file you can add your secret API keys in this format:

SUPER_SECRET_API_KEY=This is a super secret API key 
THIS_CAN_BE_CALLED_ANYTHING=This here can be anything like ut4ihyeFn49

Important: Never commit these .env files to your version control.
If you are using the git version control system, add the .env file to .gitignore.
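To enforce that rule mechanically rather than by memory, here is an added pre-commit hook (example code, not part of flutter_dotenv or of this post) that refuses a commit when a dotenv file is staged or when a staged file contains an API-key style assignment, and checks that .gitignore lists .env. The function names, the filename patterns and the regular expression are assumptions of this example.

```shell
#!/bin/sh
# Added example: a git pre-commit guard for the .env rule above.
# Install with: cp this file .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

# Returns 0 when the .gitignore at $1 lists the .env file, 1 otherwise.
# Accepts the common spellings ".env", "/.env" and "*.env".
gitignore_covers_env() {
  [ -f "$1" ] && grep -qxE '/?\.env|\*\.env' "$1"
}

# Returns 0 when no file in the argument list is a dotenv file or contains a
# secret-looking assignment with a non-empty value; returns 1 otherwise.
# Template files (.env.example) with empty values such as "API_KEY=" pass.
check_files() {
  status=0
  for f in "$@"; do
    case "$(basename "$f")" in
      .env.example|.env.sample) ;;          # committed templates are fine
      .env|.env.*)
        echo "blocked: $f is a dotenv file; keep it in .gitignore" >&2
        status=1
        continue ;;
    esac
    # Constructed pattern: NAME=value where NAME mentions a key, secret or token.
    if [ -f "$f" ] && grep -Eqi '^[A-Z0-9_]*(API_KEY|SECRET|TOKEN)[A-Z0-9_]*=.+' "$f"; then
      echo "blocked: $f contains an API-key style assignment" >&2
      status=1
    fi
  done
  return $status
}

# Hook entry point: verify the .gitignore rule, then scan what is staged.
pre_commit() {
  gitignore_covers_env .gitignore || {
    echo "blocked: .env is not listed in .gitignore" >&2; return 1; }
  set -f   # no glob expansion while splitting the staged file list
  check_files $(git diff --cached --name-only --diff-filter=ACM)
  rc=$?
  set +f
  return $rc
}

# Run the checks only when git invokes this script as the pre-commit hook.
case "$0" in
  */pre-commit) pre_commit ;;
esac
```

Keep in mind that this guard only keeps the key out of the repository: once .env is bundled as an asset, it ships inside the installed app package, as the discussion below points out.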

After making this .env file, add it as an asset in pubspec.yaml:

assets:
  - .env

Then run:

flutter pub get

In your main.dart file, load the .env file before the app starts:

import 'package:flutter_dotenv/flutter_dotenv.dart' as DotEnv;

Future main() async {
  await DotEnv.load(fileName: ".env");
  //...runapp
}

Now, anywhere in your code, you can read the variables from the .env file like this:

import 'package:flutter_dotenv/flutter_dotenv.dart';
env['SUPER_SECRET_API_KEY'];

That's it, thanks for reading hope this short article helps!

Discussion (5)

Paulo Renato • Edited

It is always a fear that one day you might end up leaking your API key in a public git repository.

Thanks for writing down how developers can avoid this common pitfall :)

Now I would like to recommend that you read my answer on StackOverflow to the question "How to protect Flutter app from reverse engineering", to understand the other threats involved with using an API key in a mobile app.

My answer is split into sections:

  • How easy can it be to extract an API key from a Mobile APP?
  • Defending against Reverse Engineering
  • The Difference Between WHO and WHAT is Accessing the API Server
  • Lockdown the API server to the Mobile App

I found one more answer I gave on StackOverflow to a question with the title "Securely Saving API Keys In Android (flutter) Apps", which is also split into sections:

  • How Hard Can It Be To Extract An Api Key?
    • Extract The Api Key With Static Binary Analysis
    • Extract The Api Key With A Mitm Attack
    • Extract With Instrumentation Framework
  • Storing Api Keys Encrypted In The Mobile App?
  • Firebase And Safetynet For The Rescue?
  • Proxy Or Backend Server
  • Possible Better Solution

Feel free to ask questions here about any doubts you may have after reading it.

Bo

This won't make your API key safe; it is still very easy to get it. For example, a hacker can just unzip your Android package, then your asset folder will show up, and the next thing is just to read your .env file content.

Aadityasiva Author • Edited

Yes, but if you are putting it on a GitHub public repo it is at least safer.

Aayush Gupta

Nice recommendation, thanks!

Aadityasiva Author

You're welcome!