Ultimate Guide for API key management in Flutter Projects

Slide: Introduction of Topic

News on API Keys

• Government - US Treasure hacked by filtered API keyunauthorized entities Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

  • BeyondTrust customers hit by wave of attacks linked to compromised API key

• AI - Deepseek API keys filtered LLM Hijackers Quickly Incorporate DeepSeek API Keys

• Money/ Coinbase security issues / Not Rotating your keys / legacy API Keys - Coinbase Security Issues: The Risks of Exposed Legacy API Keys

  • $25 million stolen Hacker Uses Compromised API Keys to Steal $25M from Kronos Research

Section 2 - Understanding API Keys Common Pitfalls and How to Avoid Them

Slide: Common Pitfalls and How to Avoid Them / best practices

Some common mistakes include hardcoding API keys in the source code and not rotating them regularly.

Managing API keys effectively is crucial for maintaining the security and functionality of your applications. Here are some best practices to follow:

1. Secure Storage: Store API keys securely to prevent unauthorized access. Avoid hardcoding them in your source code. Instead, use environment variables, encrypted databases, or dedicated secrets management services A.

2. Access Control: Limit access to API keys within your organization. Implement the principle of least privilege, ensuring that only authorized personnel can retrieve and use the keys A.

3. Usage Monitoring: Keep track of how and where API keys are used. Monitoring helps identify unusual patterns that might indicate a security issue or a breach A.

4. Rotation and Renewal: Regularly update or rotate API keys, especially if there's a suspicion of compromise or as a routine security practice. This minimizes the window of opportunity for any misuse if a key is compromised A.

5. Encryption: Always encrypt API keys, both at rest and in transit. This ensures that even if the keys are intercepted, they cannot be easily used A.

6. Auditing and Monitoring: Conduct regular audits and monitoring of API key usage to detect and respond to any unauthorized access or anomalies A.

7. Key Generation: Generate API keys that are unique, random, and non-guessable. Use alphanumeric and special characters to enhance security B.

8. User Education: Educate users about the importance of API key security and the best practices for handling them. Inform them that API keys should be treated like passwords and stored securely B.

---

Section 3 - API Key Management in Development

Slide: DO NOT EVER

• Committing a secret key to version control, making it visible to everyone on the Internet 🤯

• Forgetting to obfuscate your API keys, making it easier for attackers to reverse engineer your app and extract the keys 🛠

• add to a gitignore file

1. Hard-coding the key inside a Dart file

2. Passing the key using --dart-define

Compiling and running the app with --dart-define

To mitigate risk, we can obfuscate our Dart code when we make a release build (more on this below).

New in Flutter 3.7: use --dart-define-from-file

Using dart defines inside launch.json in VSCode

Note about Obfuscation

• Obfuscating Dart code

How to securely share API keys with other team members?

 1Password CLI 
Large organizations often have their own solutions for managing secrets. So if you are setting up your own project and making architecture decisions, 1Password CLI is an option I would recommend, though you should check with your team if a solution is already in use or preferred. This is where the need for documentation shines to keep projects running smoothly, specially as your project (and team) scale

---

Section 4 - API Key Management in Production

client app --> (auth) server --> API.

Slide 5: Production Best Practices

API Key Management in Production

Source: Production Security

Firebase Secret Manager and Firebase Functions

Detailed Tutorial for Firebase and Secret Manager, option 4
Secret Manager tutorial stackOverflow

Slide: Best Practices in Production

• Secure Storage Solutions: Utilize secure cloud services or key vaults to manage your API keys.

Create a Firebase project
Add Firebase to your Flutter app

---

Section 5 - Monitoring and Rotating API Keys

Slide 7: Monitoring and Rotating Keys

Source: Key Rotation Strategies

---

Section 6 - Other Tools and Libraries

Source: API Management Tools

1. Flutter Secure Storage: A library that provides secure storage for sensitive data, such as API keys. It uses the platform's secure storage mechanisms (Keychain on iOS and Keystore on Android).

   • Flutter Secure Storage

2. Envify: A tool for managing environment variables in Flutter projects. It helps you keep API keys and other sensitive information out of your source code.

   • Envify

3. Dotenv: A library that loads environment variables from a .env file. It's useful for managing API keys and other configuration settings.

   • Dotenv (poiint to Andrea Bizoto tutorial for more information on how to implement )

4. Firebase Remote Config: A service that allows you to store and retrieve configuration settings, including API keys, from a remote server. It provides a secure way to manage and update your keys without redeploying your app.

   1. => Khan's example => Puf, regarding using Firebase Remote Config for API keys
   2. Firebase Remote Config

5. AWS Secrets Manager: A service that helps you protect access to your applications, services, and IT resources without the upfront cost and complexity of managing your own hardware security module (HSM) infrastructure.

   • AWS Secrets Manager

6. Azure Key Vault: A cloud service for securely storing and accessing secrets, such as API keys, passwords, and certificates. It integrates well with Flutter projects hosted on Azure.

   • Azure Key Vault

7. Google Cloud Secret Manager: A secure and convenient way to store API keys and other secrets. It integrates with Google Cloud services and provides fine-grained access control.

   • Google Cloud Secret Manager

8. Vault by HashiCorp: An open-source tool for securely managing secrets and protecting sensitive data. It provides a unified interface to access secrets across different environments.

   • Vault by HashiCorp

---

Section 7 - Conclusion and Takeaways

Recap of key points Final thoughts and best practices

• During development - you can afford to make some quick decisions to continue development. If you are building a demo or proof of concept, reaching to the cloud might be beyond the scope of your project. As long as you have a plan in place before any deployments. AND whatever you do, have your systems in place so you NEVER commit your keys and other sensitive data to your repository.

• Apps in Production - Depending on the project, sensitivity of the data and how seasoned and/or large your development team is; Sometimes it is best to do things the right way form the beginning. client => (auth) server => client

• Rotate your keys!

How to reach me

Valeria Durán Ruiz Contact Information

TechViolet Software and more to come!
Keep building with Flutter and supporting our amazing Flutteristas community!