Your API Keys are NOT SAFE in a native app 🤬

  • Published: 12 Jun 2023
  • Can you use secret keys in native apps? What happens with API keys in React Native? Let me show you how fast I can get to the source of your app, and how you can make your app more secure.
    🪐 Become a stellar React Native Dev: galaxies.dev/reactnative
    🔥 The fastest way to learn Ionic: ionicacademy.com/
    #############################
    ❤️ You can also find me on:
    Instagram: / simongrimm_
    Twitter: / schlimmson
    Facebook: / devdactic
    TikTok: / simongrimm_
    Or join the Simonics Facebook group:
    / simonics
    #############################
  • Science

Comments • 39

  • @galaxies_dev  10 months ago

    Learn React Native FAST by becoming a member of Galaxies.dev today [FREE] galaxies.dev/reactnative

  • @pietrodeveloper  9 months ago +5

    I read on React Native docs that .env files are not secure; they are stored unencrypted in memory, so they can be easily read with debuggers.
    My 3 favorite setups are: 1) Store in the code with the API key encrypted and use the backend to decrypt, for example with AWS KMS. 2) Use a secret manager behind a proxy like an AWS HTTP gateway to get the API key and implement functions in the front end. Or 3) Use a proxy like an HTTP gateway with user authorization that will trigger functions in the backend like AWS Lambda or Firebase Functions, so if you see the code you will just see a fetch to a URL you can't access.

  • @rgarafulicm  11 months ago +4

    This can have an awesome follow-up video about implementing that proxy in Node.js with an Ionic project! Please do that!!

  • @dalanxd  10 months ago +2

    Great vid, man, thx so much for the content

  • @FahimAhmed-gb2zo  11 months ago

    Hello Simon, hope you are well. I want to know, can I create the uploading progress bar (which gives me the uploading progress %) by using this plugin? Capacitor Local Notifications.

  • @chrgeorgeson  7 months ago

    Couldn't you store the API key or any encryption keys the app might be issued in Keychain?

  • @irfanbabar8424  11 months ago

    Pretty awesome and informative. I have learned about secret managers, didn't implement any yet, but I think they will be kind of a replacement for the .env file. What do you think?

    • @galaxies_dev  11 months ago

      Haven't used them but I think they could work!

  • @Meliovation  11 months ago

    Excellent reminder to be aware! Question: how do the environment files (like in Angular) protect the API keys? I assume a hacker can still get the API key by monitoring the network HTTP call to the API (like you can do in Chrome). Is the env file only used to prevent committing the API keys to GitHub? Thanks!

    • @galaxies_dev  11 months ago

      The Angular env is a pure naming convention; it's actually like any other TS file and bundled with your app. The name is confusing, it is not related to a .env file used in server environments!

    • @Meliovation  11 months ago

      @@galaxies_dev That IS confusing! I assumed (was hoping) that some magic was happening in terms of security with Angular but it didn't seem like anything was happening. Other than the advice to add the .env files to gitignore.

    • @alexkode  11 months ago

      @@galaxies_dev So Angular env files are not secure to store API keys, right? They can still find it?

  • @user-tn2ht2pd1v  11 months ago

    Could you do a video for points 1-4? Very interesting.

  • @milothoxha2513  11 months ago +1

    Pretty interesting... What would be the best way to store API keys and have them hidden in the bundle?

    • @galaxies_dev  11 months ago +2

      Don't have them at all in any client-side code :)

  • @ibraaaa-tr5vk  19 days ago

    goated vid wallahi

  • @lavenduct2001  1 month ago

    Was this not the same reason Flash & AIR were crucified?

  • @ThomazMartinez  11 months ago +2

    How did you get the VS Code button in Finder?

    • @mimpelf8348  11 months ago

      yeah, how?

    • @galaxies_dev  11 months ago

      Check out this way: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/

  • @swp44744  11 months ago

    What do you think of Expo SecureStore for RN apps?

    • @galaxies_dev  11 months ago

      It's good, but it won't help for stuff like API keys, as you would still have to add them to your codebase and write them to secure storage. More useful for stuff like auth tokens!

  • @domthefounder  2 months ago

    I think my default AWS Amplify is secure in this way

  • @tclark  11 months ago +2

    That Visual Studio Code icon though! How?

    • @galaxies_dev  11 months ago

      I think I used a GitHub script a while ago, but here's a tutorial on how you can add a simple automation to make it work: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/

    • @tclark  11 months ago

      @@galaxies_dev Cool, thanks mate!

  • @try-new-game  8 months ago

    Thank you for the good video.
    Currently, I only use the server API address (domain). The .env file is in use.
    Thinking of using the server profile (dev or prod),
    getting the API address from MySQL and dynamically assigning it to react-native-config.
    What do you think?

    • @galaxies_dev  8 months ago +1

      I haven't done that, but only revealing a URL shouldn't be a problem in general!

    • @successhycenth  8 months ago

      @@galaxies_dev What about secret keys, and what are your thoughts about these React Native keychain libraries available everywhere?

  • @edge0601  3 months ago

    This is the imposter syndrome I have, thanks. React Native is making me happy and sad at the same time

  • @arunaditya2655  1 month ago

    ProGuard left the chat

  • @HackHeyner  11 months ago

    [nervous laugh] ha..ha...ha.... of course it is....

  • @prifysports7654  5 months ago

    Like, can't Google fix this mess themselves?

    • @UnchartedWorlds  3 months ago

      They have: the Android Play Integrity API. It's just that Expo and React Native do not offer you an easy way to call the Play Integrity API from your app. I'm researching this myself, and it's not easy to find much information on how to set up a React Native app with the "Android Play Integrity API", which will help you protect your backend from being abused by impostors pretending to be your app.

  • @shawqidia5587  11 months ago

    Hi Simon, is there an email I can contact you at?