I am developing an app with Dart Flutter and I will publish this app in stores. So thousands of people will use this app.
I set up a notification system with OneSignal for this application.But if this app's APK file somehow gets access and is decrypted, the OneSignal key is also found.
Finding the key can have dire consequences.
What measures can I take for this? How can I hide the key?
CodePudding user response:
Generally, you should not use any sensitive data in your application. Most of the keys provided to Flutter are Client
keys, which means it's less destructive than server
aka (secrets).
As I have checked OneSignal,
they provide only Client_ID
to Flutter SDK which is ok to keep, and the REST_KEY
is supposed to be used in the backend and must be securely protected.
You may have two ways to protect your sensitive data:
- Use services such as Firebase Remote Config and provide the key. This is technically a safe way to provide keys.
- Use a backend API you and your team build and proxy all requests from your Flutter application via that. A Function could be a serverless function only to proxy your request protected for your application, or you can do it in the backend of your choice.
You can read more here too.