It is always a fear that one day you might end up leaking your API key in a public git repository. In Flutter there are many ways of hiding an API key; some don't work at all and some don't work properly. In this article I will show you one way to work with API keys in Flutter.
Let's see how we can do it.
We will be using the flutter_dotenv package.
If you are using it in a project with null safety
dependencies:
flutter_dotenv: ^4.0.0-nullsafety.0
If you are using it in a project without null safety
dependencies:
flutter_dotenv: ^3.1.0
Then create a file called .env in the root directory of the project.
For those of you who don't know what a .env file is: it is simply a plain-text file in which we store secret variables as key=value pairs, so they stay out of the source code.
In the .env file you can add your secret API keys in this format:
SUPER_SECRET_API_KEY=This is a super secret API key
THIS_CAN_BE_CALLED_ANYTHING=This here can be anything like ut4ihyeFn49
Important: Never commit these .env files to your version control.
If you are using the git version control system, add the .env file to .gitignore.
After making this .env file, add it as an asset in pubspec.yaml:
assets:
- .env
Then run
flutter pub get
In your main.dart file, load the .env file before the app starts:
import 'package:flutter/material.dart';
import 'package:flutter_dotenv/flutter_dotenv.dart' as DotEnv;

Future<void> main() async {
  // The .env file is read from the asset bundle, so the Flutter bindings
  // must exist before it is loaded.
  WidgetsFlutterBinding.ensureInitialized();
  // Load the variables into memory; this must finish before runApp.
  await DotEnv.load(fileName: ".env");
  runApp(MyApp()); // MyApp is your app's root widget
}
Now anywhere in your code you can read the variables from the .env file like this:
import 'package:flutter_dotenv/flutter_dotenv.dart';

// `env` is the map filled by load(). A key that is missing from .env
// yields null, so check for that instead of assuming the value exists.
final apiKey = env['SUPER_SECRET_API_KEY'];
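The step that actually keeps the key out of a public repository is the .gitignore entry, and it is easy to get wrong: an ignore rule does nothing for a file that is already tracked or staged. The following script is an added example, not part of the article or the flutter_dotenv project; it checks both conditions for a repository and builds a throwaway repo with a constructed placeholder value to demonstrate them.

```shell
#!/bin/sh
# Added example: verify that a repository's .env file is ignored by git
# and not already tracked, before you push.

# check_env_ignored REPO_DIR
# Returns 0 when .env is safe (ignored and untracked), 1 otherwise.
check_env_ignored() {
  repo="$1"
  # 1. A tracked (committed or staged) file is never affected by .gitignore.
  if git -C "$repo" ls-files --error-unmatch .env >/dev/null 2>&1; then
    echo "UNSAFE: .env is tracked by git; untrack it with 'git rm --cached .env' and rotate the keys"
    return 1
  fi
  # 2. Would git ignore .env if it were added now?
  if git -C "$repo" check-ignore -q .env; then
    echo "OK: .env is ignored and not tracked"
    return 0
  fi
  echo "UNSAFE: .env is not matched by any .gitignore rule"
  return 1
}

# Demonstration on a constructed temporary repository.
demo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  printf 'SUPER_SECRET_API_KEY=constructed-placeholder-value\n' > "$d/.env"
  check_env_ignored "$d"          # UNSAFE: no ignore rule yet
  echo '.env' >> "$d/.gitignore"
  check_env_ignored "$d"          # OK
  git -C "$d" add -f .env         # force-staging defeats the ignore rule
  check_env_ignored "$d"          # UNSAFE: tracked
  rm -rf "$d"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run it as `sh check_env.sh demo` to see all three outcomes, or call `check_env_ignored .` from a pre-commit hook so a push never proceeds with the file tracked.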
That's it. Thanks for reading, I hope this short article helps!
Top comments (8)
Thanks for writing down how developers can avoid this common pitfall :)
Now I would like to recommend that you read my answer on StackOverflow to the question
How to protect Flutter app from reverse engineering
to understand the other threats involved with using an API key in a mobile app. My answer is split into sections:
Found one more answer I gave on StackOverflow to a question with the title
Securely Saving API Keys In Android (flutter) Apps
that is also split into sections. Feel free to ask here any questions about doubts you may have after reading it.
This won't make your API key safe; it's still very easy to get it. For example, a hacker can just unzip your Android package, then your asset folder will show up, and the next thing is just to read your .env file content.
You'd assume the "build" version of the ENV will only contain the variables that are needed to run the app, rather than everything you might have, like signing entitlements etc.
Yes, but if you are putting it on a GitHub public repo it is at least safer.
Using envars is a common practice for injecting security things into app code; it's not Flutter specific. But still this is not solving the core problem. How will I deliver the service account/API keys to a mobile app to use in a secure way when someone just downloads it from the Google Play Store?
No use.
Still shows up when you decompile.
You're welcome!