Protecting API keys in Flutter

#flutter #security #inthirtyseconds

It is always a fear that one day you might end up leaking your API key in a public git repository. In flutter is there are many ways of hiding the API key some are not working and some don't work properly in this article I will be showing you one way to work with API keys in flutter.

Let's see how we can do it

We will be using this package
If you are using it in a project with null safety

dependencies:
  flutter_dotenv: ^4.0.0-nullsafety.0

If you are using it in a project without null safety

dependencies:
  flutter_dotenv: ^3.1.0

then create a file in the root directory called .env

For those of you who don't know what a .env file is it is basically a file in which we store secret variables.

In the .env file you can add your secret API keys in this format

SUPER_SECRET_API_KEY=This is a super secret API key 
THIS_CAN_BE_CALLED_ANYTHING=This here can be anything like ut4ihyeFn49

Important: Never commit these .env files in your version control.
If you are using git version control system add the .env file to .gitignore

After making this .env file add it as an asset in the pubspec.yaml

assets:
  - .env

Then run

flutter pub get

In your main.dart file load the .env file

import 'package:flutter_dotenv/flutter_dotenv.dart' as DotEnv;

Future main() async {
  await DotEnv.load(fileName: ".env");
  //...runapp
}

Now in your code you can load the variables from the .env file anywhere like this.

import 'package:flutter_dotenv/flutter_dotenv.dart';
env['SUPER_SECRET_API_KEY'];

That's it, thanks for reading hope this short article helps!

Top comments (8)

Paulo Renato • Apr 26 '21 • Edited

It is always a fear that one day you might end up leaking your API key in a public git repository.

Thanks for writing down how developers can avoid this common pitfall :)

Now I would like to recommend you to read my answer in StackOverflow to the question How to protect Flutter app from reverse engineering to understand the other threats involved with using an API key in a mobile app.

My answer is split in sections:

How easy can it be to extract an API key from a Mobile APP?
Defending against Reverse Engineering
The Difference Between WHO and WHAT is Accessing the API Server
Lockdown the API server to the Mobile App

Found one more answer I gave in StackOverflow to a question with the title Securely Saving API Keys In Android (flutter) Apps, that is also split in sections:

How Hard Can It Be To Extract An Api Key?
- Extract The Api Key With Static Binary Analysis
- Extract The Api Key With A Mitm Attack
- Extract With Instrumentation Framework
Storing Api Keys Encrypted In The Mobile App?
Firebase And Safetynet For The Rescue?
Proxy Or Backend Server
Possible Better Solution

Feel free to ask here questions about any doubt you may have after reading it.

BC • Apr 23 '21

This won’t make your api key safe, still very easy to get it, for example, hacker can just unzip you android package, then your asset folder will show up, next thing is just read your .env file content

Owen Melbourne • Aug 2 '21

You'd assume the "build" version of the ENV will only contain the variables that are needed to run the app, rather than everything you might have like signing entitlements etc

Aadityasiva • Apr 23 '21 • Edited

Yes but if you are putting it on Github public repo it is at least safer.

ArchenROOT • Oct 18 '21

Using envars is common practice of how to inject security things inside some app code, its not flutter specific. But still this is not solving the core problem. How will I deliver the service account/api keys to mobile app to use it in secure way when someone just download it from google play store?