How to securely store secret keys on react-native client side?

Question

Let\'s say i\'m building a react-native app with firebase, which assumes having secret key in app. Is it possible for someone to steal the key? If so, then how do i protect it?<

Answer 1

There's no 100% secure way to store anything secret on the device because you have no control over access to the source. The only way to guarantee security of your keys is to never have them on the device in the first place.

Any solution you find will have a flaw, illustrated quite nicely by this article by Michael Ramirez

You need to strike a balance of how secure you really need those keys to be.

For example on Android we store some of our keys we care less about for Google and other APIs in a res/values/secrets.xml string file, which is not committed to version control. It's easy for someone to strings out_app.api, but we've already decided to care less about securing those keys.

    OurApiKey

If you're working with ReactNative on Android & depending on the types of key you want to store, you could make use of the Android Keystore System using the Keystore API however I don't think this will work for storing Firebase keys.