How to securely store secret keys on react-native client side?

前端 未结 1 1679
旧时难觅i
旧时难觅i 2021-02-05 13:44

Let\'s say i\'m building a react-native app with firebase, which assumes having secret key in app. Is it possible for someone to steal the key? If so, then how do i protect it?<

相关标签:
1条回答
  • 2021-02-05 13:45

    There's no 100% secure way to store anything secret on the device because you have no control over access to the source. The only way to guarantee security of your keys is to never have them on the device in the first place.

    Any solution you find will have a flaw, illustrated quite nicely by this article by Michael Ramirez

    You need to strike a balance of how secure you really need those keys to be.

    For example on Android we store some of our keys we care less about for Google and other APIs in a res/values/secrets.xml string file, which is not committed to version control. It's easy for someone to strings out_app.api, but we've already decided to care less about securing those keys.

    <resources>
        <string name="google_api_key">OurApiKey</string>
    </resources>
    

    If you're working with ReactNative on Android & depending on the types of key you want to store, you could make use of the Android Keystore System using the Keystore API however I don't think this will work for storing Firebase keys.

    0 讨论(0)
提交回复
热议问题