Let's say I'm building a React Native app with Firebase, which assumes having a secret key in the app. Is it possible for someone to steal the key? If so, then how do I protect it?
-
I have the same question. For example, how secure is it to use https://www.npmjs.com/package/react-native-oauth in React Native apps? – Broda Noel Nov 24 '16 at 02:03
-
Not sure, looking for the answers to this as well. Can you please start a bounty? I can't start a bounty for some reason on the UI. – Alexander Mills Feb 01 '17 at 21:58
-
Storing the secret on device is never secure, no matter how much you obfuscate it. If your secret key must stay secret, put it behind a secure server. – jaws Apr 28 '17 at 21:06
1 Answer
There's no 100% secure way to store anything secret on the device because you have no control over access to the source. The only way to guarantee security of your keys is to never have them on the device in the first place.
Any solution you find will have a flaw, illustrated quite nicely by this article by Michael Ramirez.
You need to strike a balance of how secure you really need those keys to be.
For example, on Android we store some of our keys we care less about for Google and other APIs in a res/values/secrets.xml string file, which is not committed to version control. It's easy for someone to strings out_app.api, but we've already decided to care less about securing those keys.
<resources>
    <string name="google_api_key">OurApiKey</string>
</resources>
If you're working with React Native on Android, and depending on the types of key you want to store, you could make use of the Android Keystore System using the Keystore API; however, I don't think this will work for storing Firebase keys.

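The answer's point about running strings over the app can be turned into a release check on your own build. The sketch below is an added example, not code from the answer or from any project: it takes the entries of a secrets.xml file and reports which values are recoverable from an artifact's raw bytes. The function names, the server_only_key entry and the sample bytes are constructed for illustration, and the artifact is assumed to be a single uncompressed file already extracted from the package.

```javascript
// Added example: which values from an uncommitted secrets.xml can be read
// back out of a build artifact's raw bytes? Sample data below is constructed.

// Pull name/value pairs out of <string name="...">value</string> entries.
function parseSecretsXml(xml) {
  const entries = [];
  const re = /<string\s+name="([^"]+)"\s*>([^<]*)<\/string>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    entries.push({ name: m[1], value: m[2].trim() });
  }
  return entries;
}

// Android string pools may be UTF-8 or UTF-16LE, so search for both forms.
// `artifact` is a Buffer holding one uncompressed file from the package.
function findEmbeddedSecrets(artifact, secrets) {
  const hits = [];
  for (const { name, value } of secrets) {
    if (value.length === 0) continue; // an empty needle would match anywhere
    for (const encoding of ['utf8', 'utf16le']) {
      const offset = artifact.indexOf(Buffer.from(value, encoding));
      if (offset !== -1) hits.push({ name, encoding, offset });
    }
  }
  return hits;
}

// Constructed inputs: the secrets file from the answer plus a hypothetical
// key that is kept server-side, and a fake resource blob (not a real APK).
const sampleXml = `<resources>
  <string name="google_api_key">OurApiKey</string>
  <string name="server_only_key">NeverShipped</string>
</resources>`;
const sampleArtifact = Buffer.concat([
  Buffer.from([0x02, 0x00, 0x0c, 0x00]), // made-up header bytes
  Buffer.from('OurApiKey', 'utf16le'),   // the value as a string pool stores it
  Buffer.from([0x00, 0x00]),
]);

function auditSample() {
  return findEmbeddedSecrets(sampleArtifact, parseSecretsXml(sampleXml));
}
console.log(auditSample());
```

Any name this check reports should be treated as public once the app ships; keys that must stay secret belong behind a server, as the comment above says.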