I am building a Flutter Android application for an e-commerce website that uses WooCommerce. For performing CRUD operations with the WooCommerce API, it provides a consumer_key and consumer_secret. Right now, my application just has those written into the source code. However, I have come to know that an attacker can decompile my app to get the keys.

Googling about it, I found these -

  1. People saying limit authentication to the servers, but how is that possible in this case?
  2. Code obfuscation, which still leaves the keys in the app
  3. The flutter_secure_storage package won't help because I would have to store it anyway, which means it still ends up in the code.

Some advice or solution to this problem is what I am looking for here. Is there a way around this?

Rishav
  • Possibly a duplicate of https://stackoverflow.com/questions/55663207/storing-api-credentials-in-a-flutter-application – Atamyrat Babayev Aug 25 '20 at 16:52
  • I don't think so. I already mentioned flutter_secure_storage won't help because I am not getting the keys as an HTTP response. These are API keys that are needed to access the REST API. If I store them securely through code they would be in the source code anyway – Rishav Aug 25 '20 at 17:19
  • Read the comments from that source. Your problem is exactly the same. – Rod Aug 25 '20 at 17:21
  • I am sorry but I don't see what you are referring to. Yes, it's the same problem. Comments mention a login system with which we are back to square one. And another answer mentions using AWS Lambda or other servers. Is that it? – Rishav Aug 25 '20 at 17:33
  • ok, please read this one: https://medium.com/@sokrato/storing-your-secret-keys-in-flutter-c0b9af1c0f69 – Atamyrat Babayev Aug 25 '20 at 18:03
  • "The most secure way to keep your keys as secret, is to NEVER put them in your app." - from that article)) – Atamyrat Babayev Aug 25 '20 at 18:03
  • I already went through that article. I am not looking for protecting my keys in a public repo. I want to protect them from someone if he de-compiles the app. If I never put them in my app they are secure, which is what I want to achieve. What option is there for me? – Rishav Aug 25 '20 at 18:10
  • What if you save your keys somewhere deep in your code and then use obfuscation of your code? I didn't find anything about how to safely save your keys. Link to obfuscation: https://flutter.dev/docs/deployment/obfuscate – Atamyrat Babayev Aug 25 '20 at 18:39
  • And in addition, it's too hard to decompile your app if it's not in debug mode – Atamyrat Babayev Aug 25 '20 at 18:42
  • Yes, obfuscation is one of the options I was looking into. Thanks anyway. I will look into the part about the difficulty of decompilation. – Rishav Aug 25 '20 at 20:50
  • Please post your answer with your search results for the next searchers)) – Atamyrat Babayev Aug 26 '20 at 06:09
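
One shape the "limit authentication to the servers" option from the question, and the server/Lambda suggestion in the comments, can take, as an added example that is not part of the original thread: a small backend holds consumer_key and consumer_secret in its own environment and forwards only allowlisted requests to WooCommerce over HTTPS with Basic auth. The store URL, the app-facing route names, the environment variable names and the session-derived `customer_id` are assumptions.

```python
import base64
import os
import urllib.parse
import urllib.request

STORE_URL = "https://shop.example.com"  # placeholder store address (assumption)

# The only routes the app can reach (hypothetical names); each lists the
# query parameters a client is allowed to set.
ROUTES = {
    ("GET", "/products"): ("/wp-json/wc/v3/products", {"page", "per_page", "search"}),
    ("GET", "/my-orders"): ("/wp-json/wc/v3/orders", {"page", "per_page"}),
}


class Forbidden(Exception):
    """Raised when the app asks for something outside the allowlist."""


def build_upstream_request(method, path, query, customer_id, env=os.environ):
    """Translate one app request into a WooCommerce request, adding the keys server-side.

    customer_id must come from the backend's own login/session check (assumed
    to exist), never from anything the client sends.
    """
    route = ROUTES.get((method.upper(), path))
    if route is None:
        raise Forbidden(f"{method} {path} is not exposed to the app")
    upstream_path, allowed_params = route

    # Drop every parameter the route does not list, so the client cannot widen the query.
    params = {k: v for k, v in query.items() if k in allowed_params}
    if path == "/my-orders":
        params["customer"] = str(customer_id)  # force the scope to the logged-in user

    # Keys are read from the server's environment (hypothetical variable names);
    # they are never shipped inside the APK.
    creds = f"{env['WC_CONSUMER_KEY']}:{env['WC_CONSUMER_SECRET']}".encode()
    url = f"{STORE_URL}{upstream_path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, method=method.upper())
    req.add_header("Authorization", "Basic " + base64.b64encode(creds).decode())
    return req


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    fake_env = {"WC_CONSUMER_KEY": "ck_constructed", "WC_CONSUMER_SECRET": "cs_constructed"}
    r = build_upstream_request("GET", "/my-orders", {"customer": "1", "page": "2"}, 42, fake_env)
    print(r.get_method(), r.full_url)
```

The app then calls this backend with its own per-user login, so what can be extracted from a decompiled APK is at most one user's session rather than the store-wide keys.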

0 Answers