
Problem: expo OTA bundle contains plain secrets.

I have a question regarding "what is the right way to fix it".

We have an Expo React Native app written in TypeScript. This app calls API endpoints after initial auth and OAuth2 token retrieval (not that important).

API auth requires a username/password; those are stored as environment variables, e.g. in a .env file. The secrets are then used in code to build a request in the following way:

    import { USER, PASSWORD, API_URL } from "@env";
    ....

    private async _authenticate() {
        const body = `username=${USER}&password=${PASSWORD}`;
        const response = ......

So far so good.

But since we like the idea of the OTA and Expo combination, we use expo export --public-url $EXPO_UPDATE_URL. The bundle is generated and then placed on a server.

But close inspection reveals that the bundle (publicly available for the mobile app to download) contains raw, plain passwords. That seems like a massive security flaw.

Are we doing it "the wrong" way? How should we fix it, at least to obfuscate the Expo bundle?

Thanks!

morf

1 Answer

I would advise you to use Hermes with Expo. Hermes converts your JS bundle to bytecode; even though you can disassemble it, it adds an extra layer of obfuscation!

Taym95
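As an added example that is not part of the question or the answer: a pre-publish check in TypeScript that parses the .env file and reports which secret values appear verbatim in the output of expo export, so the leak shown in the question is caught in CI before the bundle is uploaded (bytecode or not, a value that is in the bundle is still shipped). The function names, the sample values and the publicKeys allow-list are my own assumptions.

```typescript
/** Parse KEY=VALUE lines of a dotenv file; comments, blanks and quotes are handled. */
function parseDotenv(text: string): Map<string, string> {
  const vars = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    // Strip one layer of matching single or double quotes.
    const q = value.charAt(0);
    if (value.length >= 2 && (q === '"' || q === "'") && value.endsWith(q)) value = value.slice(1, -1);
    vars.set(key, value);
  }
  return vars;
}

/**
 * Return the names of .env keys whose values occur verbatim in the exported bundle.
 * Keys listed in `publicKeys` (values meant to ship, such as an API base URL) are
 * skipped, as are values too short to be a meaningful match.
 */
function findLeakedSecrets(
  envText: string,
  bundleText: string,
  publicKeys: Set<string> = new Set(),
  minLength = 4,
): string[] {
  const leaked: string[] = [];
  parseDotenv(envText).forEach((value, key) => {
    if (publicKeys.has(key) || value.length < minLength) return;
    // Bundlers emit the value inside a JS string literal, so quotes and
    // backslashes in it appear escaped; check that spelling as well.
    const escaped = JSON.stringify(value).slice(1, -1);
    if (bundleText.includes(value) || bundleText.includes(escaped)) leaked.push(key);
  });
  return leaked;
}

// Constructed sample input standing in for .env and an exported bundle (hypothetical values).
const SAMPLE_ENV = `# API credentials
USER=svc-mobile
PASSWORD="s3cr3t-p@ss"
API_URL=https://api.example.com
`;
const SAMPLE_BUNDLE =
  'var body="username=svc-mobile&password=s3cr3t-p@ss";fetch("https://api.example.com/oauth/token")';
// A non-empty result means the publish step must fail; here it is ["USER", "PASSWORD"].
const SAMPLE_RESULT = findLeakedSecrets(SAMPLE_ENV, SAMPLE_BUNDLE, new Set(["API_URL"]));
```

In a real pipeline, read .env and every file under the expo export output directory and run findLeakedSecrets over each before uploading.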