I'm developing an app in Flutter using Back4App as the backend; the app will be developed for Android and iOS. To initialize the backend when the app starts, I need to pass in an application key and application client key, both of which should be kept confidential. How should I go about storing these?

void main() async {
  WidgetsFlutterBinding.ensureInitialized();

  const keyApplicationId = 'super_secret_app_id';
  const keyClientKey = 'super_secret_client_key';
  const keyParseServerUrl = 'super_secret_parse_server_url';
  const liveQueryURL = "super_secret_livequery_url";

  await Parse().initialize(keyApplicationId, keyParseServerUrl,
      clientKey: keyClientKey, liveQueryUrl: liveQueryURL, debug: true);

  runApp(MaterialApp(
    title: "Super Cool App",
    initialRoute: '/splashScreen',
    builder: BotToastInit(),
    navigatorObservers: [BotToastNavigatorObserver()],
    routes: {
      // login routes and account creation
      '/login': (context) => LoginPage(),
      '/splashScreen': (context) => SplashScreen(),
    },
  ));
}

From looking around, I've seen that environment variables may be the way to go, but this is my first attempt at creating and deploying an app to Android and iOS, so I'm not sure how to configure environment variables, or at which step I should be doing so.

OBurnsy22

1 Answer


The app credentials can be easily retrieved by using reverse engineering.

That's the reason there are different keys and not only the master key.

The only key you must make sure you are not using on the front end is the Master Key, as this one can bypass any ACL/CLP rules you might have set.

As you mentioned Back4App, please check the following guide. There are some security tips you can follow:

https://www.back4app.com/docs/security/parse-security

Charles
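
An added example, not part of the question or the answer: the client-side keys are supplied at build time with `--dart-define`, no master key is passed to the SDK, and an owner-only ACL is set on saved data so that access is decided by the server. The `PARSE_*` define names, the `Note` class and the helper names `initBackend` and `savePrivateNote` are hypothetical, and the import path assumes a recent `parse_server_sdk_flutter` release.

```dart
// Build or run with, for example:
//   flutter run --dart-define=PARSE_APP_ID=<app id> \
//               --dart-define=PARSE_CLIENT_KEY=<client key> \
//               --dart-define=PARSE_SERVER_URL=<server url>
// The values are compiled into the app, so this keeps them out of version
// control, not out of the shipped binary.
import 'package:parse_server_sdk_flutter/parse_server_sdk_flutter.dart';

// Hypothetical define names; String.fromEnvironment yields '' when unset.
const appId = String.fromEnvironment('PARSE_APP_ID');
const clientKey = String.fromEnvironment('PARSE_CLIENT_KEY');
const serverUrl = String.fromEnvironment('PARSE_SERVER_URL');

/// Initializes the Parse SDK with client-side credentials only.
Future<void> initBackend() async {
  // Fail fast when a define is missing instead of starting half-configured.
  final missing = {
    'PARSE_APP_ID': appId,
    'PARSE_CLIENT_KEY': clientKey,
    'PARSE_SERVER_URL': serverUrl,
  }.entries.where((e) => e.value.isEmpty).map((e) => e.key).toList();
  if (missing.isNotEmpty) {
    throw StateError('Missing --dart-define: ${missing.join(', ')}');
  }

  // No masterKey argument here: the master key bypasses ACL/CLP rules,
  // so it stays on the server and never ships in the app.
  await Parse().initialize(appId, serverUrl, clientKey: clientKey);
}

/// Saves a note that only [owner] can read or write. The server enforces
/// the ACL, so protection does not depend on the client key staying secret.
/// [owner] must be a logged-in user (it needs an objectId).
Future<ParseResponse> savePrivateNote(ParseUser owner, String text) {
  final note = ParseObject('Note') // 'Note' is a hypothetical class name
    ..set('text', text)
    ..setACL(ParseACL(owner: owner));
  return note.save();
}
```

Call `await initBackend();` from `main()` after `WidgetsFlutterBinding.ensureInitialized()` and before `runApp(...)`.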