Your API Keys are NOT SAFE in a native app 🤬

Can you use secret keys in native apps? What happens with API keys in React Native? Let me show you how fast I can get to the source of your app, and how you can make your app more secure.

Comments

I read in the React Native docs that .env files are not secure; they are stored unencrypted in memory, so they can be easily read with debuggers.
My 3 favorite setups are:
1) Store the API key encrypted in the code and use a backend to decrypt it, for example with AWS KMS.
2) Use a secret manager behind a proxy like an AWS HTTP gateway to get the API key, and implement the functions in the front end.
3) Use a proxy like an HTTP gateway with user authorization that triggers functions in the backend, like AWS Lambda or Firebase Functions, so if you see the code you will just see a fetch to a URL you can't access.

pietrodeveloper

This could have an awesome follow-up video about implementing that proxy in Node.js with an Ionic project! Please do that!!

rgarafulicm

Frida is a tool used in mobile app security testing. It allows developers and security researchers to inject their own scripts into running apps on a phone. This helps them understand how the app works internally, find vulnerabilities, and test security measures. For example, Frida can be used to see how an app processes data, modify the app's behavior, or bypass security features like root detection.

Blocking Frida can make it harder for attackers to analyze or modify your app, but it isn't foolproof. Experienced attackers can often find ways to bypass these blocks. They might:

1. Use modified versions of Frida that are harder to detect.

2. Employ other tools or techniques to achieve similar goals.

3. Obfuscate their use of Frida to avoid detection.

While blocking Frida can improve your app's security, it's important to use it alongside other security measures, such as code obfuscation, encryption, and regular security testing, to provide more comprehensive protection.

It's futile no matter what. Even if you implement Frida or root detection in your app, it is possible to bypass it. It's attackable by experienced attackers.

silientlips

Great vid, man, thx so much for the content

dalanxd

Was this not the same reason Flash & AIR were crucified?

lavenduct

Couldn't you store the API key, or any encryption keys the app might be issued, in the Keychain?

chrgeorgeson

Pretty interesting... What would be the best way to store API keys and keep them hidden in the bundle?

milothoxha

That Visual Studio code icon tho! How?

tclark

Excellent reminder to be aware! Question: how do the environment files (like in Angular) protect the API keys? I assume a hacker can still get the API key by monitoring the network HTTP call to the API (like you can do in Chrome). Is the env file only used to prevent committing the API keys to GitHub? Thanks!

Meliovation

Pretty awesome and informative. I have learned about secret managers, but haven't implemented any yet. I think they will be a kind of replacement for the .env file. What do you think?

irfanbabar

I think my default AWS Amplify setup is secure in this way.

abstractionGod

Soo, is .env safe? Like, if I build an app with .env it will obviously still have to take those secret keys and inject them into the bundle, which, by what you are saying, are still "easily" accessible just by unpacking? :D

MrAmG

How did you get the VS Code button in Finder?

ThomazMartinez

Could you do a video on points 1-4? Very interesting.

tnhtpdv

Hello Simon, hope you are well. I want to know: can I create an upload progress bar (one that gives me the upload progress %) by using this plugin? Capacitor Local Notifications.

FahimAhmed-gbzo

This is the imposter syndrome I have; thanks, React Native is making me happy and sad at the same time.

edge

What do you think of Expo SecureStore for RN apps?

swp

[nervous laugh] ha..ha...ha.... of course it is....

HackHeyner

Like, can't Google fix this mess themselves?

prifysports

Thank you for the good video.
Currently, I only use the server API address (domain). The .env file is in use.

I'm thinking of using the server profile (dev or prod),
getting the API address from MySQL and dynamically assigning it to react-native-config.

What do you think?

try-new-game