To deploy an expo app with eas that needs access to an api key for googlemaps, you have to specify it in the app.json/app.config.js, but that raises some security issues for me. is anyone that has access to my app can read that file and get my key ?
If the answer is yes, how can i secure it ? is it possible to dynamically set it ?
thank you.
is anyone that has access to my app can read that file and get my key ?
yes, this is also true for any android/ios app (not only react-native) and website that is using google maps.
how can i secure it ?
you can’t, if something is client side it can’t be secured.
is it possible to dynamically set it ?
I’m not sure in general for android and iOS apps, but not in a managed expo project. How setting that dynamically would make it more secure?
Hello, thank you for your response.
by Dynamically setting it i meant not setting the value directly in the app, but rather fetching it from an api and setting it during runtime.
But the thing is even this solution won’t work because the value has to be set before building the app with eas right ?
by Dynamically setting it i meant not setting the value directly in the app, but rather fetching it from an api and setting it during runtime.
someone with an app could listen for network request and just take it from the request body or find url in a js bundle. It’s a bit more work, but not by a huge margin. The best you can do is to only serve that API key to authenticated users, but that wouldn’t help much.
But the thing is even this solution won’t work because the value has to be set before building the app with eas right ?
Yes I think so, but I’m not familiar with rect-native-maps to say that for sure. It’s possible that there are APIs in native code that would allow setting API key after app starts.
1 Like