Secret vars must be plain text for local dev environment. Isn't this a security issue?

The secret vars need to be somewhere (.env, app.config.js, etc.) for availability in the local dev environment. These vars are plain text and are sent to the EAS server; isn't that a security issue? I read the doc but it seems strange to me. Thanks!

can you elaborate on what you are using secrets for? i think you may be misunderstanding what secrets on eas build are for – you should not be using any secrets inside of your application code. secrets on eas build are intended for things like your sentry api key, which is used during the build process to upload your sourcemaps but not included in your application code. you may find this doc to be useful: Security · React Native

Sorry for the delay…

If I have a value in eas.json but not in app.config.js, that value is not accessible when I run expo start --dev-client. E.g. without my Google API key in app.config.js, login/subscribe with Google doesn't work when I run expo start --dev-client; it just works on a production/internal build.

Currently I use a .env file which is loaded in app.config.js and eas.json. When I send it to EAS, my secrets can be seen as plain text in the Read app config step. This is my confusion point: is this behavior expected?

Those values can be accessed by anyone if they download the apk or ipa from the store and unzip it. It is not an expo/react-native issue; any secrets in client-side code can be accessed if someone is determined enough.

If you don't want to keep those values in your repo you can keep using eas secrets for that, but this is not why this feature exists. The main use case for it is to pass secrets that are not part of the build, as brent mentioned above, e.g. sentry keys, ssh keys, git-crypt key, keys for private npm registries.
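One way to make the point above checkable before a release, as an added example that is not from this thread or from Expo: scan the built JS bundle for every value in the project's .env file and report which ones ended up in client-side code. The .env and bundle contents below are constructed samples, and the list of intentionally public names (such as a Google OAuth client ID, which is not a secret) is an assumption passed in by the caller.

```javascript
// Added example, not from the thread: detect .env values that were bundled
// into client-side code. Assumes a KEY=VALUE .env file and a plain-text JS bundle.

// Parse KEY=VALUE lines (comments and blank lines ignored,
// surrounding single/double quotes stripped from the value).
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Return the names of .env entries whose values appear verbatim in the
// bundle, excluding names the caller declares intentionally public.
// Very short values are skipped to avoid false positives on common strings.
function findLeakedSecrets(bundleText, envText, publicKeys = []) {
  const isPublic = new Set(publicKeys);
  const leaked = [];
  for (const [key, value] of Object.entries(parseDotenv(envText))) {
    if (isPublic.has(key) || value.length < 8) continue;
    if (bundleText.includes(value)) leaked.push(key);
  }
  return leaked.sort();
}

// Constructed sample inputs standing in for a real .env and a real bundle.
// The build-only token (used to upload sourcemaps) must never show up in the bundle.
const SAMPLE_ENV = [
  "# constructed .env",
  "GOOGLE_CLIENT_ID=1234567890-example.apps.googleusercontent.com",
  'SENTRY_AUTH_TOKEN="sntrys_EXAMPLE_BUILD_TOKEN"',
  "PRIVATE_API_SECRET=sk_example_do_not_ship",
].join("\n");

const SAMPLE_BUNDLE =
  'var extra={googleClientId:"1234567890-example.apps.googleusercontent.com",' +
  'apiSecret:"sk_example_do_not_ship"};';

// Expected: ["PRIVATE_API_SECRET"] (the Google client ID is declared public).
console.log(findLeakedSecrets(SAMPLE_BUNDLE, SAMPLE_ENV, ["GOOGLE_CLIENT_ID"]));
```

Run it against the real files by replacing the two sample constants with the contents of your .env and the exported bundle; a non-empty result means a value you treated as secret is shipping to every user of the app.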
