Want advice for security with Secrets in EAS environment variable

We can set secrets in environment variables via EAS servers.

I am considering setting the decryption key there for encrypted API keys in the source code.
The API keys can be used securely even when a cracker tries to steal them, though they will soon be moved to Secret Manager on GCP or AWS for rotation.

This way, even Firebase API keys can be secured!

Is this a safe way?
I want your advice!

P.S.
Can't the Secrets be used for API keys like Mapbox, Firebase…??

EAS Secrets are intended for values that are required during the build but are not part of the apk/ipa. If a key is inside the apk/ipa there is nothing you can do to protect it; a determined enough person will always be able to extract it from there.

The API keys can be used securely even when a cracker tries to steal them, though they will soon be moved to Secret Manager on GCP or AWS for rotation.

I don't know what you mean by that. If you rotate your keys then existing apps will stop working, and if you provide a way for apps to download those keys then the attacker can do the same.
You can use a similar approach for things where the consequences of leaking those credentials are minimal: if that happens you can just generate new keys, submit a new version to the store, wait a few weeks for people to switch to the new version and revoke the old keys.

The only way to guarantee limited access to certain resources is to implement user authentication and control everything on your own backend service.


Thank you for the advice!
After considering it for a few days, I concluded that just limiting the scope for the client is quite effective for security even when the API key is leaked.
Sensitive operations should be done on the server side.
