flutter_dotenv

.env can be opened by everyone

Open DonWasyl opened this issue 4 years ago • 2 comments

Hi, I wanted to keep some API keys in '.env' files, but I noticed that I am able to open the app package via an Android file manager (Solid Explorer)... My question: is this intended?


DonWasyl, Mar 17 '21 20:03

Any information that you want to keep private like passwords or API keys that are not meant to be shared should not be bundled within your apk since it can definitely be recovered, so I believe this is intended.

ngxingyu, Apr 04 '21 08:04

Environment variables bundled in a front end framework/application should not contain overly sensitive information. Using .env and injecting at build time is one up on committing API keys, for example, to a git repository where they may be able to be spotted out and exploited by crawlers and prying eyes. However, having any sensitive info in the front end, often regardless of the framework, will not be very secure, as the info is visible in the browser/devtool/bundled-code etc.

A responsible use of .env in the front end would be things such as non-vulnerable API keys, API base URLs & ports which you can switch with different .envs at build time depending on the environment you want the build to be for. You should consider moving any vulnerable API keys etc. to a secure backend.

java-james, May 31 '21 11:05