I'm getting ready to push my first Flutter app to the Play Store. I'm worried about people reverse-engineering the APK and stealing my Firebase keys or Google Maps API secrets. Besides code obfuscation, what are the standard industry practices to keep a Flutter app secure from bad actors?
3 answers
First, remember that anything on the client-side can eventually be compromised, so the best security is "restriction." For Google Maps or Firebase, go to their respective consoles and restrict the keys to your specific Android SHA-1 fingerprint and iOS bundle ID. This way, even if someone gets the key, they can't use it elsewhere. For local data, never use SharedPreferences for sensitive info; use the flutter_secure_storage package which uses Keychain on iOS and Keystore on Android. Also, always run flutter build apk --obfuscate --split-debug-info to make the Dart code unreadable.
Do you think using a middleware backend to proxy all third-party API requests is worth the extra latency for a small startup app?
I always recommend using SSL Pinning with the http_certificate_pinning package to prevent Man-in-the-Middle attacks on your API traffic.
Definitely! SSL pinning adds that extra layer of trust between your app and the server that obfuscation alone just can't provide.
Franklin, for a small app, it might be overkill. However, if your API costs are high or the data is extremely sensitive, having a backend "BFF" (Backend For Frontend) is the only way to truly keep your keys 100% hidden from the client.