Your .env Secrets Are Publicly Available | Flutter & Dart

To Sasovsky
3 min read · Jun 11, 2023


TL;DR: If you use the flutter_dotenv or dotenv packages in a Flutter project, your .env file ships inside the app bundle as plain text, and anyone holding the APK or IPA can read it. Moving to secure_dotenv adds an encryption layer that raises the cost of pulling those values out (nothing shipped to a client can be fully protected; see the disclaimer at the end).

When handling sensitive data such as API keys, database credentials or other secrets, security has to come first. Unfortunately, many Flutter developers have, without realising it, shipped those secrets in plain text by using dotenv packages such as flutter_dotenv and dotenv. These packages do nothing to protect the .env file once the app leaves your machine, so the values in it are exposed to anyone who looks.

The Vulnerability in Existing dotenv Packages

The weakness in most dotenv packages, flutter_dotenv and dotenv included, is not in how they parse the file but in how the secrets travel: the .env file is stored as plain text and declared as a Flutter asset, so the build copies it verbatim into the release bundle. On Android it ends up at assets/flutter_assets/.env inside the APK; on iOS it sits at Frameworks/App.framework/flutter_assets/.env inside the .app directory of the IPA.

So how does anyone get at it?

Anyone holding the APK, AAB or IPA (all of which are ordinary zip archives) can unzip it and open the flutter_assets folder, where the .env file sits in plain text. No root, no jailbreak and no reverse engineering are required.

If your app is on the Google Play Store, getting the APK is as simple as searching for it on a mirror such as APK Pure.

Don’t believe me? Unzip your own release build and look: your secrets are NOT secure.

How to Secure Your Secrets with secure_dotenv

To start using secure_dotenv in your Flutter and Dart projects, follow these steps:

  1. Remove the .env file from the assets section of pubspec.yaml so it is no longer copied into the bundle.
  2. Rotate your secrets: treat every value that has ever shipped in a .env asset as compromised, revoke the old ones and make sure they are no longer valid.
  3. Install the package: add secure_dotenv as a dependency in your project’s pubspec.yaml, and build_runner and secure_dotenv_generator as dev dependencies. Run dart pub get (or flutter pub get in a Flutter project) to fetch the packages.
  4. Generate Dart classes: create a Dart file in your project and import the necessary dependencies. Define the environment class and annotate it with @DotEnvGen. This annotation configures the code generation process and lets you specify parameters such as the filename, the encryption type and the field renaming behaviour.
  5. Generate an encryption key: here’s a guide from IBM. The key must be 128, 192 or 256 bits long (the AES key lengths) and must come from a cryptographically secure random source, never from a password or a hand-typed string. Keep it out of the repository; it is the one thing that must not sit next to the .env.
  6. Run the code generation: use the build_runner tool to generate the required Dart classes, passing your encryption key like this (it is a --define option, so be aware that it lands in shell history and CI logs unless you take care of that):
    dart run build_runner build --define secure_dotenv_generator:secure_dotenv=ENCRYPTION_KEY=encryption_key
  7. Update your code to read secrets through the generated class instead of the old dotenv lookup. A guide on how to do this can be found here.
  8. Test your app: unzip the release bundle again and confirm that neither the .env file nor any plaintext secret value appears in any file inside it.

Following these steps, you can integrate secure_dotenv into your Flutter and Dart projects, adding a layer of protection to your secrets and making it harder for an attacker to get hold of them.
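The “unzip it and look” check from the section above and the final “test your app” step of the procedure, as an added example that is not part of the original post and not code from any of the packages it names. Because APK, AAB and IPA files are zip archives, the whole check is: open the archive, look for flutter_assets/.env, and search every decompressed entry for the secret values themselves. The bundles, file names and secret values below are constructed in memory for the example; the libapp.so stand-in illustrates that a secret left in a Dart string literal also ships readable inside the AOT snapshot, which is why step 8 searches every entry rather than just the assets folder.

```python
from __future__ import annotations

import io
import zipfile

# Flutter copies declared assets to flutter_assets/ inside the bundle:
#   Android APK: assets/flutter_assets/.env
#   Android AAB: base/assets/flutter_assets/.env
#   iOS IPA:     Payload/<App>.app/Frameworks/App.framework/flutter_assets/.env
# Matching on the suffix covers all three layouts.
ENV_SUFFIX = "flutter_assets/.env"


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, optional quotes, optional 'export', # comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value[:1] in ("'", '"'):
            # Quoted value: take everything up to the matching quote.
            end = value.find(value[0], 1)
            if end != -1:
                value = value[1:end]
        else:
            # Unquoted value: drop a trailing " # comment".
            value = value.split(" #", 1)[0].rstrip()
        env[key.strip()] = value
    return env


def find_bundled_env(bundle: bytes) -> dict[str, dict[str, str]]:
    """Return {entry name: parsed variables} for every .env asset in the bundle."""
    found: dict[str, dict[str, str]] = {}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            if name.endswith(ENV_SUFFIX):
                found[name] = parse_dotenv(zf.read(name).decode("utf-8", "replace"))
    return found


def find_plaintext_secrets(bundle: bytes, secrets: dict[str, str]) -> dict[str, list[str]]:
    """Return {label: [entries containing the value verbatim]}.

    Entries are decompressed before searching, so this catches what a plain
    grep over the compressed archive file would miss. Only UTF-8 matches.
    """
    needles = {label: value.encode("utf-8") for label, value in secrets.items()}
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for label, needle in needles.items():
                if needle in data:
                    hits.setdefault(label, []).append(info.filename)
    return hits


def build_sample_bundle(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip shaped like an app bundle (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample .env; these are not real credentials.
SAMPLE_ENV = """\
# backend settings
API_KEY=sk_test_CONSTRUCTED_0000
DB_PASSWORD="hunter2"   # quoted value
"""
SECRETS = parse_dotenv(SAMPLE_ENV)

# 1. What flutter_dotenv / dotenv produce: the .env is an asset, copied verbatim.
LEAKY_BUNDLE = build_sample_bundle({
    "AndroidManifest.xml": b"<manifest/>",
    "assets/flutter_assets/.env": SAMPLE_ENV.encode(),
    "lib/arm64-v8a/libapp.so": b"\x7fELF constructed snapshot, no secrets",
})
# 2. The .env asset was removed, but the old key was left in a Dart string
#    literal; AOT snapshots keep string literals readable, so it still ships.
SLOPPY_BUNDLE = build_sample_bundle({
    "AndroidManifest.xml": b"<manifest/>",
    "lib/arm64-v8a/libapp.so": b"\x7fELF constructed snapshot fallback=sk_test_CONSTRUCTED_0000",
})
# 3. No .env asset and no plaintext values anywhere: the state step 8 wants.
CLEAN_BUNDLE = build_sample_bundle({
    "AndroidManifest.xml": b"<manifest/>",
    "lib/arm64-v8a/libapp.so": b"\x7fELF constructed snapshot, no secrets",
})

if __name__ == "__main__":
    for label, bundle in (("leaky", LEAKY_BUNDLE), ("sloppy", SLOPPY_BUNDLE), ("clean", CLEAN_BUNDLE)):
        print(f"== {label}: env assets {find_bundled_env(bundle)}")
        print(f"   plaintext secrets {find_plaintext_secrets(bundle, SECRETS)}")
```

Against a real build, replace the constructed bundles with the bytes of build/app/outputs/flutter-apk/app-release.apk (or the IPA) and load SECRETS from the .env you keep outside the repository. An empty result from both functions is the minimum bar; it does not mean the secrets are safe, only that they are no longer lying around in the clear.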

Conclusion: Prioritize Security with secure_dotenv

In Flutter development, security should be a top priority, especially when handling sensitive data. The way most dotenv packages, flutter_dotenv and dotenv among them, bundle the .env file as a plain-text asset puts your secrets at risk of exposure and compromise.

To protect that data more effectively, moving to secure_dotenv is the recommended next step. It encrypts the contents of the .env file at build time and decrypts them only at runtime, so the values no longer sit in the bundle as readable text.

This issue has been raised before, in this Medium post and by others in the community.

Disclaimer: storing secrets in a client app is not recommended at all, because an attacker who has the binary has everything the app needs to run, including whatever it uses to decrypt. Our package adds layers that make extraction harder, but it does not make it impossible.
