Keeping Secret Keys Out of Version Control in Flutter

Maureen Josephine
Published in podiihq
4 min read · Sep 4, 2021

I find fun in teaching and showing people what I learnt through writing :). This article was motivated by feedback I got on one of my previous articles, Integrating Mpesa API with a Flutter App, concerning storing secret keys. Below is a snap of the comment:

There are many ways to store your API keys and secrets, for instance:

  1. Using Flutter libraries to securely store them,
  2. Storing your API key in Firebase Firestore and
  3. Using API keys in Cloud Functions among many other ways.

However, in this article, I am going to show you a simple way of keeping your secret keys out of version control by not pushing them to a git repository in a Flutter app.

What are Secret API Keys?

These uniquely identify a user, a developer, a project or a calling program to an API (Application Programming Interface). They are mostly used to authenticate a project with the API and to authorize various actions, and may be used in different ways, for instance to authorize a login or to initiate a payment, among many other ways depending on the platform.

It’s therefore not safe to push your secret keys to a version control host like GitHub, GitLab or even Bitbucket, since anyone who can read the repository could use them, and authorization and access to your application might be compromised.

Let’s Get Started

This article assumes you have a basic knowledge of Flutter. If you are new to Flutter, please check the Official Flutter Documentation. Also check my article on Getting Started With Flutter.

Now that you already know what a secret key is, next, you’ll be learning how to secure your secret keys step by step.

Step 1 — Create the Secrets file

In a Flutter application where you have some API keys that you wouldn’t like to expose by pushing them to a git repository, follow these steps to keep the API keys and secrets out of version control.

First, in the root of your project folder, within the lib directory, create a folder named auth (you can name it in your preferred way). Then, within the auth folder, create your secrets file. I named this file secrets.dart.

Here is the Folder structure:

-lib
  -auth
    -secrets.dart

Step 2 — Add the Secret Keys.

Inside your secrets.dart file, add your API Key variable as follows:

I have named my variable mySecretKey (you can name yours in your own preferred way). This variable, mySecretKey, holds the value of the API key. Your API key’s value will be different, since API keys can never be the same.

You’ve created a secrets.dart file and added your API Key variable. In the next step, you’ll be adding this file to .gitignore so that it will not be pushed to git.

Step 3 — Add the secrets.dart file to .gitignore

Next, add the path to your secrets.dart file to the .gitignore file so that when you push your code to version control, the file won’t be checked in to the git repository.

Step 4 — Use the Secret Keys within your App.

Finally, import the secrets.dart file into the file where you would like to use it.

Import the secrets.dart file

Interpolate your secrets key variable name

Then, within the same file (for instance main.dart) into which you imported the secrets.dart file, interpolate the variable name you used to refer to your API key in the secrets.dart file (in my case, I used mySecretKey as the variable name). This will reference the value of your API key.

Therefore, every time you push your code to GitHub, the secrets file won’t be checked in to the git repository. This is a simple hack for storing your secret API keys without pushing them to git version control.
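To confirm that Step 3 actually took effect, the following check can be run from the project root. It is an added example, not part of the original article; the function name check_secrets_file and its return codes are assumptions of this example, and the path is the one used in the steps above.

```shell
#!/bin/sh
# Added example: confirm the secrets file from Steps 1-3 really stays out of git.
# Usage (from the project root): check_secrets_file lib/auth/secrets.dart
# Return codes (chosen for this example): 0 ok, 1 not ignored, 2 still tracked,
# 3 present in commit history, 4 not inside a git work tree.
check_secrets_file() {
    path="$1"

    if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "FAIL: not inside a git work tree" >&2
        return 4
    fi

    # Step 3 only helps if an ignore rule matches the path. --no-index tests
    # the rules alone, so a file that is already tracked is still evaluated.
    if ! git check-ignore -q --no-index "$path"; then
        echo "FAIL: $path is not matched by any .gitignore rule" >&2
        return 1
    fi

    # .gitignore has no effect on a file that was added before the rule existed.
    if git ls-files --error-unmatch "$path" >/dev/null 2>&1; then
        echo "FAIL: $path is still tracked; run: git rm --cached $path" >&2
        return 2
    fi

    # A key committed earlier stays readable in history on every branch.
    if [ -n "$(git log --all --oneline -- "$path" 2>/dev/null)" ]; then
        echo "FAIL: $path appears in commit history; rotate the key" >&2
        return 3
    fi

    echo "OK: $path is ignored, untracked and absent from history"
    return 0
}
```

Passing this check only covers the repository: the value of mySecretKey is still compiled into the released app, which is what the discussions on reverse engineering linked below address.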

Also check out these discussions on Stack Overflow on storing secret keys, on how to protect a Flutter app from reverse engineering, and on best practices for securely storing API keys, to get more insights on the same.

Feel free to also add more insights on how to securely store API keys in the comment section below, as this topic always has varied opinions.

Should you have any questions, feel free to ping me on Twitter or in the comment section as well 🙂

Thank you 😍

Happy Fluttering 🙌.
