In telegram

Glad you enjoy it!

gpt ah response

Yes, mostly; but it won't be as safe as keeping them server side. In order to bring them into the app so it can store it in the keychain the app has to make network calls, then you are dependent on the security of your networking layer. TLS pinning, etc. And if your app doesn't do TLS pinning, then observing network traffic is as simple as configuring a HTTP proxy on their device. Assuming the proxy is trusted by the device, they will be able to inspect all HTTPS traffic. So having an extra layer of encryption may provide a small measure of extra protection. The difficulty server side is to differentiate between authorized traffic vs unauthorized. If you use only the bundle identifier or client version string, it will be fairly easy for an attacker to just use your cloud endpoint to make their request. Still, you will have some amount of control over how many requests are allowed, etc. Remember as well that if your API keys are stored in the keychain, that doesn't really protect you from a hacker running your app on a jailbroken phone (or LiveContainer), or after extracting your IPA and repackaging it (Feather IPA, etc), they would be able to extract your API key from the client app's runtime. There is really no 100% foolproof way to store API keys in clients. If you can be invoiced by number of API calls, you will definitely want to keep the API key server side as much as possible.

The Angular env is a pure naming convention - it’s actually like any other TS file and bundle with your app. The name is confusing, it is not related to a .env file used in Server environments!

@@galaxies_dev That IS confusing! I assumed (was hoping) that some magic was happening in terms of security with Angular but it didn't seem like anything was happening. Other than the advice to add the .env files to gitignore.

@@galaxies_dev So angular env files are not secure to store API keys right? They can still find it?

Don't have them at all in any client side code :)

yeah, how?

Check out this way: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/

Haven't used them but I think they could work!

Yes, the .env file in a frontend project (web or React Native app) is not a safe place, only in a real backend environment.

I think I used a Github script a while ago, but here's a tutorial how you can add a simple automation to make it work: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/

@@galaxies_dev Cool, thanks mate!

It's good - but won't help for stuff like API keys as you would still have to add them to your codebase and write them to secure storage. More useful for stuff like auth tokens!

I haven't done that, but only revealing a URL shouldn't be a problem in general!

@@galaxies_dev What about secret keys and what are your thoughts about this react native keychain libraries available everywhere?

they have: Android Play Integrity API, its just that Expo and react native do not offer you an easy way to call Play Integrity API from your app. I'm researching this my self, and its not easy to find much information how to setup react native app with "Android Play Integrity API" which will help you protect your backend being abused by impostors pretending to be your app

Thanks!

😎