How to hide things (API keys, etc) from Chrome Remote Debugging in Ionic app?

Question

I have an Ionic app running on Android. I can connect with Chrome Remote Debugger and see API keys, etc. in my config files. Is there any way to hide these?

EDIT:

I'm looking at Firebase in particular as my app would communicate it directly. Any best practices for this scenario?

Answer 1

For Firebase access, it is meant to use the API keys on the client side. That is the way to enable clients to access the Firebase (not just database only).

Having said that 'Security' is still the question and to address that Firebase provides (here database access) - database rules.

Best practice is to secure the real-time database at Firebase using database rules and enable clients to use the API key.

• Firebase Database Security Rules
• Very interesting video about Firebase Security at Google I/O

Answer 2

I just found out that contents of index.html are not displayed by the debugger. Ionic recommends putting things there. But at the end of the day HNeiva is right, you shouldn't put anything sensitive there. Only turn to putting it into index.html as a last resort.

Answer 3

You can't. Although you might be able to sneak it into some weird logic, you still shouldn't. The safest option is for you to have those stored in your server, and pass the information you need(not the key) back to the web client.

TL;DR don't send keys to the front end, unless if you specifically need to give it to the user.