How to securely store API keys in Flutter?

Question

I'm using the googleapi's Flutter package and to use the Google Drive API, I need to put in credentials. My question is, how can I securely store them in my app so when I publish my app, they can't be taken. I found a cool package, flutter_secure_storage but to use it, I need to put all of my values into the secure storage. So how can I do that? I was thinking of using something like this, but I'm not sure. It would be great if someone could put me in the right direction as to how to do this by the book so to speak.

To further explain, I don't want to have my sensitive information in a file such as main.dart as a variable to put into storage (if it isn't there already).

Answer 1

You can do this by using the flutter_dotenv package.
Create a .env file in the root of your project:

GOOGLE_API = API_KEY

Add the .env file to your assets bundle in pubspec.yaml

assets:
  - .env

Add the .env file as an entry in your .gitignore if it isn't already

.env*

Access variables from .env throughout the application

DotEnv().env['GOOGLE_API'];

Read more on how to install and use the package here: flutter_dotenv

Answer 2

I advise you to create a database to store your keys. You can set up a small backend connected to your base that you contact, So you can implement all the security you want. This is the safest way

Answer 3

It’s not possible to store secret credentials in the app. Think other way around and secure the API key with appropriate permissions from the google cloud platform.

Secure storage is intended for user content.