Reputation: 185
I do not want to show this key to anyone who opens the AESEncryption class. Where do I store this key in the project, especially on the Android platform?
import 'package:encrypt/encrypt.dart';

class AESEncryption {
  // AES accepts only 16-, 24- or 32-byte keys; this 14-byte placeholder must be replaced.
  static final _key = Key.fromUtf8('My private key');
  // One fixed IV shared by every message.
  static final _iv = IV.fromLength(16);

  static String getEncryptedMessage(String plainText) {
    final encrypter = Encrypter(AES(_key));
    final encrypted = encrypter.encrypt(plainText, iv: _iv);
    return encrypted.base64;
  }

  static String getDecryptedMessage(String cipherText) {
    final encrypter = Encrypter(AES(_key));
    final decrypted = encrypter.decrypt(Encrypted.from64(cipherText), iv: _iv);
    return decrypted;
  }
}
Upvotes: 3
Views: 1409
Reputation: 216
As .env files are stored in plain-text (not just environment variables in memory), they are at risk of being read by unauthorized users with no audit trail in terms of access and changes made.
From the author of flutter_dotenv 5.0.2, James Collins:
I would recommend against putting very sensitive data into your .env file for both mobile and web platforms, for any frontend framework, including Flutter. This isn't unique to web or Flutter web specifically. When used in mobile, the .env can still be viewed in the bundle. This is true in Flutter, React, React Native etc.
Even if you replace the env variables ahead of time into the code and obfuscate your code, those variables are still retrievable via file / bundle inspection. It's just a certain degree of more effort.
.env should be used to host non-sensitive data for the front end of your application. This includes, but is not limited to, the API endpoints for an environment, build-specific policies, feature flags for builds, 3rd-party endpoints the app may use, timeout durations, refresh durations: non-sensitive things that create a variation of your application for different environments.
Operations that involve truly sensitive keys should be proxied through an API call to a service that can securely host and use these values.
So... what you are doing here is extremely unsafe.
Upvotes: 2
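When the key only needs to protect data that stays on the device (unlike the shared secret the answer above discusses, which cannot be hidden inside a client app), it does not have to ship in the bundle at all. The following is an added example, not code from the question or either answer; it assumes the flutter_secure_storage package alongside encrypt, and the storage entry name is made up.

```dart
import 'dart:convert';
import 'dart:typed_data';

import 'package:encrypt/encrypt.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Added example: AES for data that only ever needs to be read on this device.
/// The key is generated on first use and kept in the platform keystore
/// (Android Keystore / iOS Keychain) via flutter_secure_storage, so it never
/// appears in the source tree, in .env, or in the app bundle.
class LocalAesEncryption {
  static const _storageEntry = 'local_aes_key_v1'; // assumed entry name
  static final _storage = FlutterSecureStorage();

  static Future<Key> _loadOrCreateKey() async {
    final stored = await _storage.read(key: _storageEntry);
    if (stored != null) return Key.fromBase64(stored);
    final key = Key.fromSecureRandom(32); // 32 bytes = AES-256
    await _storage.write(key: _storageEntry, value: key.base64);
    return key;
  }

  /// Returns base64(iv || ciphertext). Same mode as the question's code
  /// (the package default, CTR-style), but with a fresh random IV per message
  /// instead of one fixed IV. This gives confidentiality only; if tampering
  /// must be detected, add a MAC over iv || ciphertext or use an AEAD mode.
  static Future<String> encryptMessage(String plainText) async {
    final key = await _loadOrCreateKey();
    final iv = IV.fromSecureRandom(16);
    final encrypted = Encrypter(AES(key)).encrypt(plainText, iv: iv);
    // The IV is not secret; storing it with the ciphertext lets decrypt recover it.
    return base64Encode(Uint8List.fromList([...iv.bytes, ...encrypted.bytes]));
  }

  static Future<String> decryptMessage(String encoded) async {
    final key = await _loadOrCreateKey();
    final combined = base64Decode(encoded);
    if (combined.length < 16) throw const FormatException('ciphertext too short');
    final iv = IV(Uint8List.fromList(combined.sublist(0, 16)));
    final cipherBytes = Uint8List.fromList(combined.sublist(16));
    return Encrypter(AES(key)).decrypt(Encrypted(cipherBytes), iv: iv);
  }
}
```

Because the key is created on the device, data encrypted this way cannot be read on another device or by a backend; that is the trade-off that makes it safe to keep locally.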
Reputation: 872
There are many things you could do here, but what I've done - which is lightweight and works quite well - is create an env.dart file where I put various environment variables I want to keep private. I then have env.dart at the base level of my project and add an entry for it to .gitignore (or the equivalent if you're not using git). So then, in the file that defines AESEncryption, I'd import the env file like below:
/// env.dart
final aes_private_key = 'My private key';

/// Other file containing the AESEncryption class
import 'package:encrypt/encrypt.dart';
import 'env.dart' as env;

class AESEncryption {
  static final _key = Key.fromUtf8(env.aes_private_key);
  static final _iv = IV.fromLength(16);
  ...
}
Upvotes: 4