I'm building a Native app with React Native. I was once a web programmer and it's my first time using React Native and making native app especially which is going to be actual product and serve for normal users. During my struggle, I've encountered some issue that I, as a former web programmer, can't find a way out.
In my app, I call some APIs that any other app would/could be using, like Google Maps via react-native-maps library. My API keys are saved at files that are used when actually build the app, info.plist and AppDelegate.m ( building iOS app first by now ). I've thought that would be safe enough. But I recently find out it might not.
After reading some articles about getting rid of secret informations from native apps, I've tried hard to find a way out. Thought about using .env, getting api keys from backend server, etc. couldn't use .env, and can't find a way to call API, sending API keys ( not containing them as a build meta data ).
So here's my question. How can I keep my secrets safe for react native app?
I guess it depends on what kind of secret and API we are talking about.
With Google Maps is it possible to restrict usage to specific apps or domains which makes it safe to bundle the key in the app, read more here: https://developers.google.com/maps/api-key-best-practices#application_restriction
In situations where the app itself does not need the make the request itself, an alternative would be to let the server make the request and forward the result to the app.
In other situations where nothing from above works, you could send the secret from your server to an authorized user. Be aware that the user could then read the key but at least you don't need to bundle the key into the apps which also makes it possible replace the key if needed.
Related
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 1 year ago.
So I watched this video Youtube Tutorial
In this video, it is recommended NOT to include API keys in xcode plist files. So Firebase generates a plist file for us to include in our projects and in that plist file is the API key. Is there a way to do this without using the plist file so that it is more secure?
Your app's public API keys are not (and should not be regarded as) secret(s) as they are needed in order for your app to identify itself to the Firebase backend.
Even if you were to store them elsewhere, they could be extracted by other means by a malicious actor.
Because the API key is the same for every single instance of the app, it would only take one bad actor to discover and disclose it.
Firebase themselves likely have intelligent abuse detection so you should not need to worry too much about DoS attacks or any other possible attack that involves your API key.
However, some "abuses" of your app simply aren't possible to prevent if you have a public-facing app anyway.
It depends on what your app does and what you would consider to be "abusive" behaviour.
Trying to obfuscate your API keys will only create more friction for you as a developer and will not win you much in terms of security.
You should focus security efforts on other parts of your app.
Important: I'm talking about public API keys, not private keys such as Firebase service credentials.
These really are private and you shouldn't ever include them in your app (only store them on your server).
My GoogleService-Info.plist file for iOS was stolen, is it possible to disable access to my Firebase Firestore to all current iOS devices, and reset this file ?
I tried to delete my iOS app in Firebase, but I can still make request from my iPhone...
And I need to disable access only for iOS devices not Android.
As Doug Stevenson pointed out the contents of the GoogleService-Info.plist are public and accessible to every iOS user of your application. Therefore it is inaccurate to say they could be stolen as they're already publicly available.
As explained in the Firebase documentation the file fields contain identifiers used by your application and Firebase servers to route the requests being made to Firestore, Real Time Database and the rest of products the app might be using. Reading the documentation or the post shared by Doug you would see the information exposed is not a security threat.
Moreover, I would like to point out that everybody could try to access your Firestore collections and try to add/drop data. This is indeed expected as Firestore is publicly accessible by mobile and web clients. However, this doesn't mean Firestore is exposed to users to do whatever they please, instead, the actual access is totally under your control by the means of security rules, which enforce what actions a given user could do. In that sense, the developers who left will only have the access level that your security rules grant them, which shouldn't be a threat when having good rules in place.
Lastly, you may revoke the credentials completely removing the application. I'd say it's not a great idea as you would cause a service disruption to app users. Also, this won't improve security or diminish risks.
You can remove the app directly from the Firebase console
Before proceeding make sure to check and understand the consequences.
Click on Settings > General;
Scroll down to Your Apps;
Identify the app and click on Remove this app.
I'm currently developing on brackets for programming and Xcode for project management. My application runs but the notification for an invalid maps key comes up on launch. I have included my js API key for the application in my index.html file, and I checked the credentials to see if it was enabled and it is. I don't know if I also need the iOS one, and if I do I don't know where to put it for the application. Any help would be greatly appreciated, thanks. I am already 100% sure that the html is correctly written and that the API key is in the correct place.
If it's a hybrid mobile app, Google suggests using file:// referrers.
file:// referers need a special representation to be added to the key restriction. The file:// part should be replaced with __file_url__ before being
added to the key restriction. For example, file:///path/to/ should
be formatted as __file_url__//path/to/*.
For Apache Cordova on iOS I suggest:
iOS 9 and earlier - file: ///www/default
iOS 9.3 - file: ///var/containers
Note that there is a small risk involved in authorizing URLs under the "file" protocol. If anyone knew your API key, they could potentially use it from their application provided they used the same path. For this reason Google recommends that you regularly check your usage, to make sure it matches your expectations.
Hope this helps!
I've been searching for a way that if there's any way that an app can push / pull a message to / from another app, assuming that both apps have been installed. I have a feeling that probably that it is not possible, but would like to confirm with SO.
Basically, I'm going to develop two apps, app1 and app2. Let's assume that a user always downloads both of the apps (or, I've found previous discussions over SO that it is possible for an app to figure out if another target app is installed assume it makes Uri registration.) App1 would generate some information and have to pass to app2. One way to do it is that I can have an external server as a relay, and both apps can talk over network. However, is it possible to pass information locally from an app to another app, just like Service in Android? It would be appreciated if you can give me a keyword or a link. I read it further. Thank you.
Your solution is the App Groups Entitlement.
For files see: https://developer.apple.com/documentation/foundation/filemanager/1412643-containerurl
For NSUserDefaults see: https://developer.apple.com/documentation/foundation/userdefaults#1664611
Objective: i want to fetch my custom parameter(referrer) from iTunes link upon installation of my application in device.
iTunes links look somethings like this:
https://itunes.apple.com/in/app/complete-gym-guide-lite/id550449574?mt=8
If i append my parameter say(&referrer=xyz)at the end and i open this url in ios safari browser then it will prompt to download the application.
Confusion: will app store send my parameter(referrer) to my application on launch so that i can fetch it in my application and use it.
In case of Android play store link look like this: http://play.google.com/store/apps/details?id=&referrer=guid%3D%guid%
As you can see referrer parameter at the end of url. Once app is installed in device then play store will send this parameter to app using INSTALL_REFERRER broadcast receiver. We can use this parameter.
What i tried OR Other people doing for conversion tracking: Other people are simply sending static data to their server at the first time opening of app and maintain a flag in NSDefault to make sure that app does not send same data again. I can also do the same as well as alternate ways suggested in below links but i want to do something with custom parameter.
I have already seen below links:
iOS - track which ad campaigns my installs are coming from
Tracking iOS installs from multiple marketing sources
Please help me out.
As #Aditya said, for now, Apple is not sending any referrer (or params) from iTunes to installation.
The only way you have it's to use a third party sdk to get your installations.
I have been working on a own sdk to get this but the way to get any info it's really hard and not really confident to use it. So endly we used some third party which are using many techniques to getting this (as fingerprint data, App2App methods, etc...)
I have tested appsflyer sdk and facebook sdk, they work as expected, use this or any else you prefer.
Hope this helps