{"id":20109030,"url":"https://github.com/aliesmaeil/api-key-hiding-client","last_synced_at":"2026-01-04T16:57:37.817Z","repository":{"id":248672819,"uuid":"829386934","full_name":"AliEsmaeil/api-key-hiding-client","owner":"AliEsmaeil","description":"Demonstration of API key hiding locally in Mobile Applications.","archived":false,"fork":false,"pushed_at":"2024-07-21T13:14:18.000Z","size":14,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-27T22:28:53.892Z","etag":null,"topics":["api","apikey","apikeys","dart","encryption","security"],"latest_commit_sha":null,"homepage":"","language":"Dart","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AliEsmaeil.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-16T10:23:21.000Z","updated_at":"2024-09-02T20:02:03.000Z","dependencies_parsed_at":"2024-07-16T12:25:06.236Z","dependency_job_id":"f0141f17-b33d-4030-b65a-f5e7b12ef499","html_url":"https://github.com/AliEsmaeil/api-key-hiding-client","commit_stats":null,"previous_names":["aliesmaeil/api-key-hiding-client"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliEsmaeil%2Fapi-key-hiding-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliEsmaeil%2Fapi-key-hiding-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliEsmaeil%2Fapi-key-hiding-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliEsmaeil%2Fapi-key-hiding-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AliEsmaeil","download_url":"https://codeload.github.com/AliEsmaeil/api-key-hiding-client/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244999230,"owners_count":20544866,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","apikey","apikeys","dart","encryption","security"],"created_at":"2024-11-13T18:06:54.815Z","updated_at":"2026-01-04T16:57:37.788Z","avatar_url":"https://github.com/AliEsmaeil.png","language":"Dart","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n## API Key Hiding on Mobile Apps\n\nMany beginner programmers usually hardcode the `API key` in a file within the project file structure, This is dangerous and you shouldn't do this because this file can ultimately be decompiled, and its content can be viewed as plain text.\n\n**So, how to deal with that?**\n\nSome may think it's a good pratice to store that key in a `SaaS` pltform like `Firebase` or even store it in the server which called later to stream the data with after getting that key from, but how will the server identify your app.\n\ncalling a server with a **key** to get a **secured key**, what about the first key in that sentence?\n\nAfter these questions, you will reach to a *dead end* (chicke-and-egg problem)\n\n**Then what!**\n\nHere Environment extension comes, `.env` files are usually used to store sensitive data and enviroment variables belong to the application.\n\nSo, create `.env` file at the project level, directly next to `pubspec.yaml` file\nThis file should contain the sensitive data needs to be secured or even enviromental variables, `API Key` will be written or hardcoded in that file.\n\nThen, we need a Flutter package that can deal and operates with `.env` files and do (CRUD) operations like `envied`\n\nYou can see how this package is used in the config dart file, this file just reads apiKey value from the generated file(which will be generated through evied_generator and build_runner).\n\nAfter running:\n\n```\ndart run build_runner watch --delete-conflicting-outputs\n```\n\nThe *config.g.dart* file is generated which reads the `API Key` value from `.env` file and generates two related integer lists to decode that apiKey and passes it back to caller.\n\nAfter all, `.env` file hardcodes the `API Key`, while the generated file generates two integer lists in which from them it can rebuilds that APIKey.\n\nHere’s the million-dollar question: Which file can you use to regenerate that key?\n\n- `.env` file, key is stored as plain text\n- generated file `config.g.dart` you can use the equation of decryption and both lists to regenerate that key.\n\nSo, don't publish them publically in Version controll systems (VCS) **add both files in gitignore file**, but i didn't here, because it's just an example or a demo (it's not really an api key).\n\n\u003ewhile publishing that repo here, i have received an email from GitGuardian notifying me that *i have published a sensitive data (.env file)* thanks to them, So in real projects we don't.  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliesmaeil%2Fapi-key-hiding-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faliesmaeil%2Fapi-key-hiding-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliesmaeil%2Fapi-key-hiding-client/lists"}