I read on react native docs that .env are not secure, they are being stored unencrypted in memory so they can be easily read with debuggers. My 3 favorite setups are: 1) Store in the code with API encrypted and use backend for decrypt with for example AWS KMS. 2) Use secret manager behind a proxy like an AWS http gateway to get the API and implement functions in the front end. Or 3) Use proxy like an http gateway with user authorization that will trigger functions in the backend like AWS Lambda or Firebase functions, so if you see the code you will just see a fetch to an URL you can't access.
Hello simon , Hope you are well . I want to know that , Can i create the Uploading progessbar (which one give me the uploading progress % )by using this plugin ? Capacitor local notification.
Frida is a tool used in mobile app security testing. It allows developers and security researchers to inject their own scripts into running apps on a phone. This helps them understand how the app works internally, find vulnerabilities, and test security measures. For example, Frida can be used to see how an app processes data, modify the app's behavior, or bypass security features like root detection. Blocking Frida can make it harder for attackers to analyze or modify your app, but it isn't foolproof. Experienced attackers can often find ways to bypass these blocks. They might: 1. Use modified versions of Frida that are harder to detect. 2. Employ other tools or techniques to achieve similar goals. 3. Obfuscate their use of Frida to avoid detection. While blocking Frida can improve your app's security, it's important to use it alongside other security measures, such as code obfuscation, encryption, and regular security testing, to provide more comprehensive protection. It’s futile no matter what. Even if you implement Frida or root detection on your app (it is possible to bypass). It’s attackable for those who are experienced attackers.
Pretty awesome and informative. I have learned about secret managers, didn't implement any yet. but I think they will be kind of replacement for .env file. What do you think?
Excellent reminder to be aware! Question - how does the environment files (like in Angular) protect the API keys? I assume a hacker can still get the API key by monitoring the network HTTP call to the API (like you can do in Chrome). Is the env file only used to prevent committing the API keys to github? Thanks!
The Angular env is a pure naming convention - it’s actually like any other TS file and bundle with your app. The name is confusing, it is not related to a .env file used in Server environments!
@@galaxies_dev That IS confusing! I assumed (was hoping) that some magic was happening in terms of security with Angular but it didn't seem like anything was happening. Other than the advice to add the .env files to gitignore.
It's good - but won't help for stuff like API keys as you would still have to add them to your codebase and write them to secure storage. More useful for stuff like auth tokens!
I think I used a Github script a while ago, but here's a tutorial how you can add a simple automation to make it work: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/
Soo is .env safe? like if i build app with .env it will obv still have to take those secret keys and inject them into the bundle which by what you are saying they are "easily" accesable still by just unpacking? :D
Thank you for the good video. Currently, I only use the server API address(domain).The .env file is in use. Thinking of using the server profile (dev or prod) getting the API address from the mysql and dynamically assigning it to react-native-config. What do you think?
they have: Android Play Integrity API, its just that Expo and react native do not offer you an easy way to call Play Integrity API from your app. I'm researching this my self, and its not easy to find much information how to setup react native app with "Android Play Integrity API" which will help you protect your backend being abused by impostors pretending to be your app
Learn React Native FAST by becoming a member of Galaxies.dev today [FREE] galaxies.dev/reactnative
I read on react native docs that .env are not secure, they are being stored unencrypted in memory so they can be easily read with debuggers.
My 3 favorite setups are: 1) Store in the code with API encrypted and use backend for decrypt with for example AWS KMS. 2) Use secret manager behind a proxy like an AWS http gateway to get the API and implement functions in the front end. Or 3) Use proxy like an http gateway with user authorization that will trigger functions in the backend like AWS Lambda or Firebase functions, so if you see the code you will just see a fetch to an URL you can't access.
In telegram
This can have an awesome follow up video about implementing that proxy in nodejs with a ionic project! Please do that!!
Great vid, man, thx so much for the content
Glad you enjoy it!
Hello simon , Hope you are well . I want to know that , Can i create the Uploading progessbar (which one give me the uploading progress % )by using this plugin ? Capacitor local notification.
Frida is a tool used in mobile app security testing. It allows developers and security researchers to inject their own scripts into running apps on a phone. This helps them understand how the app works internally, find vulnerabilities, and test security measures. For example, Frida can be used to see how an app processes data, modify the app's behavior, or bypass security features like root detection.
Blocking Frida can make it harder for attackers to analyze or modify your app, but it isn't foolproof. Experienced attackers can often find ways to bypass these blocks. They might:
1. Use modified versions of Frida that are harder to detect.
2. Employ other tools or techniques to achieve similar goals.
3. Obfuscate their use of Frida to avoid detection.
While blocking Frida can improve your app's security, it's important to use it alongside other security measures, such as code obfuscation, encryption, and regular security testing, to provide more comprehensive protection.
It’s futile no matter what. Even if you implement Frida or root detection on your app (it is possible to bypass). It’s attackable for those who are experienced attackers.
gpt ah response
Could you do a video for point 1-4 very interesting
Couldn't you store the api key or any encryption keys the app might be issued in Keychain?
Pretty awesome and informative. I have learned about secret managers, didn't implement any yet. but I think they will be kind of replacement for .env file. What do you think?
Haven't used them but I think they could work!
Pretty interesting... What would be the best way to store api keys and be hidden in the bundle?
Don't have them at all in any client side code :)
goated vid wallahi
Excellent reminder to be aware! Question - how does the environment files (like in Angular) protect the API keys? I assume a hacker can still get the API key by monitoring the network HTTP call to the API (like you can do in Chrome). Is the env file only used to prevent committing the API keys to github? Thanks!
The Angular env is a pure naming convention - it’s actually like any other TS file and bundle with your app. The name is confusing, it is not related to a .env file used in Server environments!
@@galaxies_dev That IS confusing! I assumed (was hoping) that some magic was happening in terms of security with Angular but it didn't seem like anything was happening. Other than the advice to add the .env files to gitignore.
@@galaxies_dev So angular env files are not secure to store API keys right? They can still find it?
Was this not the same reason flash & AIR was crucified?
I think my default AWS amplify is secure in this way
What you think of expo secure store for RN app?
It's good - but won't help for stuff like API keys as you would still have to add them to your codebase and write them to secure storage. More useful for stuff like auth tokens!
That Visual Studio code icon tho! How?
I think I used a Github script a while ago, but here's a tutorial how you can add a simple automation to make it work: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/
@@galaxies_dev Cool, thanks mate!
How did you get vscode button in Finder?
yeah, how?
Check out this way: flaviocopes.com/how-to-add-an-open-in-vs-code-icon-in-macos-finder/
Soo is .env safe? like if i build app with .env it will obv still have to take those secret keys and inject them into the bundle which by what you are saying they are "easily" accesable still by just unpacking? :D
Yes, the .env file in a frontend project (web or React Native app) is not a safe place, only in a real backend environment.
Thank you for the good video.
Currently, I only use the server API address(domain).The .env file is in use.
Thinking of using the server profile (dev or prod)
getting the API address from the mysql and dynamically assigning it to react-native-config.
What do you think?
I haven't done that, but only revealing a URL shouldn't be a problem in general!
@@galaxies_dev What about secret keys and what are your thoughts about this react native keychain libraries available everywhere?
This is what imposter syndrome i have thanks react native is making me happy and sad at same time
[nervous laugh] ha..ha...ha.... of course it is....
😎
Progurd left the chat
Like, can't google fix this mess themself?
they have: Android Play Integrity API, its just that Expo and react native do not offer you an easy way to call Play Integrity API from your app. I'm researching this my self, and its not easy to find much information how to setup react native app with "Android Play Integrity API" which will help you protect your backend being abused by impostors pretending to be your app
Hi Simon, is there an email I contact you at