Im new to Flutter and iOS, and Im currently building a Flutter IOS with Firebase Cloud Messaging integrated into the application. I have a GoogleService-Info.plist for two flavors (UAT and Production) in my Xcode Runner project. However, during a recent penetration testing, one of the findings is the penetration tester could see the API Key in the GoogleService-Info.plist from built the IPA file. Is there any way I can hide the GoogleService-Info.plist so no one can see the GoogleService-Info.plist contents after I built the IPA file? Attached is screenshot of the file structure of the Xcode runner:
-
Store the configuration values in secure storage: You can store API keys or Firebase configuration values securely on a remote server or in a secure vault. Fetch the configuration at runtime when the app launches. Use Flutter’s secure storage or iOS Keychain to store values temporarily after fetching them.Jabeed Ahmed– Jabeed Ahmed2025年01月21日 07:31:58 +00:00Commented Jan 21, 2025 at 7:31
1 Answer 1
Typically there is no way to do it
But I think Google still uses this approach because actually, this file doesn't need to be secured, see the image attached below
So if someone can get it, no security leak -> no need to worry about this file
More details https://firebase.google.com/docs/projects/api-keys
If you would like to have more secure on firebase data access, refer to https://firebase.google.com/docs/projects/api-keys#apply-restrictions
1 Comment
Explore related questions
See similar questions with these tags.