TTC
Theo's Typesafe Cult4mo ago
Y7YA

React Native Security Question (.env)

Building an app using Expo + Supabase. During the set up I created some envs. Everything works, but what happens to the environment variables? Can an attacker access them from the mobile app? In web dev it's simple, secret variables stay on the server. I don't understand what mobile does to address this issue, to me it just looks like the .env is bundled in the app, and the app is on the user's device therefore susceptible to attack? Any help appreciated.
5 Replies
Neto
Neto4mo ago
on react native or any client side app, never use a critial secret on .env because they are added to the bundle
Y7YA
Y7YA4mo ago
how do I communicate with the database then? A standalone server?
Neto
Neto4mo ago
in a secure way, you should some services offer some kind of public key to be used in the client side without that many issues
Neto
Neto4mo ago
https://www.restack.io/docs/supabase-knowledge-supabase-url-anon-key-guide
Supabase URL and Anon Key Guide
Learn how to configure and use Supabase URL and Anon Key for secure database access.
Y7YA
Y7YA4mo ago
seems like RLS is the suggested security measure, guessing can't use an ORM with RLS
Want results from more Discord servers?
Add your server