React Native Security Question (.env)
Building an app using Expo + Supabase.
During the setup I created some envs.
Everything works, but what happens to the environment variables? Can an attacker access them from the mobile app?
In web dev it's simple, secret variables stay on the server. I don't understand what mobile does to address this issue, to me it just looks like the .env is bundled in the app, and the app is on the user's device therefore susceptible to attack?
Any help appreciated.
5 Replies
on react native or any client side app, never use a critical secret on .env
because they are added to the bundle
how do I communicate with the database then? A standalone server?
in a secure way, you should
some services offer some kind of public key to be used in the client side without that many issues
Supabase URL and Anon Key Guide
Learn how to configure and use Supabase URL and Anon Key for secure database access.
seems like RLS is the suggested security measure, guessing can't use an ORM with RLS
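An added example, not part of the thread or of any poster's code: a Node.js pre-build check that audits the values in a .env file before they end up in the app bundle, flagging a Supabase `service_role` key (which bypasses RLS) while accepting the public anon key. It assumes Supabase API keys are JWTs carrying a `role` claim; the variable names, function names and sample tokens are constructed for illustration.

```javascript
// Added example (not from the thread): audit .env values before they ship in a client bundle.
// Assumption: Supabase API keys are JWTs with a `role` claim ("anon" or "service_role").

// Parse KEY=VALUE lines; comment and blank lines do not match and are skipped.
function parseEnv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (m) vars[m[1]] = m[2].replace(/^(['"])(.*)\1$/, "$2");
  }
  return vars;
}

// Return the decoded JWT payload, or null when the value is not a JWT.
function jwtPayload(value) {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")); }
  catch { return null; }
}

// Classify each variable as "ok" or give the reason it must not be bundled.
function auditEnv(text) {
  const findings = {};
  for (const [name, value] of Object.entries(parseEnv(text))) {
    const role = (jwtPayload(value) || {}).role;
    if (role === "service_role") {
      findings[name] = "service_role key: bypasses RLS, keep on a server";
    } else if (role !== "anon" && /SECRET|PASSWORD|PRIVATE/i.test(name)) {
      findings[name] = "secret-looking name: readable by anyone with the app";
    } else {
      findings[name] = "ok";
    }
  }
  return findings;
}

// Constructed sample tokens (unsigned placeholders, not real keys).
const fakeJwt = (role) =>
  ["{}", JSON.stringify({ role }), "sig"]
    .map((s) => Buffer.from(s).toString("base64url")).join(".");
const sampleEnv = [
  "SUPABASE_URL=https://example.supabase.co",
  `SUPABASE_ANON_KEY=${fakeJwt("anon")}`,
  `SUPABASE_ADMIN_KEY=${fakeJwt("service_role")}`,
  "DB_PASSWORD=constructed-value",
].join("\n");
console.log(auditEnv(sampleEnv));
```

The `service_role` key is caught by its decoded claim even though its variable name looks harmless; an "ok" on the anon key only holds when RLS policies are enabled on every exposed table.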