firebasereact-nativeexpodev-to-production

Firebase and Expo. Deploy Expo App. Hiding Keys


I see this question has already been asked but not all that recently so I am bringing it up again.

How do you hide your firebaseConfig file, or any secret key, in an expo application? (For production, not dev).

As far as I can tell, there is no way to properly hide the firebase config file with API keys etc in a react-native expo app.

Being that I have already built my entire app around interacting with firestore, I am a bit perplexed as to how to proceed forward.

If I eject, is there a way to properly hide my API key in a non-expo react-native-app? Or will I still face the same problem? Everything is working smoothly and I would prefer not to eject.

I have some experience using node.js/express.js as a backend (only ever in a development setting). Should I build myself a server and then serve the config info from there?

If I want to deploy a 'demo' app, is there a way to hide the keys while still using expo?

Any insight into this would be so helpful.

As far as I am aware there is no 'dotenv' package compatible with expo.

Also I have zero experience in deploying mobile apps, and very little in deploying web apps. I have not yet had to deal with securing keys in deployment.

Any help would be so appreciated.


Solution

  • It's not possible to effectively hide your Firebase config information. The best you can do is make it more difficult for someone to find them. Since all the JavaScript code is running on a computer or device that you don't control, you can't ensure that any of it is hidden from view.

    In fact, you don't need to hide any of that. I suggest reading this: Is it safe to expose Firebase apiKey to the public?

    If you're using Realtime Database, Firestore, or Cloud Storage, you should be using security rules to protect data so that only authorized users can access it.