I would like to know what the full pros and cons are for storing my SENSITIVE API KEYS AT Firebase Remote Config.
I am aware of flutter secure storage which encrypts and decrypts sensitive data at Runtime, but most sources suggest it is always safer to store api keys on the server rather than on the client. What risks are involved if I store my API keys at FIREBASE REMOTE CONFIG and what do I stand to gain and lose.Thanks
The recommendation is not so much to just store the data on the server, but also to only ever use it on the server. Any time you use sensitive data inside your application, such as when you send it to the device through Remote Config, a malicious user may gain access to it.
The risk of leaking an API key depends on what that specific API key allows a malicious user to access. For example, if a user gains access to the so-called server key that is used by Firebase Cloud Messaging, they can use it to send messages to any of your users. But if they gain access to the administrative credentials of your Google Cloud project, they can do with that entire project whatever they want.
Note that Firebase's client-side configuration data is not a secret, as explained here: Is it safe to expose Firebase apiKey to the public?
Also see: