Confused about Bitrise secrets and the app bundle

Proper handling of sensitive data has always been an area of development I haven’t been able to get straight since I started developing. But I think if somebody could explain what I am not getting about the following two statements, it would clarify the matter for me, and probably a few others…

On one hand, the Bitrise documentation on secrets states:

Secrets are a specific type of Environment Variable: they hide their information in an encrypted format and their value is not exposed in the build logs. They aren’t shown in the bitrise.yml configuration either. You can store confidential information, such as passwords or API keys as Secrets.

On the other hand, the official React Native documentation section on Storing Sensitive Info states:

Never store sensitive API keys in your app code. Anything included in your code could be accessed in plain text by anyone inspecting the app bundle. Tools like react-native-dotenv and react-native-config are great for adding environment-specific variables like API endpoints, but they should not be confused with server-side environment variables, which can often contain secrets and API keys.

If you must have an API key or a secret to access some resource from your app, the most secure way to handle this would be to build an orchestration layer between your app and the resource. This could be a serverless function (e.g. using AWS Lambda or Google Cloud Functions) which can forward the request with the required API key or secret. Secrets in server side code cannot be accessed by the API consumers the same way secrets in your app code can.

It seems like Bitrise docs say one thing, and RN says another. I would love not to have to build a backend architecture for my mostly frontend side projects, but I think probably I am misunderstanding something.
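As an added example (not code from the original post, nor from Bitrise or React Native), the following JavaScript shows the distinction the two quoted passages draw: a secret that Bitrise keeps out of the build logs still ends up as a literal in the JS bundle once a react-native-config style inliner substitutes it at build time, while an orchestration layer keeps the key on the server. The inliner here is a minimal stand-in for the real tooling, and the URLs and key value are constructed placeholders.

```javascript
// Secret injected into the build environment (e.g. by a Bitrise Secret).
// Constructed placeholder value.
const BUILD_ENV = { API_KEY: 'sk_constructed_1234567890' };

// Minimal stand-in for build-time inlining: every Config.NAME reference is
// replaced by the literal value. This literal is what lands in the shipped
// bundle, regardless of how the CI system protected the value during the build.
function inlineConfig(source, env) {
  return source.replace(/Config\.([A-Z_][A-Z0-9_]*)/g, (match, name) =>
    name in env ? JSON.stringify(env[name]) : match);
}

// App source that uses the key on the client, the pattern the RN docs warn against.
const CLIENT_SIDE_SOURCE =
  "fetch('https://api.example.test/data', " +
  "{ headers: { Authorization: 'Bearer ' + Config.API_KEY } })";

// App source that calls an orchestration layer instead; no secret is referenced,
// so there is nothing for the inliner to embed.
const PROXIED_SOURCE =
  "fetch('https://proxy.example.test/data', " +
  "{ headers: { 'X-Session': sessionToken } })";

// Defender's check: do any known secret values appear verbatim in the built
// bundle? Run it over the real bundle (e.g. main.jsbundle) in CI before release.
function leakedSecrets(bundle, env) {
  return Object.keys(env).filter((name) => bundle.includes(env[name]));
}

// Server side of the orchestration layer (serverless function or similar):
// the key is read from the server's environment and attached here, so the
// client bundle never contains it.
function forwardWithKey(clientRequest, serverEnv) {
  return {
    url: 'https://api.example.test' + clientRequest.path,
    headers: { Authorization: 'Bearer ' + serverEnv.API_KEY },
  };
}

// Stand-alone demonstration.
console.log('client-side bundle leaks:', leakedSecrets(inlineConfig(CLIENT_SIDE_SOURCE, BUILD_ENV), BUILD_ENV));
console.log('proxied bundle leaks:    ', leakedSecrets(inlineConfig(PROXIED_SOURCE, BUILD_ENV), BUILD_ENV));
```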
