How unsafe is it to save your Stripe secret key inside your app? Or return it via Firebase Remote Config? I know you can decompile and reverse the APK or get access to the RAM and get the key from there, but how hard is it? Is it worth doing stuff "the easy way", at least for the beginning when your app isn't used that much?


Solution 1: Akif

You can save your keys inside your app. However, you have to consider obfuscating your app while building it.

Obfuscating your app

To obfuscate your app, build a release version using the --obfuscate flag, combined with the --split-debug-info flag. The --split-debug-info flag specifies the directory where Flutter can output debug files. This command generates a symbol map. The apk, appbundle, ios, and ios-framework targets are currently supported.

You can read more.


Solution 2: Exadra37

Mobile App Binary Static Analysis

How unsafe is it to save your Stripe secret key inside your app?

Extremely unsafe, because a lot of open source tools exist to help you achieve this task in minutes, like MobSF - Mobile Security Framework:

Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.

You can see how I have used the MobSF tool to do it in my article How to Extract an API key from a Mobile App with Static Binary Analysis:

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead, we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open-source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

The article even shows you how you can use the strings command in Linux to find possible candidates for secrets in your mobile app binary.

How hard can it be?

I know you can decompile and reverse the APK or get access to the RAM and get the key from there, but how hard is it?

If you read the above linked article you already know by now how easy it is to extract a secret from a mobile app binary.

From RAM it is not so easy, but it is also not much harder, because once more a lot of open source tools exist to help you with this task, and the most popular one seems to be Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

Firebase

Or return it via Firebase Remote Config?

Well, this one is also not too hard to overcome, because the attacker just needs to use Frida to hook at runtime the function that returns or uses the secret and then extract it.

Security is not an option

Is it worth doing stuff "In the easy way" at least for the beginning when your app isn't used that much?

No, it isn't, absolutely not. In this case, your secret represents money; it's a secret to access a payment gateway. Can you imagine the financial impact of an attacker using your Stripe account on your behalf?

But even in other scenarios, a secret stored in the mobile app can have a huge impact in financial losses for your business, because normally such secrets are used to access third party paid services. Thus, if an attacker gets their hands on it, they can use the service while you pay the bill, and normally you will only discover it when your provider sends you the bill or a high usage alert.

So do you really want to take the risk?

Third-Party APIs access

How unsafe is it to save your Stripe secret key inside your app? Or return it via Firebase Remote Config?

Never access third party APIs from within your mobile app, unless it's technically impossible to do it from your own backend or a reverse proxy you have total control of.

You can learn more in my article Using a Reverse Proxy to Protect Third-Party APIs:

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

Do You Want To Go The Extra Mile?

In any response to a security question, I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
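A pre-release check in the spirit of the `strings` approach Exadra37 describes, added here as an example that is not part of either answer: it pulls printable runs out of a build artifact the way `strings -n 8` would, then flags values shaped like Stripe secret keys or long high-entropy tokens, so you can catch a key you accidentally shipped in your own APK/AAB before anyone else runs the same tools. The `sk_`/`rk_` key prefixes are Stripe's documented formats; the in-memory archive, the placeholder key value, the class names and the 4.0 bits/char entropy threshold are all constructed for this demo.

```python
"""Pre-release check: find secret-shaped strings in a mobile app build artifact.

Added example, not code from the answers or from MobSF. It runs offline on a
constructed in-memory zip; pass a real .apk/.aab/.ipa path to scan your own build.
"""
import io
import math
import re
import sys
import zipfile
from typing import List, Set, Tuple

# Stripe secret keys start with sk_live_/sk_test_, restricted keys with rk_live_/rk_test_.
STRIPE_KEY_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{10,}\b")
# Printable ASCII runs of 8+ bytes: the same idea as `strings -n 8`.
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")
# Long opaque tokens (no dots/slashes, so Java class paths split into short pieces).
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+=]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; threshold chosen for this demo


def shannon_entropy(token: str) -> float:
    """Shannon entropy in bits per character of a string."""
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secret_candidates(data: bytes) -> List[Tuple[str, str]]:
    """Return (reason, value) pairs for strings in `data` that look like embedded secrets."""
    found: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for run in PRINTABLE_RUN_RE.findall(data):
        text = run.decode("ascii")
        # Rule 1: known key formats are flagged regardless of entropy.
        for key in STRIPE_KEY_RE.findall(text):
            if key not in seen:
                seen.add(key)
                found.append(("stripe-key-prefix", key))
        # Rule 2: long tokens with high entropy are probable credentials of any kind.
        for token in TOKEN_RE.findall(text):
            if token not in seen and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                seen.add(token)
                found.append(("high-entropy", token))
    return found


def scan_zip_bytes(archive: bytes) -> List[Tuple[str, str, str]]:
    """Scan every entry of a zip-based artifact (APK/AAB/IPA); return (entry, reason, value)."""
    results: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            # zf.read() decompresses, so strings hidden by DEFLATE become visible.
            for reason, value in find_secret_candidates(zf.read(name)):
                results.append((name, reason, value))
    return results


# Constructed stand-in for a classes.dex: a fake header, a class name, a placeholder
# Stripe test key, and a random-looking API token. None of these values are real.
CONSTRUCTED_CLASSES_DEX = (
    b"dex\n035\x00" + b"\x00" * 16
    + b"Lcom/example/payments/CheckoutActivity;\x00"
    + b"stripe_secret\x00\"sk_test_EXAMPLEPLACEHOLDER0000\"\x00"
    + b"api_token\x00Zq8vL2nXp9Kw4Tt1Rb6Yh3Mc7Dj0\x00"
    + b"Lorem ipsum dolor sit amet\x00"
)


def build_constructed_apk() -> bytes:
    """Build an in-memory zip that stands in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", CONSTRUCTED_CLASSES_DEX)
        zf.writestr("res/values/strings.xml",
                    b'<resources><string name="app_name">Demo</string></resources>')
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            archive = fh.read()
    else:
        archive = build_constructed_apk()
    for entry, reason, value in scan_zip_bytes(archive):
        print(f"{entry}: {reason}: {value}")
```

Run it with no arguments to see the constructed sample flagged, or with the path to your own release build. Anything it reports is what a `strings`-plus-grep pass would also surface; the fix is to move the value out of the app, not to encode it differently.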
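The backend/reverse-proxy pattern from the "Third-Party APIs access" section, as an added example that is not code from the answer, the linked article, or Stripe: the mobile app authenticates to your own server with a session token you issued, and only the server, which reads the third-party secret from its own environment, ever talks to the payment API. The upstream hostname, the header names, the allowlisted path, the token format, the audit log and the `THIRD_PARTY_SECRET` variable are all assumptions for the demo; the upstream HTTP call is injected as a callable so the example runs offline.

```python
"""Server-side proxy for a third-party payment API, so the secret never ships in the app.

Added example. Assumptions: the secret is in the THIRD_PARTY_SECRET environment
variable on the server, the app holds a per-user session token issued by this
backend, and `upstream` is whatever HTTP client you use (stubbed here).
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Only these upstream operations may be reached through the proxy (assumption for the demo).
ALLOWED_UPSTREAM_PATHS = {"/v1/payment_intents"}
# Placeholder upstream host; not the real payment provider's endpoint.
UPSTREAM_BASE = "https://api.example-payments.invalid"

UpstreamCall = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def make_session_token(user_id: str, signing_key: bytes) -> str:
    """Token the app presents to *our* backend; it carries no third-party credential."""
    sig = hmac.new(signing_key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def verify_session_token(token: str, signing_key: bytes) -> Optional[str]:
    """Return the user id if the token's HMAC is valid, else None."""
    user_id, _, sig = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(signing_key, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, sig) else None


class PaymentProxy:
    def __init__(self, signing_key: bytes, upstream: UpstreamCall,
                 secret: Optional[str] = None) -> None:
        self.signing_key = signing_key
        self.upstream = upstream
        # The third-party secret is read on the server only; it never reaches a client.
        self.secret = secret if secret is not None else os.environ.get("THIRD_PARTY_SECRET", "")
        # Who called what: this is the record you alert on if usage spikes.
        self.audit: List[Tuple[str, str]] = []

    def handle(self, path: str, client_headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        user_id = verify_session_token(client_headers.get("X-Session-Token", ""), self.signing_key)
        if user_id is None:
            return 401, b"invalid session"
        if path not in ALLOWED_UPSTREAM_PATHS:
            return 403, b"operation not allowed"
        self.audit.append((user_id, path))
        # Client-supplied headers are dropped wholesale: no Authorization chosen by the
        # app ever goes upstream. The server injects its own credential instead.
        upstream_headers = {
            "Authorization": f"Bearer {self.secret}",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        return self.upstream(UPSTREAM_BASE + path, upstream_headers, body)


def demo_upstream(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Stand-in for the real HTTP call; returns a constructed response."""
    return 200, b'{"id": "pi_constructed_demo"}'


if __name__ == "__main__":
    signing_key = b"demo-signing-key"  # constructed; load from secure config in practice
    proxy = PaymentProxy(signing_key, demo_upstream, secret="sk_test_PLACEHOLDER")
    token = make_session_token("user42", signing_key)
    print(proxy.handle("/v1/payment_intents", {"X-Session-Token": token}, b"amount=1000"))
    print(proxy.handle("/v1/balance", {"X-Session-Token": token}, b""))
```

The point of the allowlist and the audit log is that the proxy is where you enforce which payment operations the app is allowed to trigger and where you notice abuse, neither of which is possible when the secret is in the client.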