How to secure app id & API Key & username/password... etc

Hello, I have two questions:

1- In the Flutter beta there is no “API Key” yet in the Realm package. Can I use a single username/password for multiple users? (Thousands of users would access my app through one and the same username/password.)

2- I am using “App Services” (Realm) in my mobile app to connect to MongoDB. In order to connect to “App Services” I need to type the “App ID” and “API Key” to access “App Services”. Is it secure to type both values inside my mobile app?

Hi @abdelrahman_mokhtar,

There’s nothing preventing you from doing that, and Device Sync will correctly work on each device separately: please note that, in perspective, it may not be a good idea, as you won’t be able to distinguish among clients and track their activity, should any of them need support.

In general, communication happens over HTTPS, so it’s as secure as it could be: that said, the two values still need to be inside your app, so a determined attacker can discover and access them, unless you add an additional level by encrypting the values, and decrypting just before use.

More in detail, App ID isn’t that valuable, unless you leave the app with glaring security holes like Anonymous Authentication or Developer Mode: you can’t do much with it alone. The API Key, however, is a different story: the two typical use cases are

  1. Server-to-server communication: the key never leaves the environments you’re controlling
  2. Read-only user, i.e. the API Key is meant for data that would be public and not modifiable

Leaving remote clients authenticated with an API Key the privilege to modify anything in the backend is definitely a security problem.
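As an added illustration of the two legitimate API-key patterns the answer lists (this is example code, not anything from the thread or from the Realm/App Services SDK), the following model keeps the App Services API key only in a backend the developer controls. The mobile client ships with the App ID and a backend URL, authenticates with its own per-user credentials, and the backend is the only party that calls App Services with the key (server-to-server use). A second principal kind, an API-key-authenticated public reader, is allowed to read and nothing else. The backend, the `fake_app_services` stand-in, the user store and all placeholder values are constructed assumptions for illustration.

```python
"""Added example: App Services API key held server-side, clients authenticated
individually, API-key principals restricted to read-only.  Everything here
(backend, user store, fake App Services call, placeholders) is constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# The key lives in the server environment; the default is a placeholder, not a real key.
APP_SERVICES_API_KEY = os.environ.get(
    "APP_SERVICES_API_KEY", "PLACEHOLDER-server-side-api-key")


@dataclass(frozen=True)
class Principal:
    kind: str   # "user" (individual login) or "api_key" (read-only public reader)
    name: str


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: each user has their own password; none is shared.
_SALT = b"constructed-static-salt"  # a real store uses a random salt per user
_USERS = {"alice": _hash_password("alice-pw", _SALT)}

# Session token -> principal, kept on the backend only.
_SESSIONS = {}


def authenticate_user(username, password):
    """Verify an individual user's credentials; return a session token or None."""
    stored = _USERS.get(username)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = Principal("user", username)
    return token


def authorize(principal, action):
    """API-key principals may only read; logged-in users may read and write."""
    if principal.kind == "api_key":
        return action == "read"
    if principal.kind == "user":
        return action in ("read", "write")
    return False


def fake_app_services(api_key, action, payload):
    """Stand-in for the App Services call that only the backend ever makes."""
    if not hmac.compare_digest(api_key, APP_SERVICES_API_KEY):
        raise PermissionError("bad api key")
    return {"ok": True, "action": action, "payload": payload}


def handle_client_request(token, action, payload=None):
    """Backend entry point: resolve the session, check the action, then call
    App Services with the server-held key.  The client never sees that key."""
    principal = _SESSIONS.get(token)
    if principal is None:
        return {"ok": False, "error": "unauthenticated"}
    if not authorize(principal, action):
        return {"ok": False, "error": "forbidden"}
    return fake_app_services(APP_SERVICES_API_KEY, action, payload)


def client_config():
    """What is shipped inside the mobile app: App ID and backend URL, no API key."""
    return {"app_id": "PLACEHOLDER-app-id",
            "backend_url": "https://backend.example.invalid/api"}


if __name__ == "__main__":
    tok = authenticate_user("alice", "alice-pw")
    print(handle_client_request(tok, "write", {"doc": 1}))
    print(authorize(Principal("api_key", "public-reader"), "write"))
```

The point the model makes concrete: the values shipped in the app (`client_config`) are the ones the answer calls "not that valuable", while the value an attacker would want (`APP_SERVICES_API_KEY`) never leaves the backend, and even an API-key principal is refused any write by `authorize`.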
