Secrets in metadata com.example.app.yaml file in the build process

My app (Flutter based) that I’m willing to publish in F-Droid uses secrets that are used at runtime of the app.

The secrets get generated at build time (using secrets.json locally & environment vars in GitHub Actions) & used at runtime. So I need a way to pass these secrets as ENV variables or any other way at build time on the F-Droid server.

How do I pass these secrets at the build step?

APP Repo: GitHub - KRTirtho/spotube: 🎧 Open source Spotify client that doesn't require Premium nor uses Electron! Available for both desktop & mobile!
F-Droid Data: KR. Tirtho / Data · GitLab

You need to put them in the build metadata.

I’m very new at both f-droid & gitlab. Can you provide me with an example, please?

Something like metadata/org.tasks.yml · master · F-Droid / Data · GitLab?

What linsui meant actually: you can’t have secrets on F-Droid, everything needs to be in the open, in the source repo. Once there, they’re not secrets anymore… just “keys” or whatever you call them.

F-Droid does not sign up for any API keys. Even if provided by a third party, we include them in both binary and source code releases.

From Inclusion Policy | F-Droid - Free and Open Source Android App Repository

1 Like

ClientId or API Keys are fine to include as they’re intended to be seen by everyone. But my application also has to have a ClientSecret for its functionality & that is not something I can push to upstream. It can be a security risk for my users.

Is there any way to store this kind of secret & pass it only in the build without letting everyone know?

If it’s in Client where does it come from? Not from “the client”? It’s not “generated by the app after install”?

Link to the app source code so we know what is this about pls

Sorry for the delay
Here’s the App Source Repo: GitHub - KRTirtho/spotube: 🎧 Open source Spotify client that doesn't require Premium nor uses Electron! Available for both desktop & mobile!

And you need a secret thing for what exactly? Who needs that, you the dev or the user using it? E.g. can the user ask Spotify for such a secret and insert it in your app in Settings?

Yeah, my app has the ability to save a user-provided client id & secret, but that’s only needed when the user is willing to log in with his/her account.
But by default my app would use some pre-generated client id & secret to provide an anonymous experience without needing an actual Spotify account.

As with any secret in an APK, they can be extracted later, so there is no reason to hide anything anyway.

This means that we might need to disable such “anonymous” access feature, imho.

1 Like
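The point made above, that anything shipped inside an APK is recoverable by unzipping and searching the entries, is exactly what a pre-publish check in CI can turn to the developer's advantage: scan the built artifact for the values that must never ship and fail the build if any of them appear. The following is an added example written for this thread, not code from the F-Droid project or from the Spotube repository. The `EXAMPLE_SECRET` value and the zip archive built by `build_sample_apk` are constructed stand-ins (a real APK has the same zip layout but real dex and resource tables); the entry names and encodings checked are assumptions about where such strings typically land.

```python
import base64
import io
import zipfile

# Constructed placeholder; not a real credential.
EXAMPLE_SECRET = "EXAMPLE_CLIENT_SECRET_0123456789"


def encodings_of(secret: str) -> dict:
    """Byte patterns a secret commonly appears as inside an APK.

    Dex string pools use (M)UTF-8, the resources.arsc string pool is often
    UTF-16LE, and build scripts sometimes 'hide' values with base64.
    None of these are encryption; every one of them is a plain substring search.
    """
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
    }


def scan_apk(apk_bytes: bytes, secrets) -> dict:
    """Return {entry_name: [encoding, ...]} for each archive entry containing any secret."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            hits = set()
            for secret in secrets:
                for name, pattern in encodings_of(secret).items():
                    if pattern in data:
                        hits.add(name)
            if hits:
                findings[info.filename] = sorted(hits)
    return findings


def publish_gate(apk_bytes: bytes, secrets) -> bool:
    """True when the artifact is clean, False when any secret leaked into it."""
    return not scan_apk(apk_bytes, secrets)


def build_sample_apk(secret: str) -> bytes:
    """Constructed stand-in for a built APK (assumption: not a real, installable APK).

    One entry embeds the secret the way a dex string pool would (UTF-8),
    another the way a resource table might (UTF-16LE).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16 + b"clientSecret\x00" + secret.encode("utf-8") + b"\x00",
        )
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + secret.encode("utf-16-le"))
        zf.writestr("assets/config.json", b'{"client_id": "public-id"}')
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk(EXAMPLE_SECRET)
    print(scan_apk(apk, [EXAMPLE_SECRET]))
    print("safe to publish" if publish_gate(apk, [EXAMPLE_SECRET]) else "secret present in build")
```

In a real pipeline the list passed to `publish_gate` would be the same values the build injects from `secrets.json` or the CI environment, so the gate fails precisely when a value meant to stay server-side ended up in the artifact; on F-Droid, where the build is reproduced from the public source, the only value that can pass this gate is one that was never a secret to begin with.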

Sounds similar to what Aurora OSS / AuroraStore · GitLab does, maybe you can find some inspiration there?

1 Like

@Licaon_Kter I know it can be done. But it’s difficult. Not everyone can do that. At least it is better than keeping it completely open to everyone, because now everyone can see it.

@KRTirtho
unzip and strings are not very difficult.
Otherwise you can run enjarify and jad if necessary.

If your service crumbles because someone has an API key, something is fundamentally broken with your service.

If you need to share accounts across multiple users, then look at the cookiejar made by Yalp that is currently used by Aurora as already mentioned above.
