使用“--dart-define”go 定义的变量在哪里，我们可以对它们进行逆向工程吗？

Question

I am building a flluter application. I don't want to compromise my secret_key by putting it in the code, so I tried making a .env file and created an apk. Then I unzipped the apk and found my config file there. So now I am not doing that.

The next thing I tried is using --dart-define variable declarations to put my secret_key while building the app and I am accessing it using

const secret = String.fromEnvironment("secret_key");

Coming to the question, where do these variables go inside the dart code and is there a way to get them by reverse engineering. Basically is it safe to put my secret key this way?

Answer 1

From what I found, you can find the --dart-define variables in the binary file generated for each ABI, so yes , you can reverse-engineer it.

How to try:

1. Call the variable from your code with String.fromEnvironment("ANIMAL") .

2. Run flutter build apk --dart-define=ANIMAL=Dog to build for Android

3. Open the generated.APK file with a file archiver (7-Zip, for example) and navigate to /lib/(ABI)/

4. Open /lib/(ABI)/libapp.so file with a text editor or hex viewer and search for the value Dog and you will find it

Observations:

• If you don't use the variable in your code, it won't be added to the binary
• Using --obfuscate with flutter build won't help, because it doesn't obfuscate environment variables