Problem: expo OTA bundle contains plain secrets.
I have a question regarding "what is the right way to fix it".
We have an Expo React Native app written in TypeScript. This app calls API endpoints after an initial auth and OAuth2 token retrieval (not that important).
API auth requires a username/password; those are stored as environment variables, e.g. in a .env
file. Then the secrets are used in code to build a request in the following way:
import { USER, PASSWORD, API_URL } from "@env";
....
private async _authenticate() {
  const body = `username=${USER}&password=${PASSWORD}`;
  const response = ......
So far so good.
But since we like the idea of the OTA and Expo combination, we use expo export --public-url $EXPO_UPDATE_URL
. The bundle is generated and then placed on a server.
But close inspection reveals that the bundle (publicly available for the mobile app to download) contains raw, plain passwords. That seems like a massive security flaw.
Are we doing it "the wrong" way? How should we fix it to at least obfuscate the Expo bundle?
Thanks!
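Added example, not part of the original post: a pre-publish check for exactly the failure described above. A Babel env plugin like @env replaces the imported names with string literals, so the exported JS bundle contains the .env values verbatim; this scanner takes the names you consider secret (the poster's USER and PASSWORD; API_URL is not a secret and is deliberately left out), looks for each value in the bundle text, and also looks for the base64 and JS-string-escaped forms so that a cosmetic "obfuscation" step does not make it pass. The sample bundle string and credentials below are constructed; the file layout assumed for scanExportDir (plain-text .js/.bundle files under the expo export output directory) is an assumption, not something the post states.

```typescript
// Added example (not from the original post): scan an exported Expo/OTA bundle
// for values that came from .env before it is uploaded to the update server.
// Assumption: the bundle files are plain JS text, as `expo export` produces.
import * as fs from "fs";
import * as path from "path";

export interface Leak {
  name: string;                      // which secret leaked, e.g. "PASSWORD"
  form: "plain" | "base64" | "json"; // how the value appeared in the bundle
  file: string;                      // which bundle file contained it
}

// Forms a value takes after the usual "obfuscation" attempts. Each one is
// trivially reversible by anyone who downloads the public bundle, which is
// why the check treats them all as leaks.
function encodedForms(value: string): Array<[Leak["form"], string]> {
  return [
    ["plain", value],
    ["base64", Buffer.from(value, "utf8").toString("base64")],
    // How the value looks inside a JS string literal (quotes/backslashes escaped).
    ["json", JSON.stringify(value).slice(1, -1)],
  ];
}

// Report every secret whose value (in any of the forms above) is present in
// bundleText. Only names you pass in are checked, so non-secret config such
// as API_URL can stay in the bundle without tripping the scan.
export function findLeaks(
  bundleText: string,
  secrets: Record<string, string>,
  file = "<memory>",
): Leak[] {
  const leaks: Leak[] = [];
  for (const [name, value] of Object.entries(secrets)) {
    if (!value || value.length < 4) continue; // too short to match meaningfully
    for (const [form, needle] of encodedForms(value)) {
      if (bundleText.includes(needle)) {
        leaks.push({ name, form, file });
        break; // one finding per secret per file is enough
      }
    }
  }
  return leaks;
}

// Walk an `expo export` output directory (assumed layout) and scan every
// .js / .bundle file it contains.
export function scanExportDir(dir: string, secrets: Record<string, string>): Leak[] {
  const out: Leak[] = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      out.push(...scanExportDir(p, secrets));
    } else if (/\.(js|bundle)$/.test(entry.name)) {
      out.push(...findLeaks(fs.readFileSync(p, "utf8"), secrets, p));
    }
  }
  return out;
}

// Constructed sample of what the env plugin leaves behind: the import from
// "@env" is gone and the credentials are inlined as string literals.
export const SAMPLE_BUNDLE =
  'var body="username="+"svc-mobile"+"&password="+"S3cretPassw0rd!";' +
  'fetch("https://api.example.com/token",{method:"POST",body:body});';

// Constructed credentials standing in for the values in the poster's .env.
export const SAMPLE_SECRETS: Record<string, string> = {
  USER: "svc-mobile",
  PASSWORD: "S3cretPassw0rd!",
};

// Returns true when the bundle is safe to publish (no secret found).
export function bundleIsClean(bundleText: string, secrets: Record<string, string>): boolean {
  return findLeaks(bundleText, secrets).length === 0;
}
```

In CI, call scanExportDir on the export directory with the secret names read from the same environment the build used, and fail the job on any non-empty result. The scanner is a guard rail, not the fix: a value that must stay secret cannot be shipped in a client bundle at all, obfuscated or not, because the bundle is downloadable by anyone. The credential exchange has to move to a backend the app talks to, so that only a per-user or per-device token ever reaches the device.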