API keys & safety

Hi there,

I just wanted to highlight that, if in any way possible, I’d appreciate it if you could enhance the safety measures of Thunkable apps in the future. As you know, people can reverse engineer apps, which creates a challenge for keeping, for example, API keys you have in the app secure. Moreover, the communication from the app doesn’t seem to be really encrypted, which leads to the same thing. I know it’s a constant battle between developers & hackers, but the way I see it now is that I really can’t use many API keys, particularly as the risk of them leaking seems too big, and this, again, naturally limits the potential uses of the apps greatly. Also, maybe you’d want to have a bigger disclaimer of this risk for the Thunkable developers.

So, I just wanted to highlight the urgency of the matter, and I’d also be happy to hear what others & the dev team think of what I have now brought up. Anyway, I still love Thunkable, it’s just not perfect, as nothing is. :slight_smile:

Best, Heikki

Owing to the fact that reverse engineering of APK files is easy, this comment is not specific to Thunkable.

Should you be concerned about security, then supply the API key in the app but keep the authentication process (username/password or other means) outside of the app. This way the decompiling process will result in partial data only, which would not jeopardize your data source.

Happy Thunking :grin:
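
The split described in the reply above, sketched as an added example (not part of either post, and not Thunkable's own API): the key shipped in the app is treated as public, and the backend releases data only for a short-lived token it issued after checking credentials that never ship in the APK. All names, the user store and the token format are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# All names and values below are hypothetical and constructed for illustration.
APP_API_KEY = "constructed-key-shipped-in-apk"  # assume anyone can extract this
SERVER_SECRET = secrets.token_bytes(32)         # never leaves the backend
TOKEN_TTL = 900                                 # seconds a login stays valid

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _pw_hash("correct horse battery", _SALT))}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _key_ok(api_key: str) -> bool:
    return hmac.compare_digest(api_key.encode(), APP_API_KEY.encode())

def login(api_key, username, password, now=None):
    """Backend login: returns a short-lived signed token, or None on failure."""
    record = USERS.get(username)
    if not _key_ok(api_key) or record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{username}:{expiry}"      # usernames must not contain ':'
    return f"{payload}:{_sign(payload)}"

def fetch_data(api_key, token, now=None):
    """Backend data endpoint: the API key alone is never sufficient."""
    if not _key_ok(api_key):
        return 403, None
    try:
        username, expiry, sig = token.split(":")
    except (AttributeError, ValueError):
        return 401, None                  # missing or malformed token
    if not hmac.compare_digest(sig.encode(), _sign(f"{username}:{expiry}").encode()):
        return 401, None                  # forged or tampered token
    if int(expiry) < (time.time() if now is None else now):
        return 401, None                  # expired login
    return 200, f"records for {username}"
```

A key recovered from a decompiled app gets past the first check only; without a password-derived token the backend answers 401.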