
Build-time dart-define values are not secure for encryption keys - just concern #2

@SalihCanBinboga

I've identified a significant security concern with the recommended approach for providing encryption keys in the package documentation.

Current Implementation:
The example suggests using --dart-define for providing encryption keys:

static Env create() {
  String encryptionKey = const String.fromEnvironment("APP_ENCRYPTION_KEY");
  String iv = const String.fromEnvironment("APP_IV_KEY");
  return Env(encryptionKey, iv);
}

Security Issues:

  1. Build-time Storage:

    • --dart-define values are stored in the compiled libapp.so file
    • These values are base64 encoded but easily retrievable
    • APK/IPA can be decompiled to access these values
  2. Runtime Memory:

    • String.fromEnvironment() values are stored in plain text in memory
    • Memory dumps can reveal these values
    • Rooted/jailbroken devices can easily access these values
  3. Security Paradox:

    • The package aims to secure environment variables
    • But the encryption keys themselves are stored insecurely
    • This creates a false sense of security

Impact:

  • Anyone with access to the APK/IPA can extract the encryption keys
  • The encryption becomes meaningless as the keys are easily accessible
  • The security layer provided by the package is effectively bypassed

Recommendation:
The documentation should be updated to:

  1. Warn about the security implications of using --dart-define
  2. Provide alternative secure approaches for key management
  3. Consider implementing a more secure key provisioning mechanism
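
A release-gate check for the leak this issue describes, as an added example that is not part of the original issue or the package: it scans a built artifact (for example libapp.so) for build-time secrets you already know, in plain, UTF-16 and base64 forms. The function names, the set of encodings checked and the sample bytes are assumptions constructed for illustration, not a description of how the Dart snapshot stores strings.

```python
import base64

MIN_PATTERN_LEN = 8  # shorter patterns match by chance in large binaries


def candidate_patterns(secret: str) -> dict[str, bytes]:
    """Byte patterns a known secret would leave in a file (assumed encodings)."""
    raw = secret.encode("utf-8")
    patterns = {"utf-8": raw, "utf-16le": secret.encode("utf-16-le")}
    # A secret inside a longer base64 string can start at any of three byte
    # alignments; keep only the characters that depend on the secret alone.
    for offset, skip in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\x00" * offset + raw).rstrip(b"=")
        if (offset + len(raw)) % 3:
            enc = enc[:-1]  # final character also encodes the following byte
        patterns[f"base64+{offset}"] = enc[skip:]
    return patterns


def find_embedded(artifact: bytes, secrets: dict[str, str]) -> list[tuple[str, str, int]]:
    """Return (secret name, encoding, offset) for every secret found in artifact."""
    hits = []
    for name, value in secrets.items():
        for form, pattern in candidate_patterns(value).items():
            pos = artifact.find(pattern) if len(pattern) >= MIN_PATTERN_LEN else -1
            if pos != -1:
                hits.append((name, form, pos))
    return hits


# Constructed sample values and bytes; in CI, read the real build output and
# take the secrets from the same store that feeds --dart-define.
SECRETS = {
    "APP_ENCRYPTION_KEY": "constructed-demo-key-0123456789ab",
    "APP_IV_KEY": "constructed-demo-iv-0123",
}
LEAKY_ARTIFACT = (
    b"\x7fELF" + b"\x00" * 12
    + SECRETS["APP_ENCRYPTION_KEY"].encode() + b"\x00"
    + base64.b64encode(b"xx" + SECRETS["APP_IV_KEY"].encode() + b"yy")
)
CLEAN_ARTIFACT = b"\x7fELF" + b"\x00" * 64

if __name__ == "__main__":
    for name, form, pos in find_embedded(LEAKY_ARTIFACT, SECRETS):
        print(f"FAIL: {name} present as {form} at offset {pos}")
```

A non-empty result means the shipped binary carries the key material, so the build should fail or the key should be treated as public.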


Labels: bug, enhancement
