Security concerns

[sergembamba]

@java-james The issue(#73) has been marked as closed, but the proposed resolution may not be entirely sufficient. Even if the .env file is generated from managed secrets in CI, those values remain accessible once the APK is downloaded.

Should we consider implementing a local symmetric encryption mechanism before packaging these assets into the APK to better protect the secret variables?

[java-james]

Thanks for starting the discussion, @sergembamba

First, I'll let you know my main concern with local encryption and then I'm keen to hear your thoughts:

By performing local encryption of the values, I think we give a false sense of security that these values are secure.
With every man and his dog equip with Claude Code or equivalent, it wouldn't take long for an individual to tear apart a bundle to uncover these values. If we had given this false sense of security, these values could truely be sensitive.