Become A Farmer

in #airhawk7 days ago

There are still tricks to it, you need more security like app integrity checker, etc.

And the rest is on the user to keep his credentials secured.
I no even understand your argument again. Keeping sensitive secrets on the client is not safe no matter what you use, even if na EAS secrets. That's my argument. What's yours?
If I understand the question, I can try.

What secret manager? Are we talking about any secret manager, like the one we have on our phones? Or is it a kind of implementation?
Bro.. I didn't argue about anything with you. I only said one doesn't necessarily need to decompile if a secret is retrieved from a service... I think you're trying to prove it's always necessary.
If it's like a secret manager like that of Google.
Gotcha. So we are on the same page. Decompilation can be the last resort.
So… how do you guys manage secrets?



One way is to pull from a server, but even at that, anyone who knows the endpoint can also pull it. What's actually the best way?
the best way is to become a farmer...if you no create secret, then you no go manage
It's your backend regardless; still, note that your backend is prone to attacks.

you wan dey whine Nigerian scammers
The decryption key is securely saved on your phone, and it all depends on the phone's security - android, iPhone or whatever. It's generated from your passcode or fingerprint.