Question

Potential risk of the .logIn method of the RC SDK for Flutter

  • 31 August 2024
  • 1 reply
  • 12 views

The RC Flutter SDK offers the .logIn method, which allows the current user to log in using only the appUserID.


Since the appUserID is exposed on the client side, a malicious user could potentially obtain someone else's appUserID (e.g., through reverse engineering the app or intercepting network requests) and use it to impersonate that user. This could allow unauthorized access to premium content or features, etc.

Hey @dev_rhenium,

The login() method is only a method in the SDK, so the user would need to have that app user ID somehow passed through your code in the SDK. You can also call configure with an identified app user ID if you would like to forego calling the login() method. More information on this can be found here: https://www.revenuecat.com/docs/customers/user-ids#provide-app-user-id-on-configuration

