The FlutterFlow Security Issue

I've been using FlutterFlow for a short time and I have a big question. I am a web programmer, and learning FlutterFlow has been relatively easy for me.

The problem is that I realize that FlutterFlow only serves as a "Front-end", not a "Back-end". I am currently creating a fairly complex app, where I must manage different APIs, user levels, paywalls, etc.

The problem is that all these paywalls and conditions for allowing API calls to users are implemented via FlutterFlow's own "Actions".

This is an example:

This conditional checks whether the user logged into Firebase has the hasReview boolean set to true or false. If true, it shows a snack bar. If false, it makes an API call.

  1. My first question is: since all this logic is hosted in the "Front-end", would it be possible for a hacker to reverse engineer and crack the code so that this conditional is always false, and so access the "False" branch whenever they want? (For me this is very important, since I am using many conditionals that depend on the state of the user or on the state of different entries in the database. Even variables I add to the database could be easily modified, if that is the case.)

  2. Another question I have is about the API calls that are saved and made in FlutterFlow itself. We put our API keys in their headers. Are these accessible from the "Front-end", and, again, accessible by reverse engineering the app?

  3. I am using RevenueCat as a "membership" system for the app, together with the conditionals that FlutterFlow offers, but again, if these conditionals are front-end they are reversible, and someone could directly bypass or "crack" the memberships to access the private content.

  4. Unfortunately, I think the answer to all my previous questions is going to be yes, and that they can be "cracked", since the functions are not hosted in any backend. Now I'm thinking about moving all the more "delicate" functions to Firebase Cloud Functions and using those as a back-end. The problem is: are these functions also hosted on the front-end, given that we are able to write them in FlutterFlow? Or is that just a tool so users can manage them more easily?

  5. I have also seen that there is "App Check", but from what I see it only works for Firebase, so that non-logged-in users cannot perform the "Create", "Update", etc. actions that FlutterFlow offers us. So FlutterFlow only gives us the possibility of protecting the calls we make to the database, with "App Check"? Again, this is of absolutely no use, because even if the data returned to us is reliable, it can later be modified in other conditionals, or those conditionals can simply be skipped.

I like FlutterFlow, but I think it doesn't do a good job in this regard, especially for paywalls and conditionals that depend on the state of users via Firebase variables. They make it easy for us to add conditionals and build a 100% app, but one which is actually very easily crackable. If one day one of your applications becomes extremely popular and all the conditions and limitations are hosted on the front-end, they will be easily bypassed; I repeat, especially if you use RevenueCat or similar.

Sincerely, to the FlutterFlow team: if you want to be the undisputed "Boss" of no-code web apps and phone apps, integrating a back-end into our apps and letting us move all that sensitive logic to that back-end would undoubtedly make you number one. I also think you should warn users that all (or almost all) of the code is front-end and therefore easily bypassed by hackers.

I await your responses; I'm sorry for having written so much. I have added the questions in a list 1, 2, 3, 4... to make it easier to answer. Thank you so much.

4
1 reply
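The following is an added example, not code from the original post, from FlutterFlow or from Firebase. It takes the "hasReview" conditional and the API call with a secret header from the post and shows what questions 2 and 4 are really asking for: the same decision, evaluated in a server-side handler shaped like a Firebase callable Cloud Function, where the user's identity comes from the verified token, the authorization state is re-read from the server's own copy of the user document, and the third-party API key never leaves the server. The names `handleReviewRequest`, `ReviewStore`, `decideReviewAction` and `THIRD_PARTY_URL` are hypothetical, the store and HTTP client are injected stand-ins so the code runs offline, and the wiring to `functions.https.onCall` is shown only in a comment.

```javascript
// Added example (not from the post, FlutterFlow or Firebase): the client-side
// "hasReview" conditional moved into a server-side handler. All names below
// are hypothetical; the store and fetch implementation are constructed stand-ins.
'use strict';

const THIRD_PARTY_URL = 'https://api.example.invalid/reviews'; // placeholder URL

// Error type for auth failures. A real callable function would rethrow these
// as functions.https.HttpsError(code, message); kept dependency-free here.
class AuthError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// The decision the FlutterFlow action makes on the device, rewritten as a pure
// function of the SERVER's copy of the user document. A patched app can change
// what it sends; it cannot change what the server reads from its own store.
function decideReviewAction(userDoc) {
  return userDoc.hasReview === true ? 'snackbar' : 'call_api';
}

// Server-side handler. `ctx` mimics the context a callable function receives:
// ctx.auth is populated by Firebase from the verified ID token, never from the
// client payload. `deps` injects the user store, the secret and the HTTP
// client so the handler can be exercised without Firebase or network access.
async function handleReviewRequest(payload, ctx, deps) {
  const { store, apiKey, fetchImpl } = deps;

  // 1. Identity comes from the verified token, not from the request body.
  if (!ctx.auth || !ctx.auth.uid) {
    throw new AuthError('unauthenticated', 'Sign in first.');
  }
  const uid = ctx.auth.uid;

  // 2. Authorization state is re-read from the server's store. Any `hasReview`
  //    the client put in the payload is deliberately ignored.
  const userDoc = await store.getUser(uid);
  if (!userDoc) {
    throw new AuthError('permission-denied', 'Unknown user.');
  }

  // 3. The same conditional as in the app, evaluated where it cannot be patched.
  const action = decideReviewAction(userDoc);
  if (action === 'snackbar') {
    return { action, message: 'You have already left a review.' };
  }

  // 4. The API key lives only in the function's environment (for example a
  //    secret bound to the function) and is sent upstream from here. It is
  //    never part of the response, so the app bundle never contains it.
  const res = await fetchImpl(THIRD_PARTY_URL, {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ userId: uid, text: String(payload.text || '') }),
  });
  if (!res.ok) {
    throw new Error(`upstream error ${res.status}`);
  }
  const body = await res.json();
  // Only whitelisted fields go back to the client.
  return { action, result: { id: body.id } };
}

// Constructed in-memory stand-ins so the handler runs offline.
class ReviewStore {
  constructor(docs) { this.docs = new Map(Object.entries(docs)); }
  async getUser(uid) { return this.docs.get(uid) || null; }
}

// Records every outbound call so a test can check what was sent upstream.
function makeFakeFetch(log) {
  return async (url, init) => {
    log.push({ url, init });
    return { ok: true, status: 200, json: async () => ({ id: 'rev_123' }) };
  };
}

// Wiring sketch (not executed here): in a real Cloud Function this would be
//   exports.submitReview = functions.https.onCall((data, context) =>
//     handleReviewRequest(data, context, { store: firestoreStore,
//       apiKey: process.env.THIRD_PARTY_API_KEY, fetchImpl: fetch }));

module.exports = { AuthError, decideReviewAction, handleReviewRequest, ReviewStore, makeFakeFetch };
```

The point the handler makes is that the client never decides anything: it may send `hasReview: false` all day, but the branch is chosen from the server's user document, and the secret header is assembled on the server. The client-side FlutterFlow conditional can stay for UX, but it is no longer what gates the API call or the paid content.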