Protect your secrets

Keep your secret env vars secret for all eternity and your files belonging to certain apps protected against downloading.

Keep your secret env vars secret for all eternity and your files belonging to certain apps protected against downloading.

From now on the secret environment variables belonging to your apps are not displayed as default, only the list of them and the keys (their names), until you set it to be otherwise. We've also added a new feature to your apps' Secrets and Code Signing tabs: a toggle called 'protected'. With this, you can make your secrets unexposable and your code signing certificates undownloadable.

You should use this feature for secrets that you want to keep secret. 😎  This can be a password that you don't want other team members to see, even if they have access to the Secrets tab. Or the CTO can set an API-key and lock it so that the developers won't be able to see it or edit it, but the build still can use it.

Secrets tab

You can add new secrets to your app under the Secrets tab. Once you save them and refresh the page, stars will appear instead of the values. (Until now, the values were always printed here.) The values will only be sent to front-end when you click the eye, if you set it protected, it'll only get sent to the build machine.

Secret keys (and their values) cannot be changed only deleted.

We've added a crossed eye icon, which will expose the secret and show the value.

Another new feature is available under the drop-down menu (...): you can Make it protected. If you set an env var protected, you cannot see the value any longer, in fact, nobody can see it any longer, deleting it is the only option remaining. If you click the button, a popup appears warning you that this action is irreversible.

Please note that you have to save the page to make an environment variable protected. Protected env vars are indicated with a lock.

Code Signing tab

A similar option is available on Code Signing tab. For all the files uploaded here, you'll find Make protected under the drop-down menu (...):

Then comes the warning that this is irreversible from the moment you click the button, no Saving is required.

Making a file protected means that you cannot download it but only delete it.

Provisioning profiles
Provisioning profiles


Files in generc file storage
files in generc file storage

Happy secrecy! 🤐

No items found.
The Mobile DevOps Newsletter

Explore more topics

App Development

Learn how to optimize your mobile app deployment processes for iOS, Android, Flutter, ReactNative, and more

Bitrise & Community

Check out the latest from Bitrise and the community. Learn about the upcoming mobile events, employee spotlights, women in tech, and more

Mobile App Releases

Learn how to release faster, better apps on the App Store, Google Play Store, Huawei AppGallery, and other app stores

Mobile DevOps

Learn Mobile DevOps best practices such as DevOps for iOS, Android, and industry-specific DevOps tips for mobile engineers

Mobile Testing & Security

Learn how to optimize mobile testing and security — from automated security checks to robust mobile testing and more.

Product Updates

Check out the latest product updates from Bitrise — Build Insights updates, product news, and more.

The Mobile DevOps Newsletter

Join 1000s of your peers. Sign up to receive Mobile DevOps tips, news, and best practice guides once every two weeks.