| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |
If you discover a security vulnerability in QuitEase, please do NOT open a public GitHub issue.
Report privately via:
- GitHub: Use the Private Security Advisory feature
- Email: Contact the maintainer directly via GitHub profile
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if known)
You will receive a response within 48 hours. We take all reports seriously.
| Method | Implementation | Notes |
|---|---|---|
| Google Sign-In | Firebase Auth + google_sign_in v7 | OAuth 2.0, ID token flow |
| Anonymous | Firebase signInAnonymously() | Guest mode, prompts to link |
| Account Linking | linkWithCredential() | Preserves all progress |
| Data Type | Storage Location | Protection |
|---|---|---|
| User profile | Cloud Firestore | Firebase Auth UID scoped (apply rules below) |
| Smoking stats | SharedPreferences | App sandbox |
| Session state | GetStorage | App sandbox |
| Credentials | Never stored | OAuth flow only |
| Tokens | Firebase Auth SDK | Managed by SDK, not app code |
- NEVER store in code: API keys, OAuth client IDs, Firebase keys
- Use: .env (local only, gitignored)
- In CI/CD: GitHub Actions Secrets / environment variables
See .env.example for the complete list of required variables.
| Variable | Source |
|---|---|
| FIREBASE_ANDROID_API_KEY | Firebase Console |
| FIREBASE_WEB_API_KEY | Firebase Console |
| FIREBASE_ANDROID_APP_ID | Firebase Console |
| FIREBASE_PROJECT_ID | Firebase Console |
| GOOGLE_SERVER_CLIENT_ID | Google Cloud Console |
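
A pre-commit or CI check for the rules and variable list above, written as an added example that is not part of the QuitEase repository: it reports listed variables that are missing or empty in the env file, source files containing a Google-style API key literal, and a `.env` that git tracks or does not ignore. The function names, the script name, and the `AIza` plus 35 character key pattern are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: not part of the QuitEase repository; function names are hypothetical.
# Variable names are the ones listed in the table above.
REQUIRED_VARS="FIREBASE_ANDROID_API_KEY FIREBASE_WEB_API_KEY FIREBASE_ANDROID_APP_ID
FIREBASE_PROJECT_ID GOOGLE_SERVER_CLIENT_ID"

# Print every required variable that is absent or empty in the env file "$1".
# Returns 0 only when all of them have a value.
missing_env_vars() {
  local file="$1" var value missing=0
  for var in $REQUIRED_VARS; do
    # Last assignment wins; drop quotes and whitespace before the emptiness test.
    value=$(sed -n "s/^${var}=//p" "$file" 2>/dev/null | tail -n 1 | tr -d "\"' \t\r")
    if [ -z "$value" ]; then
      echo "$var"
      missing=1
    fi
  done
  return "$missing"
}

# Print the files under the given paths that contain a Google-style API key
# literal (assumed format: "AIza" followed by 35 URL-safe characters).
find_hardcoded_keys() {
  grep -rlE --include='*.dart' --include='*.json' --include='*.xml' \
    --include='*.plist' 'AIza[0-9A-Za-z_-]{35}' "$@" 2>/dev/null
}

# True when git ignores .env and the file is not already tracked.
env_is_untracked() {
  git check-ignore -q .env && ! git ls-files --error-unmatch .env >/dev/null 2>&1
}

# Run every check from the repository root: ./check_secrets.sh --check
# (check_secrets.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--check" ]; then
  status=0
  missing_env_vars .env || { echo "missing or empty in .env (listed above)" >&2; status=1; }
  hits=$(find_hardcoded_keys . || true)
  [ -z "$hits" ] || { echo "API key literal in: $hits" >&2; status=1; }
  env_is_untracked || { echo ".env is tracked or not gitignored" >&2; status=1; }
  exit "$status"
fi
```

The script exits non-zero when any check fails, so it can gate a commit hook or a GitHub Actions step.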
The app uses flutter_dotenv to load .env:

```dart
// At the top of main.dart
import 'package:flutter_dotenv/flutter_dotenv.dart';

// In main(), before runApp()
await dotenv.load(fileName: ".env");

// Reading a value
final clientId = dotenv.env['GOOGLE_SERVER_CLIENT_ID'] ?? '';
```

Setup:

```bash
# Copy the template
cp .env.example .env
# Fill in your values in .env
```

Last reviewed: February 2026 (QuitEase v1.0.0)