I am developing a Flutter application that uses the Google Drive API via Google Cloud Console and OAuth 2.0 to access and store user data on their Google Drive.

On Windows, I noticed that I need to store the Client ID and Client Secret inside the application, but according to the documentation, these credentials must be kept hidden. Since my app is not running in a secure environment, I currently store them as environment variables.

I have several questions regarding security: 1. What are the risks if someone gets access to my Google Cloud Client ID & Secret? 2. Can an attacker gain access to users’ Google Drive data if they obtain these credentials? 3. What are the best practices for securely storing the Client ID & Secret, considering that the application runs in an untrusted environment? 4. Would it be possible to mitigate this issue by using a backend? If so, how?

Packages I am using: • googleapis: 13.2.0 • extension_google_sign_in_as_googleapis_auth: 2.0.12

Any insights or recommendations would be greatly appreciated!