Securing API key and Secret key in Android

Kishore


The Android world is really vast, with overall 1.5 million users and over 2 million apps on the Play Store that help consumers do various tasks like booking flight tickets, ordering food, using banking apps for transactions, making digital payments and what not. These apps really make the user's job easier. But to build such great apps they must be integrated with different third-party APIs, libraries and internal APIs, which require either an API key or a client secret to be sent during access.

Most of the time we work on a shared or public repository to check in our code, so how do we keep these keys secret? Hard-code them in the source code? Or keep them in a values config file? If your answer to either is yes, the next question is: are these keys or secrets safe enough? Mind you, once the code is committed the keys are exposed and at potential risk.

Is there a way to safeguard these secrets by not exposing it to the outer world? The answer is YES.

Wondering how? Ok, let me walk you all through the steps below.

With the help of the Gradle script in Android Studio, we can keep these secrets in an environment variable, making sure the secret is known only to the machine that creates the build, and inject them at build time. Let's see how we make this work.


1. Edit the gradle.properties file available in the home directory.

Figure 1

Add the keys you want to keep out of the source code.

2. Move on to the build.gradle (module) file and define the variable as shown in the image below:

    def variableName = value ?: 'error message'

Figure 2

The syntax is simple. Define a variable using the def keyword; the Elvis operator ?: assigns the value if it is not null and otherwise assigns the appropriate error message.

3. Set the Gradle variables as shown in the image below.

Figure 3
The 'buildConfigField' entry exposes the variable to the project code through the generated BuildConfig class.

The 'manifestPlaceholders' entry makes variables available in the manifest file, for example the Facebook, Geo and Fabric keys, which can then be referenced in AndroidManifest.xml as below.

Figure 5

Note: Sync the Gradle files once you are done with your settings. Once Gradle is synced, a build folder is generated containing a 'buildConfig' folder (found at project—>app—>build—>generated—>source—>buildConfig) which is not editable. All your Gradle variables are created in the BuildConfig.java file as below.

Figure 4

That's it, 3 steps were all it required. Hold on, we haven't finished yet. We will see how to use the key in the code.
Import the generated BuildConfig class in the place where these keys/secrets need to be injected. In this case, it's the activity where the keys/secrets are injected.

Figure 6


Figure 7


Include the required key here; the value will be stored and injected where requested, and we can make sure the secret keys are not shared with public or shared repositories and remain only with the person concerned.
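The three Gradle steps above, assembled into one module-level build.gradle as an added example. This is not the post's own file: the property names MAPS_API_KEY and FABRIC_KEY, the placeholder values and the secretProperty helper are assumptions made here. It differs from the post's one-liner in one respect: a missing property fails the build instead of substituting an error string, so a build machine that lacks the secret cannot produce an APK carrying a placeholder value.

```groovy
// app/build.gradle (module level) -- added example, not the post's own file.
// Only the parts relevant to the secrets are shown; the usual plugin, SDK and
// dependency blocks are unchanged.
//
// Assumes ~/.gradle/gradle.properties on the build machine contains, e.g.:
//   MAPS_API_KEY=constructed-placeholder-maps-key
//   FABRIC_KEY=constructed-placeholder-fabric-key
// Property names and placeholder values are constructed for this example.

// Read a Gradle property from ~/.gradle/gradle.properties (or from -P on the
// command line). Fail the build loudly rather than silently shipping an empty
// or placeholder key: a missing property is a configuration error.
def secretProperty(String name) {
    if (!project.hasProperty(name)) {
        throw new GradleException(
            "Missing Gradle property '${name}'. Add it to ~/.gradle/gradle.properties on the build machine.")
    }
    return project.property(name).toString()
}

def mapsApiKey = secretProperty('MAPS_API_KEY')
def fabricKey  = secretProperty('FABRIC_KEY')

android {
    defaultConfig {
        // buildConfigField(type, name, value): 'value' is inserted verbatim into
        // BuildConfig.java, so a String value must carry its own double quotes.
        // Read in code as BuildConfig.MAPS_API_KEY.
        buildConfigField "String", "MAPS_API_KEY", "\"${mapsApiKey}\""

        // manifestPlaceholders makes ${geoApiKey} and ${fabricKey} resolvable in
        // AndroidManifest.xml at manifest-merge time, e.g.
        //   <meta-data android:name="com.google.android.geo.API_KEY"
        //              android:value="${geoApiKey}" />
        //   <meta-data android:name="io.fabric.ApiKey"
        //              android:value="${fabricKey}" />
        manifestPlaceholders = [geoApiKey: mapsApiKey, fabricKey: fabricKey]
    }
}
```

As several commenters below point out, this keeps the secrets out of the repository, not out of the APK: buildConfigField compiles them into BuildConfig.class as plain string constants and manifest placeholders end up in the merged manifest, both of which a decompiler recovers. Treat keys handled this way as values that can be revoked and restricted (Google API keys, for instance, can be bound to the app's package name and signing certificate), and keep anything that must remain genuinely secret on a server you control rather than in the app.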


about the author

Kishore

  1. Nageswararao CH

    February 1, 2017

    Good, helpful for maintaining keys and secure information.

  2. Amit Kumar

    February 2, 2017

    Still anyone can decompile the app and grab the keys.

  3. Kundan Kumar

    February 2, 2017

    Nice, very helpful.

  4. Hardik Mehta

    April 27, 2017

    I tried your tutorial but the Google map does not get displayed.

  5. kushagra

    August 1, 2017

    This is not correct. I can reverse the app and can show you the secret key very easily.

    • Chirag Joshi

      September 25, 2017

      Do you know any way to secure such URLs and code in an Android project?

  6. Trần Văn Thắng

    August 26, 2017

    When I decompile I can see it, so how to secure it even if I decompile?

  7. Vishal Bhandare

    October 5, 2017

    I am getting below errors while doing “sync now”

    Error:org.gradle.api.GradleException: Crashlytics Developer Tools error.
    Error:com.crashlytics.tools.android.exception.PluginException: Crashlytics Developer Tools error.
    Error:java.lang.IllegalArgumentException: Crashlytics found an invalid API key: {$FABRIC_KEY}.

  8. Vishal Bhandare

    October 5, 2017

    This tool easily breaks everything
    http://www.javadecompilers.com

  9. wady baby

    November 4, 2017

    Yes, can be seen in reverse.

  10. Ravi Pun

    November 15, 2017

    Sorry to tell you but this tutorial is the most confusing tutorial I have ever seen.
    Plus why don’t you include the actual text or code of the gradle files instead of screen-shots anyway.
    Tried to make it happen, but wasted my time entirely.