Home security How To Secure Api Keys And Data From Reverse Engineering In Android

How To Secure Api Keys And Data From Reverse Engineering In Android

by pratheep kanati

Securing API key and Data in Android

The Android world is really vast, with millions of users and over millions of apps on the play store, helping users to do a variety of tasks, such as booking a flight ticket, ordering food, using the banking app to make transactions, making digital payments and not

The apps really make it easier for the user to work. But in order to build such great apps, it should be integrated with various third-party APIs, libraries and the internal API that will require either API key or client secret to be sent during access.

Most of the time we work on the shared or public repository to check in our code, how do we secretly keep those keys? Do you have hard code in the source code? Or keep it in the config file of values? If you feel the answer is yes to both, then the next question arises is whether these key or secrets are sufficiently safe? Remember, the keys are exposed and are at potential risk as the code will be committed.

There are many applications that can easily decompile you by reverse engineering even if you are obstructing using progaurd. It only saves to some extent. We can’t avoid 100 percent reverse engineering. So you’re easily exposed to other data.

Is there a way to safeguard these secrets by not exposing it to the outer world? The answer is YES.

How do you wonder? Okay, let me walk the steps below through you all.

Using Gradle script in an android studio, we can keep these secrets variable in the environment, making sure that the secret is known only to the machine that creates the build, thereby injecting these secrets during the construction period. Let’s see how we’re doing this job.

1.Create ‘secrete.properties’ file in Root of The Project:

Paste your keys which you want to hide it from source code.

2.Then Go to App ‘build.gradle’ file

Then Write Above Code According To Your Requirement Above dependencies tag

And Then Write below code in side the debug and release tags  as shown in the fig below

After Write This Now Build The Project

Write Above code which You Want To Access The Keys Inside The Manifesto and Build Project.

That’s All Implementations Is Completed

3.How To Access the Keys Inside The project.

Above Figure Shows How to access the key inside the AndroidManifest.xml  To Access the key we cant specify the key in build.gradle manifestPlaceHolder Tag else It will fails when you not mention in it.

The above fig shows the using the keys in side the java class

Thus We can Store The Key Securely And Access When We require.

2 comments

ramya September 12, 2019 - 3:31 pm

why not in gradle-properties, why you are created new file

Reply
pratheep kanati September 13, 2019 - 4:52 pm

Yaa you can create

Reply

Leave a Reply

%d bloggers like this: