Securing API key and Data in Android
The Android world is really vast, with millions of users and millions of apps on the Play Store that help users do a variety of tasks, such as booking a flight ticket, ordering food, using a banking app to make transactions, making digital payments and not
These apps really make the user's work easier. But to build such great apps, they have to be integrated with various third-party APIs, libraries and internal APIs that require either an API key or a client secret to be sent on access.
Most of the time we check our code in to a shared or public repository, so how do we keep those keys secret? Do you hard-code them in the source code? Or keep them in a config file of values? If you feel the answer is yes to both, then the next question is whether these keys or secrets are sufficiently safe. Remember, the keys are exposed and at potential risk because the code will be committed.
There are many applications that can easily decompile your app by reverse engineering, even if you obfuscate it using ProGuard. ProGuard only helps to some extent. We can't avoid reverse engineering 100 percent, so your data is easily exposed to others.
Is there a way to safeguard these secrets without exposing them to the outside world? The answer is YES.
Wondering how? Okay, let me walk you all through the steps below.
Using a Gradle script in Android Studio, we can keep these secrets as variables in the build environment, so that the secret is known only to the machine that creates the build, and inject them at build time. Let's see how this is done.
1. Create a 'secrets.properties' file in the root of the project:

Paste the keys that you want to hide from the source code.
TMDB_API_KEY=yourkeys
FACEBOOK_API_KEY=yourkeys
NEWS_URL=http://www.yoursite.com/?tag=jrntr
IMAGE_URL=http://www.yoursite.com/images/
ARTICLE_URL=http://www.yoursite.com/?url=
2. Then go to the app 'build.gradle' file

Then write the code below, adapted to your requirements, above the dependencies block:
// Each helper loads secrets.properties and returns one value from it.
static def getArticleUrl() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['ARTICLE_URL']
}
static def getTMDBApiKey() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['TMDB_API_KEY']
}
static def getFACEBOOKApiKey() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['FACEBOOK_API_KEY']
}
static def getNewsURL() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['NEWS_URL']
}
static def getImageURL() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['IMAGE_URL']
}

After writing this, build the project with these buildTypes:
buildTypes {
    release {
        minifyEnabled true
        shrinkResources true
        //proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        debuggable false
        jniDebuggable false
        renderscriptDebuggable false
        pseudoLocalesEnabled false
        zipAlignEnabled true
        // Each value read from secrets.properties becomes a String constant in BuildConfig
        buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
        buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
        buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
        buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
        buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
    }
    debug {
        buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
        buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
        buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
        buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
        buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
    }
}

Write the code below for the keys you want to access inside the manifest, then build the project.
defaultConfig {
    applicationId "com.pradeep.ntr"
    minSdkVersion 19
    targetSdkVersion 26
    versionCode 12
    versionName "2.1"
    testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
    multiDexEnabled true
    // We can declare the key inside the placeholder to access it in the Android manifest.
    // Pass the value loaded from secrets.properties, not the literal name of the key.
    manifestPlaceholders = [FACEBOOK_API_KEY: getFACEBOOKApiKey()]
    resConfigs "en"
}
That's all; the implementation is complete. The full build.gradle:
apply plugin: 'com.android.application'
apply plugin: 'org.greenrobot.greendao'
android {
    compileSdkVersion 26
    buildToolsVersion '27.0.2'
    defaultConfig {
        applicationId "com.pradeep.ntr"
        minSdkVersion 19
        targetSdkVersion 26
        versionCode 12
        versionName "2.1"
        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
        multiDexEnabled true
        // Pass the value loaded from secrets.properties, not the literal name of the key.
        manifestPlaceholders = [FACEBOOK_API_KEY: getFACEBOOKApiKey()]
        resConfigs "en"
    }
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            //proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            debuggable false
            jniDebuggable false
            renderscriptDebuggable false
            pseudoLocalesEnabled false
            zipAlignEnabled true
            buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
            buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
            buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
            buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
            buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
        }
        debug {
            buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
            buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
            buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
            buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
            buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
        }
    }
}
// Each helper loads secrets.properties and returns one value from it.
static def getArticleUrl() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['ARTICLE_URL']
}
static def getTMDBApiKey() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['TMDB_API_KEY']
}
static def getFACEBOOKApiKey() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['FACEBOOK_API_KEY']
}
static def getNewsURL() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['NEWS_URL']
}
static def getImageURL() {
    def Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['IMAGE_URL']
}
dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
        exclude group: 'com.android.support', module: 'support-annotations'
    })
    ext {
        frescoVersion = '1.2.0'
    }
    compile files('libs/ViewpagerAnimation.jar')
    compile files('libs/YouTubeAndroidPlayerApi.jar')
    compile project(':frescoimageviewers')
    compile files('libs/jsoup-1.7.1.jar')
    compile project(':MaterialSearchView')
    compile project(':swipbacklib')
    compile 'com.nineoldandroids:library:2.4.0'
    compile 'com.squareup.picasso:picasso:2.3.2'
    compile 'com.daimajia.slider:library:[email protected]'
    compile 'com.android.volley:volley:1.0.0'
    compile 'com.facebook.android:facebook-android-sdk:4.23.0'
    compile 'com.android.support:appcompat-v7:27.0.2'
    compile 'com.android.support:design:27.0.2'
    compile 'com.android.support:recyclerview-v7:27.0.2'
    compile 'com.android.support:support-v4:27.0.2'
    compile 'com.android.support:cardview-v7:27.0.2'
    compile 'com.android.support:customtabs:27.0.2'
}
uploadArchives.enabled = false
apply plugin: 'com.google.gms.google-services'
3. How to access the keys inside the project

The figure above shows how to access the key inside AndroidManifest.xml. To access the key there, we must specify it in the manifestPlaceholders entry in build.gradle; otherwise the build fails because the placeholder is not defined.

The figure above shows how to use the keys inside a Java class:
String facebookKey = BuildConfig.FACEBOOK_API_KEY;
String tmdKey = BuildConfig.TMDB_API_KEY;
String imgURL = BuildConfig.IMAGE_URL;
Thus we can store the keys securely and access them when we require them.
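A more compact variant of the build.gradle wiring from step 2, as an added example that is not the author's code: it loads secrets.properties once through rootProject.file, falls back to an environment variable of the same name, and fails the build when a value is missing. The `secret` and `quoted` helpers and the environment fallback are assumptions of this example, as is a .gitignore entry for secrets.properties so that the file never reaches the shared repository.

```groovy
// Added example for app/build.gradle; place above the android { } block.
// Assumes secrets.properties sits in the root project and is listed in .gitignore.

// Resolve against the root project directory rather than the process working
// directory, which a relative new File('secrets.properties') depends on.
def secretsFile = rootProject.file('secrets.properties')
def secrets = new Properties()
if (secretsFile.exists()) {
    secretsFile.withInputStream { secrets.load(it) }
}

// Hypothetical helper: the file wins, then an environment variable of the same
// name (for build machines without the file); otherwise the build stops here.
def secret = { String key ->
    def value = secrets.getProperty(key) ?: System.getenv(key)
    if (!value) {
        throw new GradleException(
            "Missing secret '${key}': add it to ${secretsFile} or export it as an environment variable")
    }
    return value
}

// Hypothetical helper: quote a value as a Java string literal for buildConfigField.
def quoted = { String value ->
    '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
}

android {
    defaultConfig {
        // Fields declared in defaultConfig apply to every build type, which
        // replaces the identical lists under release and debug.
        ['TMDB_API_KEY', 'FACEBOOK_API_KEY', 'NEWS_URL', 'IMAGE_URL', 'ARTICLE_URL'].each { key ->
            buildConfigField 'String', key, quoted(secret(key))
        }
        manifestPlaceholders = [FACEBOOK_API_KEY: secret('FACEBOOK_API_KEY')]
    }
}
```

Values injected this way are still compiled into the generated BuildConfig class and the merged manifest inside the APK, so this keeps keys out of the repository rather than out of the shipped app.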
Why not in gradle-properties? Why have you created a new file?
Yes, you can create it.