Securing API key and Data in Android
The Android world is really vast, with millions of users and over millions of apps on the play store, helping users to do a variety of tasks, such as booking a flight ticket, ordering food, using the banking app to make transactions, making digital payments and not
The apps really make it easier for the user to work. But in order to build such great apps, it should be integrated with various third-party APIs, libraries and the internal API that will require either API key or client secret to be sent during access.
Most of the time we work on the shared or public repository to check in our code, how do we secretly keep those keys? Do you have hard code in the source code? Or keep it in the config file of values? If you feel the answer is yes to both, then the next question arises is whether these key or secrets are sufficiently safe? Remember, the keys are exposed and are at potential risk as the code will be committed.
There are many applications that can easily decompile you by reverse engineering even if you are obstructing using progaurd. It only saves to some extent. We can’t avoid 100 percent reverse engineering. So you’re easily exposed to other data.
Is there a way to safeguard these secrets by not exposing it to the outer world? The answer is YES.
How do you wonder? Okay, let me walk the steps below through you all.
Using Gradle script in an android studio, we can keep these secrets variable in the environment, making sure that the secret is known only to the machine that creates the build, thereby injecting these secrets during the construction period. Let’s see how we’re doing this job.
1.Create ‘secrete.properties’ file in Root of The Project:
Paste your keys which you want to hide it from source code.
2.Then Go to App ‘build.gradle’ file
Then Write Above Code According To Your Requirement Above dependencies tag
After Write This Now Build The Project
Write Above code which You Want To Access The Keys Inside The Manifesto and Build Project.
That’s All Implementations Is Completed
3.How To Access the Keys Inside The project.
Above Figure Shows How to access the key inside the AndroidManifest.xml To Access the key we cant specify the key in build.gradle manifestPlaceHolder Tag else It will fails when you not mention in it.
The above fig shows the using the keys in side the java class
Thus We can Store The Key Securely And Access When We require.