
How To Secure API Keys And Data From Reverse Engineering In Android

by pratheep kanati

Securing API key and Data in Android

The Android world is really vast, with millions of users and over millions of apps on the Play Store, helping users do a variety of tasks, such as booking a flight ticket, ordering food, using a banking app to make transactions, making digital payments and not

The apps really make it easier for the user to work. But in order to build such great apps, they have to be integrated with various third-party APIs, libraries and internal APIs that require either an API key or a client secret to be sent on access.

Most of the time we check our code in to a shared or public repository, so how do we keep those keys secret? Do you hard-code them in the source code? Or keep them in a config file of values? If your answer is yes to either, then the next question is whether these keys or secrets are sufficiently safe. Remember, the keys are exposed and at potential risk, because the code will be committed.

Many tools can easily decompile your app by reverse engineering, even if you obfuscate it with ProGuard. Obfuscation only helps to some extent. We can't prevent reverse engineering 100 percent, so your keys and other data are easily exposed.

Is there a way to safeguard these secrets by not exposing them to the outer world? The answer is YES.

How, you wonder? Okay, let me walk you through the steps below.

Using a Gradle script in Android Studio, we can keep these secrets in a variable in the build environment, making sure that the secret is known only to the machine that creates the build, and inject these secrets at build time. Let's see how this is done.

1. Create a 'secrets.properties' file in the root of the project:

Paste in the keys that you want to hide from the source code.

TMDB_API_KEY=yourkeys
FACEBOOK_API_KEY=yourkeys
NEWS_URL=http://www.yoursite.com/?tag=jrntr
IMAGE_URL=http://www.yoursite.com/images/
ARTICLE_URL=http://www.yoursite.com/?url=

2. Then go to the app 'build.gradle' file

Then write the code below, according to your requirements, above the dependencies block.

// Each helper loads secrets.properties and returns one value from it.
// Note: new File('secrets.properties') is resolved relative to the working
// directory of the Gradle process.
static def getArticleUrl() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['ARTICLE_URL']
}

static def getTMDBApiKey() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['TMDB_API_KEY']
}

static def getFACEBOOKApiKey() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['FACEBOOK_API_KEY']
}

static def getNewsURL() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['NEWS_URL']
}

static def getImageURL() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['IMAGE_URL']
}

Then write the code below inside the debug and release blocks, as shown in the figure below.

After writing this, build the project.

buildTypes {
    release {
        minifyEnabled true
        shrinkResources true
        //proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        debuggable false
        jniDebuggable false
        renderscriptDebuggable false
        pseudoLocalesEnabled false
        zipAlignEnabled true
        buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
        buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
        buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
        buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
        buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
    }
    debug {
        buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
        buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
        buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
        buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
        buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
    }
}

Write the code below for the keys you want to access inside the manifest, then build the project.

defaultConfig {
    applicationId "com.pradeep.ntr"
    minSdkVersion 19
    targetSdkVersion 26
    versionCode 12
    versionName "2.1"
    testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
    multiDexEnabled true
    // Declare the key as a manifest placeholder so that AndroidManifest.xml
    // can reference it as ${FACEBOOK_API_KEY}
    manifestPlaceholders = [FACEBOOK_API_KEY: getFACEBOOKApiKey()]
    resConfigs "en"
}

That's all. The implementation is complete.

apply plugin: 'com.android.application'
apply plugin: 'org.greenrobot.greendao'

android {
    compileSdkVersion 26
    buildToolsVersion '27.0.2'
    defaultConfig {
        applicationId "com.pradeep.ntr"
        minSdkVersion 19
        targetSdkVersion 26
        versionCode 12
        versionName "2.1"
        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
        multiDexEnabled true
        // Placeholder referenced from AndroidManifest.xml as ${FACEBOOK_API_KEY}
        manifestPlaceholders = [FACEBOOK_API_KEY: getFACEBOOKApiKey()]
        resConfigs "en"
    }
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            //proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            debuggable false
            jniDebuggable false
            renderscriptDebuggable false
            pseudoLocalesEnabled false
            zipAlignEnabled true
            buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
            buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
            buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
            buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
            buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
        }
        debug {
            buildConfigField("String", "TMDB_API_KEY", "\"" + getTMDBApiKey() + "\"")
            buildConfigField("String", "FACEBOOK_API_KEY", "\"" + getFACEBOOKApiKey() + "\"")
            buildConfigField("String", "NEWS_URL", "\"" + getNewsURL() + "\"")
            buildConfigField("String", "IMAGE_URL", "\"" + getImageURL() + "\"")
            buildConfigField("String", "ARTICLE_URL", "\"" + getArticleUrl() + "\"")
        }
    }
}

// Helpers that read individual values from secrets.properties
static def getArticleUrl() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['ARTICLE_URL']
}

static def getTMDBApiKey() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['TMDB_API_KEY']
}

static def getFACEBOOKApiKey() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['FACEBOOK_API_KEY']
}

static def getNewsURL() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['NEWS_URL']
}

static def getImageURL() {
    Properties props = new Properties()
    props.load(new FileInputStream(new File('secrets.properties')))
    return props['IMAGE_URL']
}

dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
        exclude group: 'com.android.support', module: 'support-annotations'
    })
    ext {
        frescoVersion = '1.2.0'
    }
    compile files('libs/ViewpagerAnimation.jar')
    compile files('libs/YouTubeAndroidPlayerApi.jar')
    compile project(':frescoimageviewers')
    compile files('libs/jsoup-1.7.1.jar')
    compile project(':MaterialSearchView')
    compile project(':swipbacklib')
    compile 'com.nineoldandroids:library:2.4.0'
    compile 'com.squareup.picasso:picasso:2.3.2'
    compile 'com.daimajia.slider:library:1.1.5@aar'
    compile 'com.android.volley:volley:1.0.0'
    compile 'com.facebook.android:facebook-android-sdk:4.23.0'
    compile 'com.android.support:appcompat-v7:27.0.2'
    compile 'com.android.support:design:27.0.2'
    compile 'com.android.support:recyclerview-v7:27.0.2'
    compile 'com.android.support:support-v4:27.0.2'
    compile 'com.android.support:cardview-v7:27.0.2'
    compile 'com.android.support:customtabs:27.0.2'
}

uploadArchives.enabled = false
apply plugin: 'com.google.gms.google-services'

3. How to access the keys inside the project

The figure above shows how to access the key inside AndroidManifest.xml. To access the key there, it must be declared in the manifestPlaceholders entry in build.gradle; the build fails if it is not declared there.

The figure above shows how to use the keys inside a Java class.

// Field names must match the names passed to buildConfigField in build.gradle
String facebookKey = BuildConfig.FACEBOOK_API_KEY;
String tmdKey = BuildConfig.TMDB_API_KEY;
String imgURL = BuildConfig.IMAGE_URL;

Thus we can store the keys securely and access them when we require.
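
Values passed to buildConfigField are compiled into the generated BuildConfig class as string constants, and manifest placeholders are written into AndroidManifest.xml, so this setup keeps the keys out of the repository while they still ship inside the APK. The check below is an added example, not part of the original post: it scans a built APK for any value from secrets.properties. The function names, the stand-in archive and the key values are constructed for illustration.

```python
import io
import zipfile

MIN_LEN = 8  # ignore very short values that would match by chance

def load_properties(text):
    """Parse plain KEY=VALUE lines, the form secrets.properties uses above."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def find_embedded_secrets(apk_bytes, props):
    """Map each property name to the APK entries that contain its value."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)
            for name, value in props.items():
                # DEX strings are (M)UTF-8; binary manifests often use UTF-16.
                needles = (value.encode("utf-8"), value.encode("utf-16-le"))
                if len(value) >= MIN_LEN and any(n in data for n in needles):
                    hits.setdefault(name, []).append(entry)
    return hits

def build_sample_apk(dex_payload, manifest_payload):
    """Constructed stand-in for an APK: a zip holding two fake entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
        apk.writestr("AndroidManifest.xml", manifest_payload)
    return buf.getvalue()

# Constructed sample values, not real keys.
SAMPLE_PROPS = load_properties(
    "TMDB_API_KEY=constructed-tmdb-key-0001\n"
    "FACEBOOK_API_KEY=constructed-fb-key-0002\n"
)
SAMPLE_APK = build_sample_apk(
    b"\x19constructed-tmdb-key-0001\x00",
    "constructed-fb-key-0002".encode("utf-16-le"),
)

if __name__ == "__main__":
    for name, entries in find_embedded_secrets(SAMPLE_APK, SAMPLE_PROPS).items():
        print(f"{name}: found in {', '.join(entries)}")
```

Run against a release APK with the real secrets.properties, any hit is a value that anyone holding the APK can read.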

2 comments

ramya September 12, 2019 - 3:31 pm

Why not in gradle-properties? Why have you created a new file?

pratheep kanati September 13, 2019 - 4:52 pm

Yeah, you can create it.
