Hide your production API key or any sensitive data in Android
Hi everyone,
In this article, we are going to learn how to hide a production API key or any other sensitive data that ships with the app. Every application uses sensitive data such as an API key, app ID or secret key. As we know, this data is very sensitive for our app's security, so we do not want to expose it to others. We can use it locally to build, but we do not want to expose it in any public repository, or to any tool that helps recover this data by reversing the code from the APK file.
Let's learn about this and which approaches we can use to make this secure.
1. Put your secrets in the gradle.properties file and build the project to use them via BuildConfig
This is a very old approach to using secrets in an app without exposing them. We just need to put our API key in a variable inside the gradle.properties file.
Now set the variable in build.gradle to access it in an activity or fragment. Add the code below to buildTypes {}.

    // MY_API_KEY is read from gradle.properties. Because the field type is String,
    // the property value itself must include the double quotes.
    buildTypes.each {
        it.buildConfigField 'String', 'AP_KEY', MY_API_KEY
    }

Once your project builds successfully, you can access the key like this:

    BuildConfig.AP_KEY
Note: This approach only keeps the API key out of version control. Someone who has your app can still run a decompiler on it and view the key.
2. Put your secrets in the local.properties file and use the Secrets Gradle plugin
This is one approach we can use to avoid sharing our secret information with others while making sure it is ignored by the version control system. The local.properties file needs to be listed in the .gitignore file so that it is not tracked by Git or any other version control. Just open the .gitignore file and check that it is listed there.
Now we need the Secrets Gradle plugin to use the API key. Please add this plugin to your project's root build.gradle file.

    buildscript {
        dependencies {
            // Inside buildscript, a plugin is declared by its classpath coordinates
            classpath "com.google.android.libraries.mapsplatform.secrets-gradle-plugin:secrets-gradle-plugin:2.0.1"
        }
    }
And now you need to add the plugin in the app-level build.gradle file.

    plugins {
        ...
        id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin'
    }
OK, all done. Now you can use this API key in your Android manifest file, or read it programmatically through the package manager in any class.

    <application
        android:allowBackup="true"
        ..... >
        <activity>
            ....
        </activity>
        <!-- android:name can be anything you need;
             android:value uses the name you gave inside your local.properties file -->
        <meta-data
            android:name="MY_API_KEY_NAME"
            android:value="${MY_API_KEY}" />
    </application>
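Or we can use the package manager to access it from any file.

    import android.content.pm.ApplicationInfo
    import android.content.pm.PackageManager

    // Read the <meta-data> entry declared in the manifest
    val applicationInfo: ApplicationInfo = application.packageManager
        .getApplicationInfo(application.packageName, PackageManager.GET_META_DATA)
    val apiKey = applicationInfo.metaData["MY_API_KEY_NAME"]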
Note: This approach only keeps the API key out of version control. Someone who has your app can still run a decompiler on it and view the key.
To avoid this issue, there are many ways to handle it. For example, we can store the API key in GitHub secrets, save it on a server, or keep it in a local file, encrypting the content with a Gradle task and restoring the file at runtime to use it. That is all.
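The caveat in both notes above can be checked on your own build output before release. The script below is an added example, not code from the original article: it searches every entry of an APK for a key you already hold, in the two encodings string literals usually take there. The key value and the in-memory sample APK are constructed, and the file name check_apk.py is an assumption.

```python
import io
import os
import sys
import zipfile


def key_encodings(secret):
    """Byte forms an ASCII string literal takes inside an APK."""
    return {
        "utf-8": secret.encode("utf-8"),         # classes.dex string data
        "utf-16le": secret.encode("utf-16-le"),  # binary XML / resource string pools
    }


def find_secret_in_apk(apk, secret):
    """Return (entry name, encoding) for every APK entry containing the secret."""
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # zipfile decompresses each entry
            for enc, needle in key_encodings(secret).items():
                if needle in data:
                    hits.append((info.filename, enc))
    return hits


SAMPLE_KEY = "EXAMPLE-not-a-real-key-123"  # constructed value


def build_sample_apk(secret):
    """Constructed stand-in for an APK: real zip layout, fake entry contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00AP_KEY\x00" + secret.encode() + b"\x00")
        zf.writestr("AndroidManifest.xml",
                    "MY_API_KEY_NAME".encode("utf-16-le") + secret.encode("utf-16-le"))
        zf.writestr("res/raw/notes.txt", b"nothing sensitive")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: MY_API_KEY=... python check_apk.py app-release.apk
    # With no arguments, the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        apk, secret = sys.argv[1], os.environ["MY_API_KEY"]
    else:
        apk, secret = build_sample_apk(SAMPLE_KEY), SAMPLE_KEY
    found = find_secret_in_apk(apk, secret)
    for name, enc in found:
        print(f"key present in {name} ({enc})")
    sys.exit(1 if found else 0)
```

A clean result only rules out the literal key in these two encodings; a key that is split, encoded or placed in native code needs its own check.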
I am a very enthusiastic Android developer who builds solid Android apps. I have a keen interest in developing for Android and have published apps to the Google Play Store. I am always open to learning new technologies. For any help, drop us a line anytime at contact@mobologicplus.com