Hide your production API key or any sensitive data in Android

Sharing is caring!

Hi everyone,

In this article, we are going to learn how to hide the production API key or any sensitive data to share with the app. In every application, we used many sensitive data like API key or app id or secret key to use in our app.  As we know this information/data is very sensitive for our app security. So we do not want to expose the API to others. We can use them locally to build but do not want to expose them in any public repository or any tool to help to get these data from reversing the code from the apk file.

Let’s learn about this and what approaches we can use to make this secure.

 1. Put your secrets in gradle.properties file and build the project to use byBuildConfig

As this very old approach to use our secrets in our app to hide to expose. We just need to our api key in a variable inside the gradle.properties.

Now set variable in build.gradle to access it in activity or fragment. Add below code to buildTypes {}.

buildTypes.each {
    it.buildConfigField 'String', 'AP_KEY', MY_API_KEY
}

Now you can access this key from once your project build successfully. You can get access like this.

BuildConfig.AP_KEY

Note: This approach is only not to expose the API key from version control to hide but still someone can find out to use your app and do the Decompiler to allow to view.

 

2. Put your secrets in local.propertiesfile and use Secrets Gradle plugin

This is one approach we can use to not share our secret information with others and also make sure it is ignored by your version control system. We need to add this file in the .gitignore file to not track by a git or any version control. Just open the .gitignore file and see it is found there.

Now we need to use the secret gradlle plugins to use you api key. Please add this plugin to your project’s root build.gradle file.

buildscript {
dependencies {
id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin' version '2.0.1' apply false
}
}

And now you need to add the plugin in app level build.gradle file.

plugins {
    ...
    id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin'
}

Ok all done, Now you can use this api key in your Android Manifest file or by program to get from package manager to use in your any class.

 <application
        android:allowBackup="true" 
        .....
                                     >
    <activity>
      ....
    </activity>
      <meta-data
            android:name="MY_API_KEY_NAME"     /// name coould be anything as per your need
            android:value="${MY_API_KEY}"/>    /// Write the name you gave inside your local.properties file
</application>

Or we can use package manger to get access from any file.

val applicationInfo: ApplicationInfo = application.packageManager
                .getApplicationInfo(application.packageName, PackageManager.GET_META_DATA)
val apiKey = applicationInfo.metaData["MY_API_KEY_NAME"]

Note: This approach is only not to expose the API key from version control to hide but still someone can find out to use your app and do the Decompiler to allow to view.

To avoid this issue, there are many ways to handle it for example we need to store the api key on Github secrets or save on server or use local file to encrypt the content at runtime by using gradle task and restore the file to use. That is all.

 

0 0 votes
Article Rating
Hide your production API key or any sensitive data in Android
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
Scroll to top
0
Would love your thoughts, please comment.x
()
x