Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android - Best way to hide API clientId & clientSecret

I would like to have your opinion on the best way to hide an API key and secret key.

I found 2 ways :

  • Use NDK like that : https://medium.com/@abhi007tyagi/storing-api-keys-using-android-ndk-6abb0adcadad
  • Use Gradle like that : http://www.techjini.com/blog/securing-api-key-and-secret-key-in-android

I know that risk 0 does not exist but what is the most secure solution ?

Thank in advance

like image 595
Louis Avatar asked Jun 06 '17 17:06

Louis


2 Answers

The NDK seems like your best bet, although not being 100% secure, but it sure is hard to reverse engineer. The gradle way doesn't seem secure at all.

For obfuscation and encryption purposes, you could also take advantage of DexGuard.

like image 117
jsc Avatar answered Oct 06 '22 08:10

jsc


To hide secret keys in an Android app, we have developed a free open source alternative to Dexguard. Our hidden-secrets-gradle-plugin uses the NDK and XOR operator to obfuscate keys to prevent reverse engineering.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin

like image 2
Ben-J Avatar answered Oct 06 '22 06:10

Ben-J