Menu
I have a Google MAPS API KEY which can easily be seen when you decompile my app by using reverse engineering. This is not good at all. Also, I am using a Weather API KEY in my source code accessing via string.
I found this website https://medium.com/@cassioso/a-strategy-to-secure-your-api-keys-using-gradle-b9c107272860
and wanted to ask you, if this article is recommended or do you have a better idea?
Does anyone have any experience concerning this issue?
I am using ProGuard, but ProGuard does NOT obfuscate AndroidManifest ( which is even not possible as far as I read ) and it also does not obfuscate any String API KEY ( I don't know why)
I don't have any experience with DexGuard.
Can you please tell me if this website is working or can you please give some more tips how to hide api keys in manifest and also in source code.
494
The only way to hide it is to proxy your request through your own server. Netlify Functions are a free way to add some simple backend code to a frontend app. This is this method I used while learning to program in college, where I needed to share my progress with my peer group without disclosing my API keys.
You generally don't need to hide the API key unless you are working with the above bold items in the Best Practice List.
There is no reason to hide your API key. They are parsed directly from the manifest. Was just going to comment, not answer, but comment was too long haha. so I guess I'll post as answer.
Why do you want to hide the API key? GMaps and Fabric and Firebase recommend you put directly into your Manfiest.
The website you posted simply puts it in the build.config file. You could also nest in environment variables and pull them in with Gradle, but what's the point. You are still pulling them into a file that will be generated and packaged with the APK. I'm happy to help you find a way to hide your keys, if you can explain your reasoning.
If it is really necessary you could always make it a remote API to pull first time and put in a DB and if it really needs to be secure you could use SQLCipher. Once stored you could load dynamically at runtime. I don't know how well this will work when the SDKs are parsing it from the manifest though.
It is common when you make an SDK to parse your key from the manifest file, so if it is intended to be loaded at runtime, the SDK would have to support that instead of relying on parsing it from the manifest.
So my recommendation is to leave it in manifest as normal visible API key. The package is unique to your app, the SDK will use the package and likely app secret with key nested in SDK to ensure all calls came from your app. So back to my original question. Why do you need to hide the API keys?
87
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
