In my app I am using many third-party APIs that require an API key and have quotas that I must not go over.
I am worried that someone decompiling my app would be able to see these keys and use them.
How can I keep them hidden?
I am using ProGuard for obfuscation.
As Mr. Hopkinson indicates, if your app is capable of passing the API key to the API, it is possible for somebody to obtain that key.
Ideally, the key would be tied to your app's signing key, as with many of Google's APIs (e.g., GCM, Maps V2), so that even if somebody obtained your API key, they could not use it as readily.
Beyond that, invest in DexGuard, the commercial extension to ProGuard that encrypts data in your app (resources, static strings, etc.). This can be broken, but it is tedious to do so. If the attacker really wants your API key, the attacker can get it. But, if this is more of a "casual" attack, the attacker may decide that it is not worth the effort and move on.
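To illustrate what "tied to your app's signing key" means on the API side, here is an added example (not part of the original answer, and not any vendor's actual implementation) of a backend that accepts a key only from a registered package and signing-certificate pair. The registry, the function names and all sample values are constructed, and it assumes the caller's package name and certificate fingerprint reach the server by some platform mechanism outside this sketch.

```python
import hashlib
import hmac

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()

# Constructed sample data: stand-ins for real DER certificates and a real API key.
RELEASE_CERT = b"constructed-release-certificate-bytes"
DEBUG_CERT = b"constructed-debug-certificate-bytes"
ATTACKER_CERT = b"constructed-attacker-certificate-bytes"
API_KEY = "EXAMPLE-KEY-0001"

# Hypothetical server-side registry: key -> (package, fingerprint) pairs allowed to use it.
RESTRICTIONS = {
    API_KEY: {
        ("com.example.app", cert_fingerprint(RELEASE_CERT)),
        ("com.example.app.debug", cert_fingerprint(DEBUG_CERT)),
    }
}

def is_allowed(api_key: str, package: str, presented_fp: str,
               restrictions=RESTRICTIONS) -> bool:
    """Fail closed: an unknown key, wrong package or wrong certificate is rejected."""
    allowed = restrictions.get(api_key)
    if not allowed:
        return False
    presented = normalize_fp(presented_fp).encode()
    ok = False
    for pkg, fp in allowed:
        # Check every entry with constant-time comparisons; package and
        # certificate must match as a pair, not independently.
        match = (hmac.compare_digest(pkg.encode(), package.encode())
                 & hmac.compare_digest(fp.encode(), presented))
        ok = ok or match
    return ok
```

A key extracted from the APK and replayed from an app signed with a different certificate fails the check, which is why a restricted key is less useful to whoever extracts it.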