Secure way of storing Secret credentials

Question

I have an android app, which I want to deploy for commercial use. I am using aws secret credentials, currently I have hardcoded it in the code.

Is there any safe way of deploying the Android app ,by passing credentials as external parameters. Just like what we do in server app, passing credentials as Environment variables.I don't want to have secret keys open in my code base.

I wanted to know if there is any way to do something similar in android app.

Answer 1

I would use the same principle of Environment variables but through Gradle.

The idea is that you should have a gradle.properties file in your User folder where Gradle can pickup properties from. This file, of course, will not be added to source control.

you can do something like this

~/.gradle/gradle.properties

projectAwsCred1=cred1
projectAwsCred2=cred2

build.gradle (app)

...
buildConfigField "String", "AWS_CRED_1", "\"projectAwsCred1\""
buildConfigField "String", "AWS_CRED_2", "\"projectAwsCred2\""

and then (after building) you can call it in your code like normal Build.AWS_CRED_1

This way your credentials will be baked in your app but only on build time. You will of course have to document this in a README so others (or future you) will know were o place the projectAwsCred* info.