Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Where to store sensitive global information such as API keys in Android application?

Tags:

android

security

android-resources

I need to store some sensitive information in an Android application. If I put it in a resource file, it appears that it is trivial for another app to be able to browse and read that file simply by using PackageManager.getResourcesForApplication().

Where is the correct place to put information like this that we don't want people to be able to easily snoop?

Should it be in a compiled java file? Or are classfiles also easily readable? Also, if they're in java files, is it possible to reference them from XML files that need them (eg. for the google maps api key)?

like image 347
emmby Avatar asked Sep 17 '12 18:09

emmby

People also ask

Where should you store sensitive credentials like API keys?

Don't store your API key directly in your code. Instead, store your API key and secret directly in your environment variables. Environment variables are dynamic objects whose values are set outside of the application. This will let you access them easily (by using the os.

Where can we store sensitive data in Android?

In general sensitive data stored locally on the device should always be at least encrypted, and any keys used for encryption methods should be securely stored within the Android Keystore. These files should also be stored within the application sandbox.

Where should API keys be stored?

Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

2 Answers

Your APK will be retrieved from the device and torn apart anyway. (After all, some devices are rooted.) Whatever you hardcode there, no matter where, will be found and extracted. Of course, if the potential gain substantiates the effort. Otherwise, security by obscurity, such as obfuscation, may be the way to go.

Handling real secrets should be based on some sort of input, notably passwords.

Happily, API keys, if used as they are supposed to, are not necessarily a real secret.

like image 98
full.stack.ex Avatar answered Sep 20 '22 03:09

full.stack.ex

Google has some good recommendations on this under billing. To summarize: use remote server, obfuscate and use secure random nonces. Nothing is safe in your apk as it always can be reverse engineered and obfuscation only works against simple attacks.

like image 27
Warpzit Avatar answered Sep 23 '22 03:09

Warpzit
Sign in to Comment

Related questions

How to apply dynamic alpha mask to a Text on Android
Android - recover from low memory condition
Android APK's Silent Installation
Android developer console takes ages to update?
How to read csv file in android? [duplicate]
Video recording to a circular buffer on Android
Android - SQLite Cursor getColumnIndex() is case sensitive?
Gen folder is empty for Android project
adding dynamic view using WindowManager.addView
Android: Layout Files Margin/Padding Shortcuts
android "layout_alignParentBottom" in relative layout
How can I change the application package name for an Android app via command line
Android: Google SSO - OAuth or AccountManager? Or both?
Display paging control with white dots on the top android
How avoid returning to login layout pressing the back button/key?
How to convert 16-bit PCM audio byte-array to double or float array?
Android: NAT Traversal?
Take Picture without preview Android
Can't find suitable example for android 2d opengl sprite class which does not use GL11Ext for drawing
Maven build Android application - BuildConfig

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!