Where to store sensitive global information such as API keys in Android application?

Question

I need to store some sensitive information in an Android application. If I put it in a resource file, it appears that it is trivial for another app to be able to browse and read that file simply by using PackageManager.getResourcesForApplication().

Where is the correct place to put information like this that we don't want people to be able to easily snoop?

Should it be in a compiled java file? Or are classfiles also easily readable? Also, if they're in java files, is it possible to reference them from XML files that need them (eg. for the google maps api key)?

Answer 1

Google has some good recommendations on this under billing. To summarize: use remote server, obfuscate and use secure random nonces. Nothing is safe in your apk as it always can be reverse engineered and obfuscation only works against simple attacks.

Answer 2

if you just want to deny access to your data from other applications, you can use SharedPreferences. Just use Contex.getSharedPreferences(/prefs file name/, Context.MODE_PRIVATE); According to documentation MODE_PRIVATE means that the created file can only be accessed by the calling application (or all applications sharing the same user ID).

Answer 3

Your APK will be retrieved from the device and torn apart anyway. (After all, some devices are rooted.) Whatever you hardcode there, no matter where, will be found and extracted. Of course, if the potential gain substantiates the effort. Otherwise, security by obscurity, such as obfuscation, may be the way to go.

Handling real secrets should be based on some sort of input, notably passwords.

Happily, API keys, if used as they are supposed to, are not necessarily a real secret.