Reputation: 141
I use Yandex and Google Translate in my application and of course have a unique API key, but anyone can steal it by decompiling my application. How can I hide it?
Upvotes: 4
Views: 289
Reputation: 13009
While you may not be able to achieve 150% security, you may want to take steps in your app to slow possible attackers down. This will result in some of them turning away from exploiting your application, simply because it is not worth the effort.
The OWASP Mobile Security Project has published their collection of "Top Ten Mobile Risks", of which especially the topics "Broken Cryptography" and "Lack Of Binary Protections" are interesting in your case. While even this link does not provide you with a simple "how to", I think it can help you to assess your situation.
Upvotes: 1
Reputation: 6724
If I were you, I would rent a server (maybe Amazon), create a database, and insert our API key with a simple encrypted string (hash etc.).
ID - Name - androidKey - key
1 - GoogleAPI - AJKBSASHUA9 - yourAPIKey
2 - YandexAPI - 5A6S5D6A53C - yourAPIKey
...
Then you can create a service which is run by your Android packageName:
http://example.com/API/getAPIKey/?packageName="yourPackageName"&androidKey="AJKBSASHUA9"
And if you use the POST method, it is safe for you.
Upvotes: 1
Reputation: 12605
Simply put, you can't do that inside your APK at all or inside the application. If someone wants to get it, they will get it.
And why would you hide them in the first place? They are assigned with the SHA1 fingerprint of your [Release|Debug] keystore and your package name, and no one can have your release keystore and its password.
Upvotes: 1
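A pre-release check for the exposure this thread discusses, as an added example that is not code from any of the posters: it scans every entry of your own APK for strings shaped like the keys in question. The Google `AIza` + 35 characters shape is widely documented, the Yandex Translate `trnsl.1.1.` shape is an assumption, and the sample APK and both keys are constructed.

```python
import io
import re
import zipfile

# Key shapes to look for. The Google "AIza" + 35 characters shape is widely
# documented; the Yandex Translate "trnsl.1.1." shape is an assumption here.
PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "yandex_translate_key": re.compile(
        rb"trnsl\.1\.1\.\d{8}T\d{6}Z\.[0-9a-f]{16}\.[0-9a-f]{40}"),
}


def scan_apk(apk_bytes):
    """Return sorted (entry, kind, key) tuples for key-shaped strings in an APK."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            raw = apk.read(name)
            # classes.dex stores ASCII strings as plain bytes; resources.arsc may
            # use UTF-16LE, so also scan a copy with the NUL bytes removed.
            for view in (raw, raw.replace(b"\x00", b"")):
                for kind, pattern in PATTERNS.items():
                    for m in pattern.finditer(view):
                        hits.add((name, kind, m.group().decode("ascii")))
    return sorted(hits)


def build_sample_apk():
    """Constructed stand-in for a release APK (not a real app, not real keys)."""
    google = "AIza" + "X" * 35
    yandex = "trnsl.1.1.20200101T000000Z." + "0" * 16 + "." + "f" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + google.encode() + b"\x00")
        z.writestr("resources.arsc", b"\x02\x00" + yandex.encode("utf-16-le"))
        z.writestr("AndroidManifest.xml", b"no secrets in this entry")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, key in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} {key[:8]}...")
```

Any hit on a release build means the key ships in readable form, so it should be treated as public when deciding how to restrict it.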