Louis

Reputation: 416

Android - Best way to hide API clientId & clientSecret

I would like to have your opinion on the best way to hide an API key and secret key.

I found 2 ways:

I know that risk 0 does not exist, but what is the most secure solution?

Thanks in advance

Upvotes: 8

Views: 5995

Answers (4)

Ben-J

Reputation: 1125

To hide secret keys in an Android app, we have developed a free open source alternative to Dexguard. Our hidden-secrets-gradle-plugin uses the NDK and XOR operator to obfuscate keys to prevent reverse engineering.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details: https://github.com/klaxit/hidden-secrets-gradle-plugin

Upvotes: 4

Louie

Reputation: 149

If you are using OAuth to get a token, you can set up a server with the client id and client secret on your server. Your application gets the OAuth token from your server. This way you do not have to put the client id or client secret in the application that the user downloads and runs.

Upvotes: 0
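A minimal sketch of the server-side broker Louie describes, added here as an example (it is not code from the question or from any answer). The app talks only to the broker, which attaches the client credentials itself and keeps the refresh token on the server; the provider call is a constructed stub so it runs offline, and the credential values are placeholders.

```python
import os
import secrets
from typing import Callable, Dict

# Placeholder credentials (constructed); a real server loads them from its
# secret store. They are never compiled into the APK.
CLIENT_ID = os.environ.get("OAUTH_CLIENT_ID", "example-client-id")
CLIENT_SECRET = os.environ.get("OAUTH_CLIENT_SECRET", "example-client-secret")

def fake_provider_exchange(form: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the provider's token endpoint (normally an
    HTTPS POST); it only honours requests carrying the real client secret."""
    if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_client"}
    if form.get("grant_type") == "authorization_code":
        return {"access_token": "at-" + form["code"], "expires_in": "3600",
                "refresh_token": "rt-" + form["code"]}
    if form.get("grant_type") == "refresh_token":
        return {"access_token": "at2-" + form["refresh_token"], "expires_in": "3600"}
    return {"error": "unsupported_grant_type"}

class TokenBroker:
    """Keeps client credentials and refresh tokens on the server; the device
    only ever receives an access token and an opaque session id."""

    def __init__(self, exchange: Callable[[Dict[str, str]], Dict[str, str]]) -> None:
        self._exchange = exchange
        self._sessions: Dict[str, str] = {}  # session id -> refresh_token

    def _call(self, form: Dict[str, str]) -> Dict[str, str]:
        # The secret is attached here, server-side, never in the app.
        return self._exchange({**form, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})

    def exchange_code(self, code: str, redirect_uri: str) -> Dict[str, str]:
        resp = self._call({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri})
        if "error" in resp:
            return {"error": resp["error"]}
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = resp["refresh_token"]  # stays on the server
        return {"access_token": resp["access_token"], "expires_in": resp["expires_in"],
                "session": session_id}

    def refresh(self, session_id: str) -> Dict[str, str]:
        refresh_token = self._sessions.get(session_id)
        if refresh_token is None:
            return {"error": "invalid_session"}
        resp = self._call({"grant_type": "refresh_token", "refresh_token": refresh_token})
        return {k: v for k, v in resp.items() if k in ("access_token", "expires_in", "error")}
```

The device-facing responses contain no client secret and no refresh token, so extracting the APK yields nothing that lets a third party act as your OAuth client.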

Zohaib Hassan

Reputation: 984

The best way to secure the key is by not putting your keys in the app. For that purpose, if you are using a server that is highly secure (e.g. Amazon Server), then put your keys on the server and access them at run time. And also apply public/private encryption on both the app and server side.

But if you want to stay with the app then using "NDK" or using "Proguard" both are highly secure mechanisms on app level.

Upvotes: 0

jsc

Reputation: 178

The NDK seems like your best bet; although it is not 100% secure, it sure is hard to reverse engineer. The Gradle way doesn't seem secure at all.

For obfuscation and encryption purposes, you could also take advantage of DexGuard.

Upvotes: 5
