Blnpwr

Reputation: 1875

Hide API Key in Manifest and in source code android

I have a Google MAPS API KEY which can easily be seen when you decompile my app by using reverse engineering. This is not good at all. Also, I am using a Weather API KEY in my source code accessing via string.

I found this website https://medium.com/@cassioso/a-strategy-to-secure-your-api-keys-using-gradle-b9c107272860

and wanted to ask you, if this article is recommended or do you have a better idea?

Does anyone have any experience concerning this issue?

I am using ProGuard, but ProGuard does NOT obfuscate the AndroidManifest (which is not even possible, as far as I read), and it also does not obfuscate any String API KEY (I don't know why).

I don't have any experience with DexGuard.

Can you please tell me if this website's approach is working, or can you please give some more tips on how to hide API keys in the manifest and also in source code?

Upvotes: 11

Views: 4833

Answers (1)

Sam

Reputation: 5392

There is no reason to hide your API key. They are parsed directly from the manifest. I was just going to comment, not answer, but the comment was too long, haha, so I guess I'll post it as an answer.

Why do you want to hide the API key? GMaps, Fabric and Firebase recommend you put it directly into your Manifest.

The website you posted simply puts it in the build.config file. You could also nest them in environment variables and pull them in with Gradle, but what's the point? You are still pulling them into a file that will be generated and packaged with the APK. I'm happy to help you find a way to hide your keys if you can explain your reasoning.

If it is really necessary, you could always make it a remote API call to pull the key the first time and put it in a DB, and if it really needs to be secure you could use SQLCipher. Once stored, you could load it dynamically at runtime. I don't know how well this will work when the SDKs are parsing it from the manifest, though.

It is common when you make an SDK to parse your key from the manifest file, so if it is intended to be loaded at runtime, the SDK would have to support that instead of relying on parsing it from the manifest.

So my recommendation is to leave it in the manifest as a normal, visible API key. The package is unique to your app; the SDK will use the package and likely an app secret with the key nested in the SDK to ensure all calls came from your app. So back to my original question: why do you need to hide the API keys?

Upvotes: 9
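The Gradle approach the answer describes (keys kept out of the source tree and injected at build time into the manifest and BuildConfig), as an added example that is not from the question, the answer or the linked article; the property names `MAPS_API_KEY` and `WEATHER_API_KEY` are assumptions:

```groovy
// app/build.gradle (Groovy DSL). Added illustration; property names are assumed.
// local.properties is git-ignored by default in Android Studio projects, so the
// keys stay out of version control. They still land in the built APK (in
// AndroidManifest.xml and BuildConfig), so this limits exposure in the
// repository, not in the shipped binary, exactly as the answer points out.
def localProps = new Properties()
def localPropsFile = rootProject.file("local.properties")
if (localPropsFile.exists()) {
    localPropsFile.withInputStream { localProps.load(it) }
}
// Fall back to environment variables (useful on CI), then to an empty string so a
// missing key surfaces as a clear API error at runtime rather than a build failure.
def mapsKey = localProps.getProperty("MAPS_API_KEY") ?: System.getenv("MAPS_API_KEY") ?: ""
def weatherKey = localProps.getProperty("WEATHER_API_KEY") ?: System.getenv("WEATHER_API_KEY") ?: ""

android {
    buildFeatures {
        // BuildConfig generation is off by default in recent AGP versions.
        buildConfig = true
    }
    defaultConfig {
        // Substituted into <meta-data android:value="${MAPS_API_KEY}"/> in the manifest.
        manifestPlaceholders = [MAPS_API_KEY: mapsKey]
        // Available in code as BuildConfig.WEATHER_API_KEY instead of a hard-coded literal.
        buildConfigField "String", "WEATHER_API_KEY", "\"${weatherKey}\""
    }
}
```

Because the key is still recoverable from the APK, the control that actually limits misuse is restricting the Maps key to the app's package name and signing-certificate fingerprint on the API provider's side, which is the package-based check the answer refers to.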
