Reputation: 589
Secure way of storing Secret credentials
I have an android app, which I want to deploy for commercial use. I am using aws secret credentials, currently I have hardcoded it in the code.
Is there any safe way of deploying the Android app ,by passing credentials as external parameters. Just like what we do in server app, passing credentials as Environment variables.I don't want to have secret keys open in my code base.
I wanted to know if there is any way to do something similar in android app.
Upvotes: 5
Views: 3258
Answers (4)
Reputation: 921
Here is what I did with mine.
First, I created a global gradle.properties file under ~\.gradle. Note that it's in my user folder, not the project's root directory, because that one must be included in git.
Then, I wrote my key there like this:
apiKey=83hfidf8uf
In my app module's build.gradle.kts:
I referenced the key by using this property delegate:
val apiKey: String by project
Note that the gradle.properties key and the build.gradle.kts variable name must be the same.
Then, I added this to my defaultConfig
buildConfigField("String", "API_KEY", apiKey)
Then, I added this to my buildFeatures
buildConfig = true
Then, I reference it in my source code like this
BuildConfig.API_KEY
Upvotes: 0
Reputation: 589
I found out the following method to pass creds as Envirnoment Variables to apk while building. These will be stored as build variable.
In your project directory create a gradle.properties file and add your credentials:
AWS_CRED=aws_cred
In your gradle build file, under android add the following:
android {
defaultConfig{
manifestPlaceholders=[AWS_CRED:AWS_CRED]
}
}
What this does is, it will pass the build variables to your android manifest. Now go to AndroidManifest.xml and under the tag add the following:
<application
<meta-data
android:name="AWS_CRED"
android:value="${AWS_CRED}" />
</application>
Now access the value of in any java code, as below:
applicationInfo = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), PackageManager.GET_META_DATA);
This method worked for me, Please comment if anyone knows a better way to do it.
Upvotes: 0
Reputation: 1231
I would use the same principle of Environment variables but through Gradle.
The idea is that you should have a gradle.properties file in your User folder where Gradle can pickup properties from. This file, of course, will not be added to source control.
you can do something like this
~/.gradle/gradle.properties
projectAwsCred1=cred1
projectAwsCred2=cred2
build.gradle (app)
...
buildConfigField "String", "AWS_CRED_1", "\"projectAwsCred1\""
buildConfigField "String", "AWS_CRED_2", "\"projectAwsCred2\""
and then (after building) you can call it in your code like normal Build.AWS_CRED_1
This way your credentials will be baked in your app but only on build time. You will of course have to document this in a README so others (or future you) will know were o place the projectAwsCred* info.
Upvotes: 6
Reputation: 903
There are several methods to do this depending on your setup. Probably the most secure method would be to have your application instances assume a role with the permissions that are needed so you don't need to store your credentials at all.
Further reading should be enough to get you started: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
Upvotes: 0
Related Questions
- Android: Storing username and password?
- How to securely store credentials (password) in Android application?
- Saving credentials in my app with Firebase UI
- Using Firebase Authentication but need to improve security
- Storing secrets and credentials inside of an Android App
- Storing credentials in the Android app
- Securely store Android Firebase Auth users in a MySQL database
- Android login and storing with firebase
- Storing username and password in Android app
- Securely storing credentials