How to secure Fabric API Key from APK decompilation?

Question

While decompiling my android app APK file, I have found the fabric ApiKey key in manifest file. How to secure Fabric API Key from APK decompilation?

I have done following code changes for hiding Fabric API key from manifest file. But still it is visible after APK decompilation.

I added my fabric API key

FabricAPIKey=0123456789ABCDEF012345123456789ABCDEF012 in gradle.properties.

In build.gradle(Module)

...........
def FABRIC_API_ID = FabricAPIKey

    .....
    buildTypes {
            debug {
                ..........
                manifestPlaceholders  = [//this is used for defining the variable for manifest file
                    FABRIC_API_KEY:FABRIC_API_ID
                 ]
            }
    release{ ..........
                manifestPlaceholders  = [//this is used for defining the variable for manifest file
                    FABRIC_API_KEY:FABRIC_API_ID
                 ]
            }

And in AndroidManifest.xml

<meta-data
            android:name="io.fabric.ApiKey"
            android:value="${FABRIC_API_KEY}" />

Answer 1

Mike from Fabric here. Seva's point should be well noticed - "a sufficiently motivated hacker can eventually get to it, given a debugger and enough time".

If you want, you can place the API key and Build secret in a fabric.properties file. Copy your api key out of your android manifest, and delete the line that reads: <meta-data android:name="com.crashlytics.ApiKey" android:value="YOUR_API_KEY_HERE"/>

Then make a file called fabric.properties and place this folder in the root of the module that applies crashlytics in its' build.gradle In the fabric.properies file, add:apiKey=YOUR_API_KEY_HERE

Once that's complete, refresh your dependencies to pull in the change: ./gradlew clean --refresh-dependencies

Answer 2

Try to save that in strings.xml and refer that here.

Then manifest will only show resource id in int format.

But if you open the strings.xml file it will be retrieved.