How to protect rapidapi secret key in Android apk package

Question

I am in the process of developing Python Kivy Application for Android device. In my application i am using RapidAPI key and host details to connect to API and fetch data which i am further using in my code.

Could you please let me know how i can protect my secret key when i package the application so that it does not get exposed.

Also i would like to know how i can get this secret key dependency removed from my code to make sure whenever i update or regenerate a new key that should not impact the already existing version of application that is published.

headers = {
    'x-rapidapi-host': "xxxrapidapi.com",
    'x-rapidapi-key': "xxx"
    }

Kindly help me suggest if there are any good approaches or best practices that i could.

Answer 1

You have to create your own API, or use some web service, which will expose your API key to your app. This way you can change your key on backend, without having to update your existing application. Therefor you will be able to regenerate the new key and change it in your service. However you have to implement this functionality by yourself, the frequency, how often the secret key would be requested from your backend, depends on you.

You have many options here, if you want to change your key often I recommend you to request for the secret key before each request to your Rapid API, or request it every time during the initialization of your app and store it in shared preferences storage. Using the latter option, the user will have to restart his application, for it to work again, if you regenerate the key, while he is using.