Alysson Cirilo
Reputation: 21
Are the repository credentials defined in gradle stored somewhere in the generated APK?
Suppose we have the following repository definition in gradle
repositories {
maven {
url 's3://my-top-secret-repo/releases'
credentials(AwsCredentials) {
accessKey 'MY_TOP_SECRET_ACCESS_KEY'
secretKey 'MY_TOP_SECRET_SECRET_KEY'
}
}
}
My question is, is there some way to someone reverse engineer the generated android APK and discover MY_TOP_SECRET_ACCESS_KEY and MY_TOP_SECRET_SECRET_KEY?
Upvotes: 2
Views: 106
Answers (1)
ChristianB
Reputation: 2690
Gradle build configurations are not stored in an apk. The build tool (in this case Gradle) uses this configuration to fetch the dependencies and build the apk including the .class files from those dependencies.
But you should pay attention when you store passwords in Java/Kotlin files as strings. These can be reversed engineered for sure.
Upvotes: 1
Related Questions
- Where to put Gradle configuration (i.e. credentials) that should not be committed?
- Android - excluding an api key from github, where to store the api key in code?
- Where does Android studio store git passwords?
- Where are the Android Gradle repository URLs defined?
- Gradle plugin to read secret (api-key, password) properties (like buildConfigField from Android plugin)
- Same credentials for all repositories in Gradle
- Repository credentials work if they're hardcoded, but not if they're from gradle.properties
- is keystore information really in the project files?
- Gradle transitive repositories and credentials
- What is the best way to read in gradle repository credentials from a properties file?