This question already has answers here:
Best practice for storing and protecting private API keys in applications [closed]
(13 answers)
Closed 2 years ago.
I am working on project that have api (restful)
I use key in resful and use in app
But if anyone can decompile my app and see api key,so can hack my api
Is there way to protect api key or use api key without storing in app?
Generally Google stores keys into Android Manifest or string.xml (res files). Those two files can be decompiled like any other. I think KeyStore is generally good practice to store private keys, so please take a look at KeyStore class and how to use it.
Also you can find pretty good article on this subject on github
You cannot fully protect a static API key embedded in the app. Reverse engineering tools can easily extract it but you can make life more difficult and it will be a trade off between how valuable the data on your API is, how much time/effort you want to spend protecting it and how motivated the adversary is.
The keystore is useful for protecting dynamic session keys but not static API ones and is not hardware backed on many low end devices so check your customer base.
! Following is related to a commercial product !
Some key and API protection examples can be found here in addition to those linked to previously.
https://github.com/approov
Related
I have been doing some security testing on an Android app. One thing I am trying to wrap my head around is API key security; particularly google Places and Maps keys. There are lots of posts that talk about the options, namely compiling keys into source, placing them in resource files, compiling them into a shared library, etc. In my particular case, the Maps key is in the manifest file, and the Places key is in a shared library. I created a signed APK to test how hard it would be to obtain and use one of the keys. I did the following:
Reverse engineered the APK using apktool,
Opened the manifest and grabbed the Maps key,
Created a fake version of the application with the same package structure as the original containing an activity with a google map fragment,
Put the Maps key in the fake manifest,
Ran the application, which displayed the map
Then I:
Created a new class in the fake app with the same package and name as the original with code to load the shared library from /data/data/[package name],
Copied the the shared library from the reverse engineered APK to the /data/data/[package name] folder of the fake app,
Ran the fake app, which then printed out the Locations API key
So in the end, without much effort, I had both keys which I could then use in a fake version of the application.
I'm sure I must be missing something. It looks like the only option for Maps is to store the key in the manifest. What is stopping someone from doing what I did? Surely it can't just be indifference. I realize that someone would probably get caught if they tried to publish their app using a hijacked API key. However, someone could create an app and have people side load it. It would be a huge disruption for customers if the company had to change a hijacked key every time someone messed with it.
I believe you need to go through the Docs for Google API keys again. There seem to have something called restrictions that should be able to help with you ensuring that your Keys are protected and not used on some other application.
I believe that restrictions prevent a request from other domains you have not included from not being able to render.
API Key best practices
There are many way to keep your API key secure. Below links are explained that how to secure your keys.Depending on your use case you can follow one of them
Using Gradle
Using NDK
Using Server Call
This question already has answers here:
Best practice for storing and protecting private API keys in applications [closed]
(13 answers)
Closed 5 years ago.
After having researched the issue to great length, we have not found a valid solution for our situation.
We have API keys for external SDKs and APIs which we are using in our app.
This link says to bind your key to a signing certificate. This is great if you have your own SDK or API, but for external elements where you have to provide your assigned key as a parameter, this is not an option.
The following link does not apply to our situation.
Implementing (secure) Api Keys in an app
In addition, we have spent three days of trying different configurations as well as the ProGuard UI attempting to obfuscate our code using ProGuard without success.
We have also implemented AndroidManifest.xml key references, but they are clearly visible in a generated config.java class. Thus, this is also not a viable solution.
Securing source code is a minor priority. Our main concern is the security of the API keys.
Can anyone provide a possible solution? Is the DexGuard product a real solution when we cannot get ProGuard to work with a simple project?
You can always use firebase remote config
That way you also can change you key without the need of upgrade
Firebase Remote Config :
Mentions :
Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.
So, it would not be a good mechanism for storage of API keys
In my Android app, I make requests to my backend API and add a auth header value so that only my app can access my API data. I'm using OKHttp which makes it simple .addHeader("name", "value")
However, right now I'm simply hardcoding this header name and value in my Java file. It seems that people are able to decompile Android apps and will be able to see my auth header value.
Is there a way I can prevent this from happening?
This is a very discussed topic and it's always a tradeoff.
Some strategies are
Hardcoded in Java
In shared preferences, assets or resources folders
Using the NDK
Public/private API key exchange
Article's conclusion
What option you choose is probably going to be determined by how much control you have over the backend server. If you don’t have any control then you’re probably going to have to hide the API key using the NDK. If you do then we recommend the Public/Private encryption of the API key using nonces to prevent any replay attacks. In the next article we’ll look at the security implications of supporting earlier Android OS versions, as well as how some Android phones are more secure than others.
Subscribe to our Android Developer Newsletter
Join our Android Developers newsletter to get all the top developer news, tips & links once a week in your inbox
Full article
Possible duplicated question/answer
I upload my app which use in app purchases and everybody says be carefull with your lisence key how I can obfuscate it properly? The idea to have it in pieces and join it later in onCreate is not enough? Shall I put pieces of the key in Strings.xml?
The more you distribute key in time and space the harder it would be to replace it. Do not join it at a single place (onCreate) - distribute its pieces through the code. Make it hard to find pieces of your key in code - never store them as is but XORed with some value. It is more a security by obscurity - where and how you store key should be a secret. Use obfuscation.
Remember you protecting license key from replacement. Think how easy (fast) one can change key having sources of your application.
Also, modify source code dealing with a key, so it is unique for your app. For example Google in-app billing comes in sources and it is relatively easy to find one in decompiled sources to hack.
What is the best practice for an organization that will need to sign multiple Android apps?
Do we create one key and use that on all of the Android apps that we build? My initial thought is that this is a good approach.
Or, do we create a new key for each Android app?
Does anyone know how an organization like Google or Rovio handles this issue?
One of my clients uses a different key for each set of related apps. So apps that are usually used together share the same key, but unrelated apps have a different ones. They feel that segregating the keys this way is a good balance between ease of key management and minimizing exposure if a key ever gets disclosed (by a disgruntled employee, etc.).