This question already has answers here:
Best practice for storing and protecting private API keys in applications [closed]
(13 answers)
Closed 5 years ago.
After having researched the issue to great length, we have not found a valid solution for our situation.
We have API keys for external SDKs and APIs which we are using in our app.
This link says to bind your key to a signing certificate. This is great if you have your own SDK or API, but for external elements where you have to provide your assigned key as a parameter, this is not an option.
The following link does not apply to our situation.
Implementing (secure) Api Keys in an app
In addition, we have spent three days of trying different configurations as well as the ProGuard UI attempting to obfuscate our code using ProGuard without success.
We have also implemented AndroidManifest.xml key references, but they are clearly visible in a generated config.java class. Thus, this is also not a viable solution.
Securing source code is a minor priority. Our main concern is the security of the API keys.
Can anyone provide a possible solution? Is the DexGuard product a real solution when we cannot get ProGuard to work with a simple project?
You can always use firebase remote config
That way you also can change you key without the need of upgrade
Firebase Remote Config :
Mentions :
Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.
So, it would not be a good mechanism for storage of API keys
Related
This question already has answers here:
Best practice for storing and protecting private API keys in applications [closed]
(13 answers)
Closed 2 years ago.
I am working on project that have api (restful)
I use key in resful and use in app
But if anyone can decompile my app and see api key,so can hack my api
Is there way to protect api key or use api key without storing in app?
Generally Google stores keys into Android Manifest or string.xml (res files). Those two files can be decompiled like any other. I think KeyStore is generally good practice to store private keys, so please take a look at KeyStore class and how to use it.
Also you can find pretty good article on this subject on github
You cannot fully protect a static API key embedded in the app. Reverse engineering tools can easily extract it but you can make life more difficult and it will be a trade off between how valuable the data on your API is, how much time/effort you want to spend protecting it and how motivated the adversary is.
The keystore is useful for protecting dynamic session keys but not static API ones and is not hardware backed on many low end devices so check your customer base.
! Following is related to a commercial product !
Some key and API protection examples can be found here in addition to those linked to previously.
https://github.com/approov
In my Android app, I make requests to my backend API and add a auth header value so that only my app can access my API data. I'm using OKHttp which makes it simple .addHeader("name", "value")
However, right now I'm simply hardcoding this header name and value in my Java file. It seems that people are able to decompile Android apps and will be able to see my auth header value.
Is there a way I can prevent this from happening?
This is a very discussed topic and it's always a tradeoff.
Some strategies are
Hardcoded in Java
In shared preferences, assets or resources folders
Using the NDK
Public/private API key exchange
Article's conclusion
What option you choose is probably going to be determined by how much control you have over the backend server. If you don’t have any control then you’re probably going to have to hide the API key using the NDK. If you do then we recommend the Public/Private encryption of the API key using nonces to prevent any replay attacks. In the next article we’ll look at the security implications of supporting earlier Android OS versions, as well as how some Android phones are more secure than others.
Subscribe to our Android Developer Newsletter
Join our Android Developers newsletter to get all the top developer news, tips & links once a week in your inbox
Full article
Possible duplicated question/answer
I have downloaded an Android App source code from GitHub and converted into an apk file.
Looks like the Developer has used parse backed to store and retrieve data.
Is there a way where those DB authentication details are located so that I can replace with those keys with my keys and use my authentication details.?
Well, according to Parse, the keys are passed to Parse.initialize().
A search of the project shows that the developer, for whatever reason, calls Parse.initialize() in several places. You would have to ask the developer why that is the case.
And, in general, committing keys like this to a public place, like a GitHub repo, is not a particularly good idea. Perhaps it's not a huge issue for Parse — I am not a Parse user, so I do not know the rules regarding their keys.
I am new to Parse SDK. Is it safe to use Application ID and Client Key within the app? as reverse engineering the APK file might reveal the keys. Is there any other workaround to pull them in the Parse.initialize() function.
Like everything else contained in your APK it is only safe if you obfuscate your code. Make sure that you are using ProGaurd when you build your application and have configured it for gradle if you use Android Studio.
If you use ProGuard to obfuscate your code then you wont have to worry about people being able to unpack your APK and retrieve your Parse credentials.
If you want to test that your ProGaurd configuration is correct you can try and unpack your own APK to make sure everything is obfuscated and hidden as expected. This question will show you the process.
This is something that I have always asked myself. In addition to this you could also use a random keygen to connect to random parse database if you were trying to hack data. I tried to find the SO.com post about this but was unable to do so, regardless, I saw someone post that they had their key strings stored in AWS so that they werent in the APK package. In my opinion you shouldn't have to do this but whatever... Parse is pretty sweet when you cut back on development time and their online data portal is nice as well.
The apps we write will soon be enhanced by downloadable "packages" using the in-app purchase API. We would like therefore to start securing our content which we wish to allow the users to download/extract onto their memory card (so as to not use up internal memory for our large applications), however, we need to secure the files somehow so that they can't simply be taken from the SD.
Can anyone suggest some possible/simple/common techniques used to do so on Android?
You'll want to look into ProGuard, it's pretty well integrated with ADT. An easy way to get a good ProGuard config file is to create a new Android project in Eclipse, as the newer versions of ADT automatically make one for you. It is used when you right click the project and use Android Tools>Export
I'd think you'd probably want to generate a hash based on some unique device identifier and a strong key of your choosing. A unique identifier for the device can be generated using the technique discussed in this answer. Have the App transmit that hash to your server, and encrypt the package before (or as) it is sent to the user using this hash as a key. Your app will decrypt the data as it is read by generating the key on demand (the same way it was initially generated). Have a look at the MessageDigest class and the javax.crypto package in the API.