How to hide API keys in Android application?

Nastro picture Nastro · Aug 3, 2019 · Viewed 8.4k times · Source

In my application I use google maps api key to communicate with google. I defined this MAP_KEY in gradle debug/release configuration like this:

debug {
            buildConfigField 'String', 'BASE_URL', '"https://myweb.com"'
            buildConfigField 'String', 'SOCKET_URL', '"https://socket.myweb.com"'
            buildConfigField 'String', 'MAP_KEY', '"azaS****Ds"'
        }

But If someone will download my app from google play store and decompile it he will get my API tokens. Is this true? If yes what is the way to hide api keys in my code?

Answer

M4HdYaR picture M4HdYaR · Aug 3, 2019

Short answer :

Obfuscate or Encrypt your google map API key according to Google Map Documentation :

On mobile apps that use Maps Web Service APIs, consider one or more of the following techniques to further safeguard your apps and API
keys:

  • Apply an API restriction on the API key. This action narrows the scope of the API key to the APIs you associate with the key.
    Obfuscate or encrypt the API key. This action complicates key
    scraping attempts directly from the application.

  • Use CA pinning or certificate pinning to verify the server resources are valid. CA pinning checks that a server's certificate was issued by a trusted certificate authority, and prevents Man-In-The-Middle attacks that could lead to a third party discovering your API key. Certificate pinning goes further by extracting and checking the public key included in the server certificate. Pinning is useful for mobile clients communicating directly with Google servers, as well as mobile clients communicating with the developer's own proxy server.

  • Use a proxy server.

You can use many encryption or obfuscation ways you can find easily with just a quick search, One common way is to base64 encoding the key in C++ as a library and to use it just call a function in your Java class, because C++ codes after compiling is more hard to decompile than your Java classes.

Tutorial of doing it with NDK

Long Answer: IT DEPENDS

You can not do anything in client side to proof your code against decompiling and specially make one hard coded string immune to get extracted.

So what you should do ?

It's a trade-off, at First you should see how much your Key is important for you, Who will try to access it and how much time it worth for him to put on hacking your app. With Encryption or obfuscation we just make it harder, So we need more professional person with more time to hack it(Basically with every layer of security we add to it we are doing that.)

If it's too secret and if It's leak will have cause many problem for you and it's critical you should store it in a server, Then you should request to that server and that server will do API call with your key Or with something like a JWT Token.

But in case of Google Map API as long as you monitor it and configure it correctly, leaking your key will not cause many problems for you.