Blog Infos
Author
Published
Topics
Published
Topics

Photo by Oleg Didenko on Unsplash

 

You are using a version control system and your project uses some services that require API keys. Everything is all good and well when it is on your local machine, but you obviously don’t want to share these API keys with the world.

How can we still preserve our API keys within our application, but also hide them when we upload our code to our repository?

We want to be able to still use our API keys in a normal fashion inside our applications, but also not expose them.

That’s where secrets come in. Similar to those that you keep only to yourself, but in a developer kind of way.

Secrets can represent crucial information that is required by your application to operate, but should not be visible to anyone working outside the project. These can be API keys or authorization tokens, but in essence it is any piece of authorization information that should only be used by you and you alone. Similar to how you don’t want to share your password to a website with anyone else.

🚨 Disclaimer: Be aware that the solution provided in this article works for not exposing your secrets from your version control system, but since they are part of your application, they can still be discovered by decompiling your APK. To find out how to do that, here is a good starting point.

Keeping Your Secrets Safe
  1. In your project, you should have a local.properties file under the root directory of your project
  2. To make sure it is ignored by your version control system, open the .gitignore file and see it is found there:

 

Part of .gitignore file

 

3. You will need to import to your project the Secrets Gradle plugin:

3.1. Go to your project’s root build.gradle file and paste in the following line:

 buildscript {
    dependencies {
        id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin' version '2.0.1' apply false
    }
}

 

Job Offers

Job Offers

There are currently no vacancies.

OUR VIDEO RECOMMENDATION

, ,

Hacking and protection of Mobile Apps and backend APIs. Threat modeling exercise.

You should attend this talk if you want to know how mobile apps & APIs are being hacked and what you need to do to protect them. We will explore large-scale attacks targeting backend APIs…
Watch Video

Hacking and protection of Mobile Apps and backend APIs. Threat modeling exercise.

Tomáš Soukal
Security Consultant
Talsec

Hacking and protection of Mobile Apps and backend APIs. Threat modeling exercise.

Tomáš Soukal
Security Consultant
Talsec

Hacking and protection of Mobile Apps and backend APIs. Threat modeling exercise.

Tomáš Soukal
Security Consultant
Talsec

Jobs

3.2. Go to your app’s build.gradle file and paste in the following line:

plugins {
    ...
    id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin'
}

4. Add your API key inside the local.properties file:

local.properties

 

5. You can use your secret inside your AndroidManifest.xml file by adding a meta-data tag inside your application tag:

 <application
        android:allowBackup="true" 
        .....
                                     >
    <activity>
      ....
    </activity>
      <meta-data
            android:name="YOUR_API_KEY_NAME"     /// Choose any value here
            android:value="${API_KEY_NAME}"/>    /// Write the name you gave inside your local.properties file
</application>

6. To access your API key, you can use the PackageManager to get the meta data:

val applicationInfo: ApplicationInfo = application.packageManager
                .getApplicationInfo(application.packageName, PackageManager.GET_META_DATA)
val apiKey = applicationInfo.metaData["YOUR_API_KEY_NAME"]

7. Alternatively, you can also use the BuildConfig object to get it:

BuildConfig.YOUR_API_KEY_NAME

That’s it. Now you can rest easy knowing that your secrets won’t be exposed by your version control system.

Enjoy keeping your secrets ㊙️

I used this on one of my recent projects, and you can see the source code (sans the secrets) here:

This article was originally published on proandroiddev.com on January 15, 2023

YOU MAY BE INTERESTED IN

YOU MAY BE INTERESTED IN

blog
This tutorial is the second part of the series. It’ll be focussed on developing…
READ MORE
blog
We recently faced a problem with our application getting updated and reaching slowly to…
READ MORE
blog
A few weeks ago I started with a simple question — how to work…
READ MORE
blog
One of the main functions of a mobile phone was to store contacts information.…
READ MORE
Menu