2

I have used some third party API keys and my server URL's in my android app. As a known fact any one can easily reverse engineer the APK and may misuse the details.

I knew some ways to keep code secure

progaurd- obfuscation leaves the key strings, URLs untouched.

Keep credentials in native code.

Is there any other way to keep sensitive details like API keys and URLs safe??

Thanks in advance. Welcome for any kind of solutions.

Pushpa
  • 892
  • 1
  • 12
  • 30
  • 1
    best way is to store them on server and retrieve as you need them – raj Nov 25 '15 at 06:16
  • Thanks Raj. But what in case of no server. If I want to keep the data safe in code itself?? – Pushpa Nov 25 '15 at 06:20
  • Check [this](http://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/) out. Answers your exact question – makata Nov 25 '15 at 06:34
  • 1
    then keep data in encrypted form so that only your code can decrypt it – raj Nov 25 '15 at 06:56

4 Answers4

3

One possible solution is to encrypt that data in your app and use decryption at runtime when you want to use that data. I also recommend to use progaurd to make the decompiled app hard to read and understand. for example: 

// "the real string is: "mypassword" "; 
//encoded 2 times with an algorithm or you can encode with other algorithms too
public String getClientSecret() {
    return Utils.decode(Utils
            .decode("Ylhsd1lYTnpkMjl5WkE9PQ=="));
}

Decompiled source code of a proguarded app is this: 

 public String c()
 {
    return com.myrpoject.mypackage.g.h.a(com.myrpoject.mypackage.g.h.a("Ylhsd1lYTnpkMjl5WkE9PQ=="));
  }

At least it's complicated enough for me. this is the way I do when I have no choice but store a value in my application. Of course we all know It's not the best way but it works for me.

/**
 * @param input
 * @return decoded string
 */
public static String decode(String input) {
    // Receiving side
    String text = "";
    try {
        byte[] data = Decoder.decode(input);
        text = new String(data, "UTF-8");
        return text;
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    return "Error";
}

Decompiled version:

 public static String a(String paramString)
  {
    try
    {
      str = new String(a.a(paramString), "UTF-8");
      return str;
    }
    catch (UnsupportedEncodingException localUnsupportedEncodingException)
    {
      while (true)
      {
        localUnsupportedEncodingException.printStackTrace();
        String str = "Error";
      }
    }
  }

and you can find so many encryptor classes with a little search in google.

Milad Faridnia
  • 9,113
  • 13
  • 65
  • 78
  • 1
    I admit I'm using a similar approach, but at best will only slow down a hacker. It's pretty obvious it's encoded in base64 and a hacker can easily decode it. – David P Nov 25 '15 at 07:32
  • 1
    yea I'm totally agree with you. and because of that i mentioned you can use any other algorithm. i have used base 64 algo cause its easy to understand – Milad Faridnia Nov 25 '15 at 07:34
  • 1
    @Chicken however that's a good suggestion. so I edited my answer as well to make it more complicated ;) – Milad Faridnia Nov 25 '15 at 07:38
  • 1
    Ah true, fair enough. But yeah I'm doing the same thing, though still feel uneasy about it. There doesn't seem to be an actual way to guarantee a key is safe in the code :/ – David P Nov 25 '15 at 07:38
  • Of course, You are right :D – Milad Faridnia Nov 25 '15 at 07:39
  • Well, gave you an upvote as it's a better than nothing approach. And you can get creative to make it harder to decode :) – David P Nov 25 '15 at 07:41
  • 1
    Thanks, and I try to make my answer better and better ;) – Milad Faridnia Nov 25 '15 at 07:42
2

This is quite an open ended question and we can discuss as much as we can. All that will boil down to one thing: If you give your product to someone else then he/she can do any grade of reverse engineering. So the best way is to keep it at server and transfer with encryption. If you want to put it in your apk then best bet is to make it hard to read by obfuscating using proguard or dexguard etc.

rockfight
  • 1,916
  • 2
  • 20
  • 31
0

As rockflight said, perhaps it is so. You can try using this

Your (mobile or web) clients should never include the Secret for your Firebase. At some point somebody will reverse-engineer your code, extracts the Secret and with those be able to read/write all data in your Firebase database. The only thing you'll be able to do at that stage is revoke the Secret, which will make all clients fail.

Firebase hosting allows you to store static resources only. So while you can store your API keys on Firebase's hosting servers, it wouldn't help much for security. It will still be readable by everyone.

What you should instead be doing is using regular Firebase authentication in your clients.

Answer link : How can I securely store and retrieve API Keys for an android application (written in native Java) using Firebase Hosting?

Useful Links

https://www.firebase.com/docs/android/guide/user-auth.html

https://github.com/firebase/firebase-login-demo-android

Community
  • 1
  • 1
johnrao07
  • 6,690
  • 4
  • 32
  • 55
-1

I don't know if it's safe enough but you can use keepass and store those there. There are desktop app and mobile app too.

Reino P
  • 11
  • 4