2

I have hardcoded string (APIkey) in my Java code (APK) but it can be easily decompiled by many tools. I know I can protect by encryption. But what if the hacker decompile my Java and find out the encryption and decryption code? Is there any better way to do that?

Cœur
  • 37,241
  • 25
  • 195
  • 267
Dilip Kumar
  • 51
  • 4
  • My be this question will help you http://stackoverflow.com/questions/30359439/how-can-i-securely-store-and-retrieve-api-keys-for-an-android-application-writt – Sandeep Feb 13 '16 at 09:43

1 Answers1

1

You should add your keys in build.gradle file. These files are not included in your apk. Infact these are just used to sign your application and create a release build. 

signingConfigs {
    release {
      storeFile file("../myapp.jks")
      storePassword "mypassword"
      keyAlias "My_App"
      keyPassword "mykeypassword"
    }
    debug {
      storeFile file('../debug.keystore')
      storePassword 'android'
      keyAlias 'androiddebugkey'
      keyPassword 'android'
    }
  }
  buildTypes {
    release {
      minifyEnabled false
      debuggable false
      proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
      signingConfig signingConfigs.release
    }
    debug{
      debuggable true
      minifyEnabled false
      signingConfig signingConfigs.debug
    }
  }
Damanpreet Singh
  • 726
  • 5
  • 8
  • Hi thanks for the reply. I think this should work but what if he debug the app and find out the data ? – Dilip Kumar Feb 13 '16 at 10:00
  • There is no way to get key and keypassword while debugging. The key and certificate are encrypted and stored in /data/misc/keystore. However, since they have been stored by the system, you don't have the permission to access or decrypt them. Additionally, there is no public API for this. If it helps please upvote and accept the answer :) – Damanpreet Singh Feb 13 '16 at 10:44