6

What is the best place to store API keys, database encryption keys, etc. in the app code so that nobody can get them by decompiling the code? I used ProGuard to obfuscate the code, but it didn't work on Strings.

MobileAppDeveloper
    This question was [asked already](http://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android) – Dmitriy Apr 10 '16 at 17:16
  • Possible duplicate of [Best Practice for storing private API keys in Android](https://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android) – Suhaib Jun 30 '17 at 13:51

1 Answer

4

There is no way to store them in the app. The app can be decompiled or executed on a modified device which provides more access to the app's memory, or the app can be modified by the attacker to add additional logging of network or storage/database traffic, etc.

For authenticating to servers, your app should probably obtain auth tokens (or similar) by exchanging user-entered credentials for such auth tokens or by obtaining these auth tokens from AccountManager or similar APIs. You could also use SafetyNet Attest API (https://developer.android.com/training/safetynet/index.html) to attest to your servers that it is your app signed with your signing key which is making the request.

For database encryption, the app could generate a random encryption key on-device, either linked to user-entered credentials or stored in Android Keystore, or simply rely on the protections Android offers to apps. It depends on your threat model (i.e., why do you think you need to encrypt databases?).

Alex Klyubin
  • How does this prevent a rogue application from impersonating your app when talking to the server? – pete Jul 10 '17 at 17:33
  • Your server could require that all requests (or login requests or similar) contain a SafetyNet attest token/assertion. The server would then verify that (1) the attest token/assertion was indeed issued by Google's SafetyNet Attest infrastructure, and (2) extract package name + signing cert of the app from the token/assertion and check that they match your app. In essence, your server will be trusting that it is very very hard to mislead SafetyNet Attest infrastructure (both client- and server-side). – Alex Klyubin Jul 11 '17 at 17:48
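The answer's database-encryption suggestion (generate a random key on the device and keep it in Android Keystore instead of in the code) can look like the following. This is an added example, not code from the answerer or from any project: the class name `DbKeyVault` and the alias `db-wrapping-key` are hypothetical, and it assumes API level 23 or later, where `KeyGenParameterSpec` and the `AndroidKeyStore` provider are available. The Keystore-held AES key is non-exportable and only wraps a random database key; nothing secret is a string in the APK, so decompiling yields no key material.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper (not from the original answer): wraps a random database key
// with a non-exportable AES key that lives inside Android Keystore.
public final class DbKeyVault {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "db-wrapping-key"; // hypothetical alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12; // Keystore GCM uses a 96-bit IV

    private DbKeyVault() {}

    // Returns the wrapping key, generating it inside the Keystore on first use.
    // The key material never leaves the Keystore, so it cannot be read back by the app.
    private static SecretKey getOrCreateWrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Fresh 256-bit database key from the platform CSPRNG; generated on-device, never embedded.
    public static byte[] newRandomDbKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Encrypts the database key under the Keystore key. Output is IV || ciphertext+tag and
    // is safe to persist in app-private storage; without the Keystore key it is useless.
    public static byte[] wrapDbKey(byte[] dbKey) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateWrappingKey()); // Keystore picks a random IV
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(dbKey);
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }

    // Reverses wrapDbKey; GCM authentication fails loudly if the stored blob was tampered with.
    public static byte[] unwrapDbKey(byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateWrappingKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }
}
```

Typical use is to call `newRandomDbKey()` once at first launch, persist `wrapDbKey(key)` in app-private storage, and call `unwrapDbKey(blob)` whenever the database is opened. Consistent with the answer's caveat, this does not stop an attacker who controls a rooted device while the app is running: the unwrapped key is in process memory at that point. What it does remove is the static secret in the APK that decompilation would otherwise expose.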