2

I am about to publish an Android app and during development I used some third party services that provided api keys in order to use their services. My question is, should I be concerned about how/where I place the api keys within the app?

I have created a Constants.class for the api keys, app id etc and I reference to the class within the app. I have seen some tutorials on Udacity where api keys were placed in gradle scripts -local,properties file, I havent really understood why and what is the best approach. Is it easy that someone can reverse engineer an app and access confidential information e,g the keys and abuse your account? I am relatively new to programming

Ndheti
  • 266
  • 3
  • 18
  • So Op should keep the keys in Android Manifest then – Tosin Onikute Aug 31 '16 at 00:27
  • Also see [this blog article](https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/). – Code-Apprentice Aug 31 '16 at 00:29
  • @HtmlTosin Nope, that's completely plain text. Can be read with less effort than with a decompiler – OneCricketeer Aug 31 '16 at 00:29
  • The most ideal so far is to store the API key in the backend because you can reset this keys without producing another APK update. Although you need to sacrifice a little bit of your app performance. – Enzokie Aug 31 '16 at 00:32
  • @Enzokie, what if i also need an API key to make request to my Backend for authentication ? Or are you referring to Device Local DB ? – Tosin Onikute Aug 31 '16 at 00:36
  • @HtmlTosin who will give that token? off course your own backend. Similar thing if you build a login form, you'll wait for your backend to give an access token but you do not need to have a service token. – Enzokie Aug 31 '16 at 00:39
  • The purpose of service token/API key is to give the 3rd party to have an access in your own server. If you implement a service token/API key even if you are an owner, thats kinda odd design. – Enzokie Aug 31 '16 at 00:44

0 Answers0