In the Android Manifest, rather than setting the android:value to R.string.value, is it possible to reference the string from a static string/native string within a java class? If so, how would I do that?

My purpose for asking is because I wanted to know if there was a way to further secure the app from reverse engineering or hacking by hiding the string "keys" for various libraries in static references.

Steve C.
  • no it is not possible – Blackbelt Nov 28 '16 at 11:51
  • @Blackbelt ok thank you – Steve C. Nov 28 '16 at 11:53
  • Related - http://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android – OneCricketeer Nov 28 '16 at 11:54
  • http://stackoverflow.com/questions/17197636/is-it-possible-to-declare-a-variable-in-gradle-usable-in-java – RDY Nov 28 '16 at 11:56
  • @cricket_007 That works for obfuscating the code itself but other than a paid service, it doesn't provide security of sensitive strings. I'm already using proguard but even with that, the "key" string values for various libraries are still visible with a decompiler. – Steve C. Nov 28 '16 at 11:59
  • @RDY Although that does provide an alternate way to reference strings in the manifest, it is still performing the same task as R.string.value by injecting the string variable into the manifest. – Steve C. Nov 28 '16 at 12:00
  • store and retrieve variable gradle.properties – RDY Nov 28 '16 at 12:16

2 Answers

You can do that in the build.gradle file, like this:

buildTypes {
    release {
        resValue "string", "key", "[key here]"
    }
    debug {
        resValue "string", "key", "[key here]"
    }
}

And get it normally using R.string.key.

fsnasser

You can't do it in manifest.xml, but you can add values in the build.gradle file like this:

debug {
    buildConfigField 'String', 'BASE_API_ENDPOINT', '"https://myapi.api.com/"'
}

release {
    buildConfigField 'String', 'BASE_API_ENDPOINT', '"https://myapi.api.com/"'
}

and then access them by calling BuildConfig.BASE_API_ENDPOINT

Awesome benefit of this is that you can set it on a build-type basis, so that the string can change based on whether it's for development, debugging, or the Play Store.

LukeWaggoner
  • True. But isn't that still just injecting the string variable into the manifest rather than securing the string's value? – Steve C. Nov 28 '16 at 12:02
  • This isn't the manifest, it's your build.gradle file. When the app is built, this goes into a java file called BuildConfig.java. If the user decompiles the app, they won't get this file in its entirety like they would with the manifest.xml, so as far as I know it's secure. – LukeWaggoner Nov 28 '16 at 12:05
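
A build-time check for the question's underlying concern, added here as an example and not taken from either answer: a `resValue` string is packaged into `resources.arsc` and a `buildConfigField` constant is compiled into `classes.dex`, so both ship inside the APK as literals. The script below searches an APK (a ZIP archive) for a given literal in the encodings those two files use; the sample APK and the value `SAMPLE-KEY-123` are constructed for illustration, and `find_literal_in_apk` is a hypothetical helper name.

```python
import io
import zipfile


def find_literal_in_apk(apk, literal):
    """Return sorted (entry, encoding) pairs where `literal` appears verbatim.

    `apk` is a path or a file-like object.
    """
    # DEX string tables use MUTF-8 (byte-identical to UTF-8 for ASCII text);
    # resources.arsc string pools use either UTF-8 or UTF-16LE.
    needles = {
        "utf-8": literal.encode("utf-8"),
        "utf-16le": literal.encode("utf-16le"),
    }
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # zipfile inflates compressed entries for us
            for enc, needle in needles.items():
                if needle in data:
                    hits.append((info.filename, enc))
    return sorted(hits)


def build_sample_apk():
    """Constructed stand-in for a built APK (entries are not valid DEX/ARSC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # buildConfigField -> constant in BuildConfig, compiled into classes.dex
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"\x16https://myapi.api.com/\x00")
        # resValue -> string resource stored in resources.arsc
        zf.writestr("resources.arsc",
                    b"\x02\x00\x0c\x00" + "SAMPLE-KEY-123".encode("utf-16le"))
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for literal in ("https://myapi.api.com/", "SAMPLE-KEY-123"):
        print(literal, "->", find_literal_in_apk(build_sample_apk(), literal))
```

Run against a real release APK with the actual key as `literal`, a non-empty result means the value is present in the shipped package in plain form.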