In my application I'm storing my token to access a web service in the strings.xml, but now I want to commit it (Github) without the token value.
Asked
Active
Viewed 406 times
0
-
what about saving it to Shared Preferences http://stackoverflow.com/questions/3624280/how-to-use-sharedpreferences-in-android-to-store-fetch-and-edit-values – Charuක Jan 19 '17 at 22:22
-
I'm going to commit the code and I can not figure out a way to use SharedPreferences without exposing my token. – Marcus Becker Jan 19 '17 at 22:43
1 Answers
3
You seem to be focused on the version control issue. If having that token in res/values/strings.xml is working for you, then you can put the token value in gradle.properties (e.g., as WEB_SERVICE_TOKEN), and the generate the corresponding string resource from Gradle using resValue:
android {
defaultConfig {
resValue "string", "whatever_your_string_resource_is_called", WEB_SERVICE_TOKEN
}
}
This will create a string resource named whatever_your_string_resource_is_called, containing the value you gave WEB_SERVICE_TOKEN in gradle.properties. Then, exclude gradle.properties from your version control system (e.g., via .gitignore).
The bigger issue is: should your Web service token actually be in your APK? After all, you are leaking that token to anyone who wants to get it. Depending upon the nature of your app and the nature of this Web service that you are trying to access, you might try alternatives to using a string resource, such as:
Not using the Web service from the app, but rather from your own Web service (e.g., one that the user has to log into)
Using the Web service from the app, but securely downloading the token and storing it on internal storage (so only those who root their devices can get the token)
CommonsWare
- 986,068
- 189
- 2,389
- 2,491
-
Thank you for the answer! I'm using https://www.themoviedb.org token to list the movies. There is no way to use my own web service or download the token. – Marcus Becker Jan 19 '17 at 22:47