
I'm creating an Android app which connects to a server through an API. I'm worried about a security issue: as far as I'm concerned, anyone can decompile your .apk and take a look at or modify your code.

Knowing that, where do I need to save the API keys inside the app in order to avoid some bad guy stealing them and accessing the server, for example, to modify my database?

Thanks

Lopan

1 Answer


Understand how an attacker will go after your application, 95% of the time in this order:

  1. Inspect traffic between your application and the server by using an intercepting proxy like Burp -- very easy to do. See how I did it on Words With Friends here (this was for an iOS device, but the same concept works with Android).

  2. You can stop traffic inspection with certificate pinning, but they can break that by rooting the device and using some hacker tools on Android. So you need Android root detection.

  3. The other attack is scanning your binary. You will need to obfuscate it with a tool like DexGuard.

None of these methods are bullet-proof: generally trying to hide secrets in client code is a losing game. Don't put more effort into it than it is worth.

TheGreatContini
  • So then, where is the common place to store an API Key to connect to a server? – Lopan Mar 12 '17 at 23:22
  • @Lopan You can hard-code it in the app, but you would need to obfuscate the code, do cert pinning, and detect rooting to have a chance. However, a better design would not depend upon client-side secrets; that is a losing game. – TheGreatContini Mar 13 '17 at 02:02
  • Thank you for helping me. Do you know some resources or books on how to properly set up a REST API for an Android app? Sorry if my questions feel dumb to you. – Lopan Mar 13 '17 at 13:20
  • @Lopan, sorry, I don't have much. From a security point of view, hiding secrets in client code is a losing battle. If your application has users that authenticate, then you can use OAuth 2 (or something simpler, because OAuth can be overkill) to restrict access to resources on the server. Just Googling on this subject, I don't find any great resources, but [this one](http://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/) and [this one](https://stormpath.com/blog/secure-your-rest-api-right-way) are okay. – TheGreatContini Mar 13 '17 at 20:39
  • Thank you so much for your help, I'll green tick your answer. – Lopan Mar 13 '17 at 21:07
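The server-side design TheGreatContini recommends in the comments, written out as an added example that is not from the thread: the two classes below contrast the question's model (one API key shipped in the APK, so whoever extracts it can edit any row) with a model that keeps no secret in the client at all. Users authenticate with a password, the server hands back a random, short-lived bearer token bound to that user, and every write is authorized against the token's user rather than against a key. The users, passwords, records, the 900-second lifetime and the PBKDF2 iteration count are all constructed for the example; a real deployment would add rate limiting and the usual password-reset and session-revocation paths.

```python
"""Added example (not from the original thread): shared-key API versus per-user tokens
with server-side authorization. Everything here is in-memory and constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


class SharedKeyApi:
    """The design in the question: one key inside the APK, checked by the server.
    Anyone who pulls the key out of the app passes the check and may edit every row."""

    def __init__(self, api_key: str):
        self._api_key = api_key
        self.db = {"alice": "hello", "bob": "world"}   # constructed sample data

    def update(self, api_key: str, owner: str, value: str) -> bool:
        if not hmac.compare_digest(api_key, self._api_key):
            return False
        self.db[owner] = value          # no notion of *who* is calling
        return True


class PerUserApi:
    """The design recommended in the comments: no secret in the client. Users log in,
    the server issues a short-lived bearer token bound to that user, and every write
    is authorized against the token's user, so a decompiled APK yields nothing useful."""

    TOKEN_TTL = 900        # seconds (assumption for the example)
    PBKDF2_ROUNDS = 100_000

    def __init__(self):
        self.db = {"alice": "hello", "bob": "world"}   # constructed sample data
        # constructed users; each password gets its own salt
        self._users = {name: self._new_credential(pw)
                       for name, pw in (("alice", "alice-pw"), ("bob", "bob-pw"))}
        self._sessions = {}   # token -> (username, expiry timestamp)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    @classmethod
    def _new_credential(cls, password: str):
        salt = secrets.token_bytes(16)
        return salt, cls._derive(password, salt)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a fresh bearer token on success, None otherwise. The token is random,
        so it carries no information an attacker could recover from the app itself."""
        cred = self._users.get(username)
        if cred is None:
            return None
        salt, stored = cred
        if not hmac.compare_digest(stored, self._derive(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[token] = (username, now + self.TOKEN_TTL)
        return token

    def update(self, token: str, owner: str, value: str, now: Optional[float] = None) -> bool:
        """Authenticate the token, expire it if stale, then authorize: a user may only
        write their own row. Nothing an attacker extracts from the APK gets past this."""
        session = self._sessions.get(token)
        if session is None:
            return False
        user, expiry = session
        now = time.time() if now is None else now
        if now > expiry:
            del self._sessions[token]
            return False
        if user != owner:
            return False
        self.db[owner] = value
        return True


if __name__ == "__main__":
    leaked = SharedKeyApi("key-pulled-from-the-apk")
    print("shared key, edit someone else's row:", leaked.update("key-pulled-from-the-apk", "alice", "pwned"))
    api = PerUserApi()
    token = api.login("bob", "bob-pw")
    print("bob edits alice's row:", api.update(token, "alice", "pwned"))
    print("bob edits his own row:", api.update(token, "bob", "mine"))
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in the app, the token is obtained after the user logs in and is sent as an `Authorization: Bearer` header, and nothing about it needs to be hidden in the APK.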