0

After having researched the issue at great length, we have not found a valid solution for our situation.

We have API keys for external SDKs and APIs which we are using in our app.

This link says to bind your key to a signing certificate. This is great if you have your own SDK or API, but for external elements where you have to provide your assigned key as a parameter, this is not an option.

The following link does not apply to our situation: Implementing (secure) Api Keys in an app

In addition, we have spent three days of trying different configurations as well as the ProGuard UI attempting to obfuscate our code using ProGuard without success.

We have also implemented AndroidManifest.xml key references, but they are clearly visible in a generated config.java class. Thus, this is also not a viable solution.

Securing source code is a minor priority. Our main concern is the security of the API keys.

Can anyone provide a possible solution? Is the DexGuard product a real solution when we cannot get ProGuard to work with a simple project?

Benjamin Menrad
  • "Our main concern is the security of the API keys" — security against whom? Are you concerned that the Russian mafia will steal your Twitter keys and use those to post snarky comments under your name? If you want to protect against automatic bots crawling Google Play for plaintext keys, it should be enough to use obscure variable names (no AndroidManifest constants!) and manually encrypt the keys against a hardcoded bytestring (probably should not use Base64). If someone decides to manually extract keys, they are most likely going to succeed no matter how much effort you pile up against them. – user1643723 Jan 30 '18 at 10:31
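As an added example (not part of the original question or its comments): a build-time check in Python that reports when a known key appears verbatim in an APK, which is the exposure the question describes with the generated config class and what the comment's plaintext-crawling bots would find. The key, mask and APK contents are constructed samples, and all function names are hypothetical.

```python
import io
import zipfile


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """XOR data against a repeating mask; applying it twice restores the input."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def find_plaintext_secrets(apk_bytes: bytes, secrets: dict) -> list:
    """Return sorted (secret_name, entry_name) pairs where a secret occurs verbatim."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            blob = apk.read(entry)  # decompressed entry contents
            for name, value in secrets.items():
                # Compiled resources and the binary manifest can store strings
                # as UTF-16, so check both encodings.
                if value.encode("utf-8") in blob or value.encode("utf-16-le") in blob:
                    hits.append((name, entry))
    return sorted(hits)


def build_sample_apk(entries: dict) -> bytes:
    """Build an in-memory zip standing in for an APK (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample values; not real credentials.
SECRETS = {"MAPS_KEY": "EXAMPLE-KEY-0123456789abcdef"}
MASK = b"\x5a\xc3\x11\x9e\x27"
_key = SECRETS["MAPS_KEY"].encode()

# Build 1: key referenced from the manifest and copied into a generated class.
PLAIN_APK = build_sample_apk({
    "AndroidManifest.xml": b"<meta-data value='" + _key + b"'/>",
    "classes.dex": b"dex\n035\x00" + _key + b"\x00",
})
# Build 2: key stored XOR-masked against a hardcoded bytestring, as in the comment.
MASKED_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + xor_mask(_key, MASK) + MASK,
})

if __name__ == "__main__":
    print("plain build :", find_plaintext_secrets(PLAIN_APK, SECRETS))
    print("masked build:", find_plaintext_secrets(MASKED_APK, SECRETS))
```

The masked build passes the scan, but the mask ships in the same file as the masked key, so this only addresses plaintext crawling and not the manual extraction the comment describes.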

2 Answers

0

You can always use Firebase Remote Config.

That way you can also change your key without the need to upgrade.

Moshe Edri
0

Firebase Remote Config:

Mentions: "Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project."

So, it would not be a good mechanism for storage of API keys.

V Sridhar