I'm curious to know whether, without a commercial product for obfuscation, there is any way I can store API URLs and parameters safely so that they cannot be decompiled through reverse engineering. I have tried all my apps, and their API URLs and code are easy to read. I'm concerned about security.
-
Hey @Chirag found any solution?? – Darth Vader May 28 '20 at 21:49
-
@Abhishekkumar No, I didn't find any proper solution for this; I added some more security on the API side and defined the URLs in the BuildConfig file. – Chirag Joshi May 31 '20 at 04:34
-
Just as an example, what security on the API side? – Darth Vader May 31 '20 at 07:23
-
Did you find any solution? I am looking for the same. I pass a confidential token with my API call to a remote server and, even after obfuscation, I find it exposed in my .class files. – Aniket Velhankar Feb 04 '21 at 12:22
3 Answers
Hide URL in Environment Variables, BuildConfig and Android Studio
One simple way to avoid this bad practice is to store your values inside an environment variable, so only your machine knows them, then read these values in some way and inject them into your code at build time. Let's see how to do that using Android Studio, Gradle, and BuildConfig.
First, we need to create these environmental vars. In Linux and Mac, create or edit the file ~/.gradle/gradle.properties (pay attention to the actual Gradle User Home directory position) and add some values:
    WEBServiceBaseURL="http://192.168.2.102:2323/"
    WEBServiceBaseSMSURL="https://www.example.com/"
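Second, in your module's build.gradle file, add these lines:

    // Add these lines
    // The values in gradle.properties already include the surrounding double
    // quotes, so they can be used directly as Java string literals.
    // findProperty returns null when the property is missing, so the fallback applies.
    def Base_URL = project.findProperty('WEBServiceBaseURL') ?: '"Define BASE URL"'
    def SMS_Base_URL = project.findProperty('WEBServiceBaseSMSURL') ?: '"Define SMS BASE URL"'
    android.buildTypes.each { type ->
        type.buildConfigField 'String', 'Base_URL', Base_URL
        type.buildConfigField 'String', 'SMS_Base_URL', SMS_Base_URL
    }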
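Use it in a Java file like this: BuildConfig.Base_URL returns the URL string.

    // Imports: retrofit2.Retrofit, retrofit2.converter.gson.GsonConverterFactory
    // Cached client instance, declared in the enclosing class
    private static Retrofit retrofit = null;

    public static Retrofit getClient() {
        if (retrofit == null) {
            retrofit = new Retrofit.Builder()
                    .baseUrl(BuildConfig.Base_URL)
                    .addConverterFactory(GsonConverterFactory.create())
                    .build();
        }
        return retrofit;
    }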

-
@erfan can you please share the details on how to get the gradle.properties file when we decompile the apk file? – jeet parmar Jun 11 '19 at 06:04
-
Hi @Mallikarjuna, I have just used your code and tested it by decompiling my APK; it easily shows the URL. Please share another way if you have one. – Basant Jul 03 '19 at 07:04
-
This can be extracted very easily after reverse engineering. Moving URLs to native code or applying encryption can be done to achieve your goal. – Amir Raza Oct 27 '21 at 19:28
-
This solution is not working; the URL is still visible after the APK is decompiled. – karan May 02 '23 at 09:54
-
I found a solution to hide the base URL and keep the API secured with the NDK. Keep a Base64-encoded string inside a cpp file, call it from a Java class, and decode the Base64.
Include C++ (NDK) support in your project. You can add this to a new or an existing project.
Your cpp file can be named something like native-lib.cpp.
Search for an online Base64 encoder and encode your base URL. Now keep the encoded string inside the cpp file.
Inside the cpp file, the sample code looks like this:
    #include <jni.h>
    #include <string>

    extern "C" JNIEXPORT jstring JNICALL
    Java_com_touhidapps_MyProject_utils_MyConstants_baseUrlFromJNI(JNIEnv *env, jobject) {
        std::string mUrl = "aHR0cDovL2FwaS5leGFtcGxlLmNvbS8="; // "http://api.example.com/"
        return env->NewStringUTF(mUrl.c_str());
    }
Inside the MyConstants.java class (where I kept all API URLs):

    // Imports: android.util.Base64, java.io.UnsupportedEncodingException

    // load the C++ library
    static {
        System.loadLibrary("native-lib");
    }

    public static native String baseUrlFromJNI();

    // decode Base64 to a string and get the normal URL
    public static String getSecureBaseUrl() {
        String mUrl = baseUrlFromJNI();
        try {
            String text = new String(Base64.decode(mUrl, Base64.DEFAULT), "UTF-8");
            return text;
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        // Don't change this link. This will not execute normally; if an
        // exception happens, then it will return a demo URL.
        mUrl = "http://demo.example.com/";
        return mUrl;
    }
Now you can get your original URL like below:

    public static final String API_BASE = "" + getSecureBaseUrl();

-
mUrl = "http://demo.example.com/"; this line is in the Java file, so in the same way it can be extracted. – Ali Ahmed Jun 27 '21 at 10:42
-
@AliAhmed Don't change this link. This will not execute normally; if an exception happens, then it will return a demo URL and will prevent your app from crashing. The URL is changed inside the cpp file. – Touhid Jul 10 '21 at 11:23
-
Not secure. Please try decompiling the APK; I have tried, and I am getting the Base64 string after decompiling. Anybody can convert that string online. This is not secure. – karan May 04 '23 at 07:22
-
@karan Please let me know how you decompile the C++ library (after compilation it is a .so file inside the APK). Without decompiling the C++ library you will not even get the Base64 string. – Touhid May 04 '23 at 11:04
-
@Touhid It's very simple: you need to open the .so file in Notepad++ and there you will find your base API URL; just search in the Notepad file. – karan May 04 '23 at 11:15
-
@karan No. Notepad++ only supports Windows. If I get a Windows machine, then I can test. – Touhid May 08 '23 at 13:03
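An added example (not part of any answer or comment above, and not the posters' code): a release check that lists the URLs readable from an APK's compiled classes.dex and native .so entries, which is the test the comments on both the BuildConfig answer and the NDK/Base64 answer describe. The sample APK is constructed in memory from the URLs shown in those answers; the function names and the lib/arm64-v8a/libnative-lib.so entry name are assumptions.

```python
import base64
import io
import re
import zipfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")      # runs that `strings` would report
URL = re.compile(rb"https?://[\x21-\x7e]+")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def find_embedded_urls(blob: bytes):
    """Return sorted (kind, url) pairs readable from a compiled artifact."""
    found = set()
    for run in PRINTABLE.findall(blob):
        for url in URL.findall(run):
            found.add(("plaintext", url.decode("ascii")))
        for token in B64_TOKEN.findall(run):
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:                   # binascii.Error is a ValueError
                continue
            match = URL.match(decoded)
            if match:
                found.add(("base64", match.group().decode("ascii")))
    return sorted(found)


def audit_apk(apk):
    """Scan every .dex and .so entry of an APK (path or file object)."""
    report = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.endswith((".dex", ".so")):
                hits = find_embedded_urls(zf.read(name))
                if hits:
                    report[name] = hits
    return report


def build_sample_apk():
    """Constructed stand-in for a release APK, using the URLs from the answers."""
    dex = b"dex\n035\x00" + b"\x18https://www.example.com/\x00\x08Base_URL\x00"
    so = b"\x7fELF\x02\x01\x01\x00" + b"aHR0cDovL2FwaS5leGFtcGxlLmNvbS8=\x00native-lib\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("lib/arm64-v8a/libnative-lib.so", so)
    buf.seek(0)
    return buf
```

Calling audit_apk with the path of a real release APK gives the same kind of report; any URL or token it lists should be treated as public and protected on the server side.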
Your question is not ideal for Stack Overflow, as the topic is too broad and primarily opinion-based. However, I thought I could share some of my thoughts as an answer here.
Hiding API URLs with code obfuscation is definitely a good idea, and it may work in some cases as well if you want to hide those. You might consider encrypting the API URL in your code as well and storing the encrypted URL in your SharedPreferences or in local storage, which needs to be decrypted again each time you use your API URL to call a web service.
But none of these can ensure that your API URLs are uncrackable. If someone really wants to get your API URLs, s/he can easily get them by tracking the network that you're using to call the web services.
So encrypting API URLs and obfuscating the variable names to hide the API URLs will not work as you expected in most cases. And yes, I don't see any security breach in someone getting your API URLs either, because the API server should be designed in a way that it can block unwanted service calls an attacker is making through an API. You might consider setting up a firewall on your host machines, or you can set up a basic authentication protocol which will protect your data. There are a lot of ways to prevent these security breach activities. You might also consider reading this article, which I found useful to get a heads-up on how you can protect your APIs from being abused.
Hope that helps.
