-2

I developed an API for my mobile app. I have an API key for access to this API. As you know, there is no possible method to hide the API key. But what if I do it with Firebase config? (https://firebase.google.com/docs/remote-config/api-overview)

My idea: do not use a default param for remote config. If the app can't fetch an API key from Firebase, then it will not work. Use the API key at runtime, without saving it to local storage or the app code.

Has anybody tried this? Is this a good idea for saving the API key?

blood73
  • Firebase Remote Config is accessible to all users. It should not be used to share secrets. In general: if your API key should remain a secret, never put it in a client-side device. You'll need a server (or something like Cloud Functions) to keep the secret from being discoverable by your users. – Frank van Puffelen Dec 28 '17 at 15:49

2 Answers

0

You can compile with a mock API key and replace it with your original API key at runtime using remote config, but why though? How about

  • using shared preference with encryption
  • embed your API key in the resource file
  • hiding your API key in the build config
  • obfuscating your API key with proguard
Ege Kuzubasioglu
  • 1
    Thanks for the answer. Shared preferences and a resource file are not a good idea, I think. Build config hides the key only from the repository, not from a decompiler, no? Proguard is not 100% safe – blood73 Dec 28 '17 at 12:55
  • Well no routine is 100% safe but please see Eric Lafortune's answer https://stackoverflow.com/a/14572051/6683139 – Ege Kuzubasioglu Dec 28 '17 at 12:57
0

Hide your API key in the Build Config (:app) file inside the default config like this:

    android {
        defaultConfig {
            // Generates the String constant BuildConfig.API_KEY at build time
            buildConfigField("String", "API_KEY", '"paste your Api Key here"')
        }
    }
Amandeep Singh
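
A pre-release check for the embedding approaches discussed above (build config field, resource file), as an added example that is not part of the original question or answers: it searches a built APK for the literal key in the encodings used by dex files and resource string pools. The function names, the sample key and the in-memory stand-in APK are constructed for illustration.

```python
import io
import zipfile


def find_embedded_secret(apk_bytes: bytes, secret: str) -> list:
    """Return (entry_name, encoding) for every APK entry that contains the secret.

    classes*.dex stores ASCII string constants byte-for-byte, and
    resources.arsc string pools are UTF-8 or UTF-16LE, so both are searched.
    """
    needles = {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
    }
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)  # zipfile inflates compressed entries
            for encoding, needle in needles.items():
                if needle in data:
                    hits.append((info.filename, encoding))
    return hits


def build_sample_apk(secret: str) -> bytes:
    """Constructed stand-in for an APK (not a real build output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # A buildConfigField string constant ends up as raw bytes in the dex.
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00" * 32 + secret.encode() + b"\x00")
        # A string resource stored in a UTF-16 string pool.
        z.writestr("resources.arsc",
                   b"\x02\x00\x0c\x00" + secret.encode("utf-16-le"))
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00no key here")
    return buf.getvalue()


SAMPLE_KEY = "EXAMPLE-KEY-0000-constructed"  # constructed value, not a real key

if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_KEY)
    for name, enc in find_embedded_secret(apk, SAMPLE_KEY):
        print(f"key found in {name} ({enc})")
```

Run against a real release APK by reading the file's bytes and passing the key under test; any hit means the key ships in the package in readable form.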