0

I am working on project that have api (restful)

I use key in resful and use in app

But if anyone can decompile my app and see api key,so can hack my api

Is there way to protect api key or use api key without storing in app?

Phantômaxx
  • 37,901
  • 21
  • 84
  • 115
Omid Aghakhani
  • 57
  • 2
  • 11
  • 3
    Does this answer your question? [Best practice for storing and protecting private API keys in applications](https://stackoverflow.com/questions/14570989/best-practice-for-storing-and-protecting-private-api-keys-in-applications) – mike47 Sep 28 '20 at 17:43

2 Answers2

1

Generally Google stores keys into Android Manifest or string.xml (res files). Those two files can be decompiled like any other. I think KeyStore is generally good practice to store private keys, so please take a look at KeyStore class and how to use it.

Also you can find pretty good article on this subject on github

MilanNz
  • 1,323
  • 3
  • 12
  • 29
  • Thanks,I use hash from private sign key for encrypt data and send to api,is it good way? – Omid Aghakhani Jan 21 '18 at 18:40
  • sorry if i didn't get you right, you hash your private key and then send it to server? in that case why there is much batter solutions :) btw using https is always good think. – MilanNz Jan 21 '18 at 18:44
  • No No,i use private sign key sha1 or md5 for api key,is it bad way? i thought that if i use sign hash,hacker cannot hack it :))) – Omid Aghakhani Jan 21 '18 at 18:55
  • No it is ok, as far as you use a satisfactory key length for algorithm that you use. Just maybe use sha1 because md5 is deprecated :) And once more i would suggest you to set https, there is free let's encrypt https provider :) Also you could use RSA if you send only data from phone to server. In that case you would encrypt using server's public key and decrypt with server's private key. – MilanNz Jan 21 '18 at 19:02
1

You cannot fully protect a static API key embedded in the app. Reverse engineering tools can easily extract it but you can make life more difficult and it will be a trade off between how valuable the data on your API is, how much time/effort you want to spend protecting it and how motivated the adversary is.

The keystore is useful for protecting dynamic session keys but not static API ones and is not hardware backed on many low end devices so check your customer base.

! Following is related to a commercial product !

Some key and API protection examples can be found here in addition to those linked to previously.

https://github.com/approov

Barry O'Rourke
  • 11
  • 1