6

I inherited an app that calls services that are protected by an API key that unfortunately is embedded in the app. Obviously, this is not ideal so I am looking to embed the API key within Android Keystore. I have used libraries such as https://github.com/scottyab/secure-preferences in the past on other Android apps but in this case, that security would not pass a security audit.

Reading this: https://medium.com/@ericfu/securely-storing-secrets-in-an-android-application-501f030ae5a3 I get everything but how to get API key in the keystore initially as part of the build. Ideally, I would have the API key returned as part of the login process so it is inserted at runtime but unfortunately, I cannot alter the login service at this time.

I have read numerous posts such as: Best practice for storing and protecting private API keys in applications but most are focusing on keeping your keys out of the source code repository.

So, the ask is: Is there a gradle build mechanism (or any mechanism) that can insert a specific piece of data into the Android Keystore at build time?

Perry Hoekstra
  • 2,687
  • 3
  • 33
  • 52

1 Answers1

9

Is there a gradle build mechanism (or any mechanism) that can insert a specific piece of data into the Android Keystore at build time?

By definition, that is not possible. The AndroidKeyStore is on users' Android devices, not on developer machines. At build time, your app is not on the users' Android devices and cannot do anything with them.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • That is what I thought. So, the only way I can securely store the API key is to include it as part of the login process response and store it in the AndroidKeyStore at runtime. Does that sum it up? – Perry Hoekstra Apr 17 '18 at 23:01
  • @PerryHoekstra: Or, do not call these Web services from your app, but instead from your own server. How practical that is depends on the nature of the Web service and your use of it. You are welcome to use products like DexGuard to try to make it more difficult for attackers to extract an API key packaged in your APK, though "more difficult" != "impossible". Whether your approach (API key in login response) will work depends on how that API key is used. For example, if the API key has to be in the manifest, your approach is not an option. – CommonsWare Apr 17 '18 at 23:05
  • Thanks for the suggestion but I am bound by the services (and their security mechanisms) that currently exists. I had looked at the obfuscation approach documented in the StackOver question I referenced but because it was not full proof, I don't know if it would pass the organization's security auditor. – Perry Hoekstra Apr 17 '18 at 23:09