2

I want to hide private information like an API key when uploading my project. So I am wondering if there's a way to set an environment variable somewhere, as I do in the command prompt.

For example, I want to hide my API key in google_maps_api.xml

<string name="google_maps_key" templateMergeStrategy="preserve" translatable="false">API_KEY_HERE</string>

How can I do it in Android Studio?

2 Answers

4

As per best practices, it is recommended to keep all the credentials in gradle.properties like this:

KEYSTORE_PASSWORD=password123
KEY_PASSWORD=password789
GOOGLE_MAP_KEY=API_KEY_HERE

This file is automatically imported by Gradle, so you can use it like:

signingConfigs {
    release {
        try {
            storeFile file("myapp.keystore")
            storePassword KEYSTORE_PASSWORD
            keyAlias "thekey"
            keyPassword KEY_PASSWORD
        }
        catch (ex) {
            throw new InvalidUserDataException("You should define KEYSTORE_PASSWORD and KEY_PASSWORD in gradle.properties.")
        }
    }
}

To use gradle.properties inside a class, you can refer to this:

android {
    ...
    defaultConfig {
        ...
        // defining the google map key
        // (the value must be a quoted Java string literal, hence the escaped quotes)
        buildConfigField "String", "GOOGLE_MAP_KEY", "\"${GOOGLE_MAP_KEY}\""
    }
}

This will be generated in <package_name>.BuildConfig.java and would contain these fields:

public class BuildConfig {
    // ... other generated fields ...
    public static final String GOOGLE_MAP_KEY = "API_KEY_HERE";
}

You can now directly use GOOGLE_MAP_KEY by calling BuildConfig.GOOGLE_MAP_KEY in any class.

In order to keep all your credentials safe, do not commit gradle.properties to your version control repositories like GitHub, etc.

Aseem Sharma
  • So in my case, I should just write down my API key in `gradle.properties` and replace my key with a variable in `google_maps_api.xml`? –  Oct 04 '18 at 09:21
  • 1
    If you want to use the key in XML then first you need to do the setup like I have shown above of GOOGLE_MAP_KEY in `build.gradle` and after Sync when it will be generated in BuildConfig, then you can access it as other resources like @string/GOOGLE_MAP_KEY – Aseem Sharma Oct 04 '18 at 09:27
  • For more details read this article as well [link](https://medium.com/code-better/hiding-api-keys-from-your-android-repository-b23f5598b906) – Aseem Sharma Oct 04 '18 at 09:32
  • I ended up just adding `google_maps_api.xml` to `gitignore` because the key that Android Studio gave me is referred to like `@string/google_maps_api_key` in `AndroidManifest.xml`. But thanks for this tip. It is helpful. –  Oct 04 '18 at 13:29
  • Glad, it helped :) – Aseem Sharma Oct 04 '18 at 13:33
  • Please decompile the APK; the API key will be visible. This is not working. – karan May 03 '23 at 07:28
  • Yes, agreed. The solution provided in this answer works for not exposing your secrets from your version control system, but since they are part of your application, they can still be discovered by decompiling your APK. As per my understanding, we can restrict the API key through various parameters, so even if it is exposed it won't be used by anyone. – Aseem Sharma May 04 '23 at 08:11
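
Added example (not part of the answer above or its comments): a Groovy `app/build.gradle` fragment for the question's `google_maps_api.xml` case, generating the `google_maps_key` string resource at build time from `GOOGLE_MAP_KEY`, read from an untracked `gradle.properties` or, failing that, an environment variable. `resolveSecret` is a hypothetical helper name introduced here.

```groovy
// app/build.gradle (Groovy DSL) -- illustrative, not the answer's own code.
// Assumption: GOOGLE_MAP_KEY is defined either in a gradle.properties that is
// NOT under version control (project root or ~/.gradle/) or as an environment
// variable of the same name, e.g. on a CI runner.

def resolveSecret = { String name ->
    // Gradle properties take precedence; the environment is the fallback.
    def value = project.findProperty(name) ?: System.getenv(name)
    if (!value) {
        // Fail the build early instead of shipping an empty key.
        throw new InvalidUserDataException(
            "${name} is not set. Define it in an untracked gradle.properties " +
            "or export it as an environment variable.")
    }
    return value.toString()
}

android {
    defaultConfig {
        def mapsKey = resolveSecret("GOOGLE_MAP_KEY")

        // Generates <string name="google_maps_key"> at build time, so the
        // manifest can keep referencing @string/google_maps_key. Remove the
        // hand-written <string> with that name from google_maps_api.xml,
        // otherwise the build reports a duplicate resource.
        resValue "string", "google_maps_key", mapsKey

        // Optional: expose the same value as BuildConfig.GOOGLE_MAP_KEY.
        // The third argument is Java source, hence the escaped quotes.
        // Android Gradle Plugin 8+ also needs: buildFeatures { buildConfig true }
        buildConfigField "String", "GOOGLE_MAP_KEY", "\"${mapsKey}\""
    }
}

// The value is still packaged into the APK; this only keeps it out of the
// repository, so restrict the key on the provider side as well.
```
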
-2

First, you should make a .env file outside of your src folder.

Then, add

REACT_APP_WEATHER_API_KEY=123456

Replace 123456 with your API_KEY.

Before committing, you should exclude this .env file, so find the .gitignore file and add .env.

You can use these env variables like this:

 const API_KEY = process.env.REACT_APP_WEATHER_API_KEY;

Now you're free to go.

Don't forget to add .env in .gitignore file.

For more info see this

amit