Android Here Maps set api keys programmatically

Question

I am using Here maps Premium SDK 3.15 and in the documentation, it says to set id, token, and license in the android manifest file. I set id, token, and license in build.gradle as a manifest placeholder and put in Android.manifest like below.

    <!-- Here Maps -->
    <meta-data android:name="com.here.android.maps.appid"
        android:value="${here_map_app_id}"/>
    <meta-data android:name="com.here.android.maps.apptoken"
        android:value="${here_map_app_code}"/>
    <meta-data android:name="com.here.android.maps.license.key"
        android:value="${here_map_licence_key}"/>

My project run into static code analysis and one of the finding is "Hard-Coded Secret Tokens Present in Application Code". It means I keep the here map credentials in build.gradle and it's not ok.

My question is where should I keep these credentials and is there a way setup Here maps SDK programmatically instead of Android. manifest (In case, I do not keep in the project and retrieve from Backend)

No its not possible.However you can use Dexguard see:https://stackoverflow.com/a/46475968/8461344 — Code Demon, Jun 17 '20 at 08:46

Code Demon · Answer 1 · 2020-06-17T08:58:32.190

1

No you cannot programmatically alter the manifest file or resources except by gradle injection. According to Here maps : https://developer.here.com/documentation/android-premium/3.15/dev_guide/topics/credentials.html there is only one way to set the credentials ,however you can take some security measures see https://stackoverflow.com/a/46475968/8461344

edited Jun 17 '20 at 08:58

answered Jun 17 '20 at 08:52

Code Demon

1,256
1
9
15

score 1 · Answer 2 · answered Jan 05 '21 at 14:14

You can use manifest placeholders: https://developer.android.com/studio/build/manifest-build-variables

and then place your keys in env or local.properties like below (build.gradle)

manifestPlaceholders = [
     HERE_SDK_APP_ID     : System.getenv("HERE_SDK_APP_ID") ?: "APP_ID",
     HERE_SDK_APP_TOKEN  : System.getenv("HERE_SDK_APP_TOKEN") ?: "APP_TOKEN",
     HERE_SDK_LICENSE_KEY: System.getenv("HERE_SDK_LICENSE_KEY") ?: "APP_LICENSE",
]

and in AndroidManifest.xml:

<meta-data
    android:name="com.here.android.maps.appid"
    android:value="${HERE_SDK_APP_ID}" />
<meta-data
    android:name="com.here.android.maps.apptoken"
    android:value="${HERE_SDK_APP_TOKEN}" />
<meta-data
     android:name="com.here.android.maps.license.key"
     android:value="${HERE_SDK_LICENSE_KEY}" />

score 0 · Answer 3 · answered Jun 21 '20 at 11:33

I think this has been already answered here Dynamic API KEY for Google Maps on Android

It is clear that google maps don't support dynamic API key insertion.

For any other dynamic API Keys, Where you don't want to hardcode in the project, you can check out Firebase RemoteConfig. Here is the link, https://firebase.google.com/docs/remote-config/use-config-android

Android Here Maps set api keys programmatically

3 Answers3