How do we secure api keys on rooted device?

As you know, we can't trust the client; what we can do is make things difficult for the hacker. Following are some of the points I know of to secure keys:

  1. Using the NDK (store the key in your C code and read it in the Kotlin class at runtime) - even if the device is rooted or the app is decompiled, the hacker can't access it.
  2. Using the Android KeyChain (stores the key in the device hardware; without device integrity and the certificate, no one can access it. It is stored in a separate place from your application. Not sure what happens if we decompile the app).
  3. Secure Shared Preferences. (Even if we encrypt the file, it can still be accessed on a rooted device; one might figure out the decryption algorithm after checking the code.)
  4. Secure Shared Preferences and ProGuard/DexGuard? (Still not a good idea to store the encrypted key publicly available under the app package when the device is rooted.)
  5. If we just encrypt the file? (Again, it will be under the app package folder and can be accessed.)

What can be other options?

Ahmad Shahwaiz
  • _"Using NDK (store key in your C class and get it in kotlin class on runtime) - Even if device is rooted or decompiled hacker can't access it"_. Sure they can. It's just a matter of looking in a different place (your .so files rather than the .dex/.smali files). – Michael Sep 07 '21 at 11:30
  • Regarding options 2 and 3: How are you going to get the API key into those places to begin with? If you're including it in your app for that purpose then you're back to square one. – Michael Sep 07 '21 at 11:35
  • Yeah, I agree, back to square one if I'm trying to encrypt it. Where should we place it then... – Ahmad Shahwaiz Sep 07 '21 at 12:30

1 Answer


Have a look at the Jetpack Security Library where you can encrypt files or shared preferences.

However, a good rule of thumb is: if you don't want things from your app to be accessed, then you should not store them locally.

tyczj
  • If you are going to encrypt, we will still pass it as a param, and from there it can be read on decompile. – Ahmad Shahwaiz Sep 07 '21 at 12:35
  • I don't understand what you mean by that. – tyczj Sep 07 '21 at 12:40
  • I meant, you have the key locally, and right now you want to encrypt it. But the point is, if you have the key locally then that key is already at risk of being exposed (decompile and see the code). – Ahmad Shahwaiz Sep 07 '21 at 12:45
  • If you have the key already compiled into your app then yes, of course someone can get to it; nothing can be done about that aside from not including it in your app and getting it at a later point from a server. – tyczj Sep 07 '21 at 12:52
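As an added example (not code from the question, the answer, or any library they mention), here is the design that the "get it from a server" comment above points at, taken one step further: the third-party API key never leaves the backend at all. The app authenticates to your own backend, receives a short-lived HMAC-signed session token, and sends its requests to the backend, which attaches the third-party key server-side and forwards the call. Everything in the block is a constructed assumption: the placeholder key and signing secret, the token format, the allow-listed path prefix and the stand-in upstream API.

```python
"""Backend-proxy pattern for a third-party API key (added example).

The third-party key lives only on the server; the mobile client holds a
short-lived, per-user session token and never sees the key. All names, the
key value, the token format and the upstream API are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secrets. On a real backend these come from a
# secret manager or the environment, never from source control or the APK.
THIRD_PARTY_API_KEY = "tp_live_PLACEHOLDER_KEY"
TOKEN_SIGNING_SECRET = b"session-signing-secret-PLACEHOLDER"
TOKEN_TTL_SECONDS = 900


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: float) -> str:
    """Mint an HMAC-signed session token once the user has authenticated."""
    payload = json.dumps({"sub": user_id, "exp": int(now) + TOKEN_TTL_SECONDS},
                         separators=(",", ":")).encode()
    sig = hmac.new(TOKEN_SIGNING_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: float):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(TOKEN_SIGNING_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired token
    return claims.get("sub")


def third_party_api(path: str, headers: dict) -> dict:
    """Constructed stand-in for the upstream service that demands the key."""
    if headers.get("X-Api-Key") != THIRD_PARTY_API_KEY:
        return {"status": 401, "body": "bad api key"}
    return {"status": 200, "body": f"data for {path}"}


def proxy_request(token: str, path: str, now: float) -> dict:
    """Backend endpoint the app calls. Authorises the session, then attaches
    the key server-side and forwards the call. The key never leaves the server."""
    user = verify_token(token, now)
    if user is None:
        return {"status": 401, "body": "invalid or expired session"}
    if not path.startswith("/v1/public/"):
        # Allow-list of upstream paths: the proxy must not become an open relay.
        return {"status": 403, "body": "path not permitted"}
    upstream = third_party_api(path, {"X-Api-Key": THIRD_PARTY_API_KEY,
                                      "X-On-Behalf-Of": user})
    # Return only the upstream result, never the key or the headers we added.
    return {"status": upstream["status"], "body": upstream["body"]}


def client_bundle_contains_key(app_assets: dict) -> bool:
    """Crude build-time check: the shipped app assets must not carry the key."""
    return any(THIRD_PARTY_API_KEY in str(v) for v in app_assets.values())


if __name__ == "__main__":
    now = time.time()
    tok = issue_token("user-42", now)
    print(proxy_request(tok, "/v1/public/weather", now))
    print(proxy_request(tok, "/v1/public/weather", now + TOKEN_TTL_SECONDS + 1))
```

With this layout the only secret on the device is a per-user session token that expires and can be revoked, so someone with root on their own phone can take that token but not the third-party key, and any abuse is attributable to one user and can be rate-limited or blocked on the server. The allow-list in `proxy_request` matters: a proxy that forwards arbitrary paths simply turns into the key with extra steps.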