0

Which of the following is considered safer and why

  1. Saving data (some strings, urls etc) in Asset folder and then reading from it
  2. Saving data in gradle.properties and reading from it
abhishek maharajpet
  • 482
  • 1
  • 4
  • 18
  • How does one read from gradle properties? – blackapps May 22 '23 at 17:15
  • By setting up fields in build.gradle buildConfigField STRING, IV, IV_VALUE – abhishek maharajpet May 23 '23 at 06:49
  • I asked for your Android code to read the values. – blackapps May 23 '23 at 09:26
  • If you are not encrypting assets it is easily recoverable from APK files, the Build.{FIELD} can be recovered same way but need to put additional effort to find it in code(which could be obfuscated) instead of just scanning the resources file. Neither of them should be considered secure(in the "I can sleep safely, my secrets are secure" fashion) but the gradle properties approach is more secure than the assets one. – bmaciejm May 24 '23 at 10:41
  • @bmaciejm Can you please lead me to any docs/references where in "gradle properties approach is more secure than the assets one"? – abhishek maharajpet May 30 '23 at 07:20
  • My statement comes from experience, when you will use the gradle properties approach the build fields will be just inlined in the code(if using R8 https://stackoverflow.com/a/56370696/4153947) so it's more difficult to find it than just plain strings in resources(which are not obfuscated R8/Proguard)which are trivial to extract https://stackoverflow.com/questions/35842663/android-how-to-extract-resources-from-apk-for-one-specific-locale-language. But both approaches are not SAFE by any means, just a little more difficult for an attacker to find(still trivial for the experienced one). – bmaciejm Jun 03 '23 at 20:43
  • Thanks a lot, I do have some clarity now this. – abhishek maharajpet Jun 06 '23 at 12:19

0 Answers0