Best practice for storing and protecting private API keys in applications [closed]

by

  1. As it is, your compiled application contains the key strings, but also the constant names APP_KEY and APP_SECRET. Extracting keys from such self-documenting code is trivial, for instance with the standard Android tool dx.

  2. You can apply ProGuard. It will leave the key strings untouched, but it will remove the constant names. It will also rename classes and methods with short, meaningless names, where ever possible. Extracting the keys then takes some more time, for figuring out which string serves which purpose.

    Note that setting up ProGuard shouldn’t be as difficult as you fear. To begin with, you only need to enable ProGuard, as documented in project.properties. If there are any problems with third-party libraries, you may need to suppress some warnings and/or prevent them from being obfuscated, in proguard-project.txt. For instance:

    -dontwarn com.dropbox.**
-keep class com.dropbox.** { *; }

    This is a brute-force approach; you can refine such configuration once the processed application works.

  3. You can obfuscate the strings manually in your code, for instance with a Base64 encoding or preferably with something more complicated; maybe even native code. A hacker will then have to statically reverse-engineer your encoding or dynamically intercept the decoding in the proper place.

  4. You can apply a commercial obfuscator, like ProGuard’s specialized sibling DexGuard. It can additionally encrypt/obfuscate the strings and classes for you. Extracting the keys then takes even more time and expertise.

  5. You might be able to run parts of your application on your own server. If you can keep the keys there, they are safe.

In the end, it’s an economic trade-off that you have to make: how important are the keys, how much time or software can you afford, how sophisticated are the hackers who are interested in the keys, how much time will they want to spend, how much worth is a delay before the keys are hacked, on what scale will any successful hackers distribute the keys, etc. Small pieces of information like keys are more difficult to protect than entire applications. Intrinsically, nothing on the client-side is unbreakable, but you can certainly raise the bar.

(I am the developer of ProGuard and DexGuard)

More Related Contents:

  1. How to avoid reverse engineering of an APK file
  2. DexIndexOverflowException Only When Running Tests
  3. How to remove all debug logging calls before building the release version of an Android app?
  4. Enabling ProGuard in Eclipse for Android
  5. What ProGuard configuration do I need for Firebase on Android?
  6. How to keep/exclude a particular package path when using proguard?
  7. Sniffing/logging your own Android Bluetooth traffic
  8. Removing unused strings during ProGuard optimisation
  9. Compile with Proguard gives SimException: “local variable type mismatch”
  10. One Google Maps key for all developers?
  11. ProGuard: can’t find referenced class com.google.android.gms.R
  12. How to get release build apk file using proguard
  13. Proguard ignores config file of library
  14. proguard Missing type parameter
  15. How to use the ProGuard in Android Studio?
  16. Proguard warnings “can’t write resource [META-INF/MANIFEST.MF] (Duplicate zip entry)”
  17. Mopub ads not showing
  18. Android – How to check Proguard obfuscation has worked?
  19. Android: What are the recommended configurations for Proguard?
  20. How to make Proguard ignore external libraries?
  21. Android/java: Transition / Migration from ProGuard to R8?
  22. Is it possible to use proguard in debug mode?
  23. How to tell ProGuard to keep everything in a particular package?
  24. How to obfuscate an Android library (.jar file) using Proguard in Eclipse
  25. Where does Android Studio save the ProGuard mapping file?
  26. Gradle failed to build when proguard is activated
  27. can’t generate signed APK from Android studio “Execution failed for task ‘:packageRelease'”
  28. How to include a proguard configuration in my Android library (AAR)
  29. How to hide API URL and parameters in Android APP?
  30. Proguard (R8) negate operator not working to keep anything except certain packages

Leave a Comment