
I would like to have your opinion on the best way to hide an API key and secret key.

I found 2 ways:

I know that risk 0 does not exist, but what is the most secure solution?

Thanks in advance

Louis
  • The question is who do you want to hide the key from? The first NDK method is useful to make it more difficult to find the key when reverse engineering; the second Gradle method is useful to keep your key locally while sharing the source code. It looks to me you're comparing apples and oranges – lelloman Jun 06 '17 at 17:58
  • Yes, I want to make it more difficult when reverse engineering. I thought that the Gradle method allowed this too. Thank you for your explanation – Louis Jun 06 '17 at 18:09

4 Answers


The NDK seems like your best bet; although it is not 100% secure, it sure is hard to reverse engineer. The Gradle way doesn't seem secure at all.

For obfuscation and encryption purposes, you could also take advantage of DexGuard.

jsc
  • Thanks for your answer. I will use the NDK. I heard about DexGuard; if I'm not mistaken, there is no free version (except ProGuard) – Louis Jun 06 '17 at 18:51
  • You are welcome. Don't forget to upvote the helpful answers that are given and accept the one that helped you the most as the correct answer. – jsc Jun 07 '17 at 09:18
  • If not ndk then cipher may be used as described in this link to get your job done: https://stackoverflow.com/questions/43629251/how-to-save-oauth-access-token-securely-in-android – Calvin Aug 03 '17 at 09:50
  • As explained in my answer, we have a free DexGuard alternative to hide secret keys in Android: https://github.com/klaxit/hidden-secrets-gradle-plugin – Ben-J Nov 09 '20 at 16:26
  • @Ben-J From what I understand about NDK, it works by generating a .so file. Extracting the .so file from apk is pretty straight forward. So, if another person gets access to the .so file and knows the function name to call, then that person should be able to get access to the secret hidden within the .so file. Please correct me on this, trying to find out a good enough solution for this problem myself. – Shubham Agarwal Jul 22 '22 at 08:05

To hide secret keys in an Android app, we have developed a free open source alternative to Dexguard. Our hidden-secrets-gradle-plugin uses the NDK and XOR operator to obfuscate keys to prevent reverse engineering.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin

Ben-J
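An added example, in Python rather than the plugin's NDK code, modelling the XOR step this answer describes. It is not the plugin's own code; the secret, the mask and the fake artifact layout are all constructed. `plaintext_present` is the build check that shows what the obfuscation buys (the literal key no longer appears in the shipped bytes), and `runtime_decode` shows its limit, which is the point Shubham Agarwal raised in the comments above: the mask and the blob ship together, so the same call the app makes at load time recovers the key for anyone who can execute the library.

```python
"""Model of XOR key obfuscation of the kind the plugin answer above describes.

Added example, not the plugin's code. The secret, the mask and the "artifact"
layout are constructed stand-ins for a real key and a real compiled .so.
"""

# Constructed sample secret; not a real credential.
SAMPLE_SECRET = "sk_live_EXAMPLE_0123456789"
# Constructed mask; every byte is non-zero so no blob byte equals its plaintext byte.
MASK = bytes([0x5A, 0xC3, 0x37, 0x9E, 0x21, 0x7B, 0xD4, 0x08])
# Constructed stand-in for the bytes that precede our data in a native library.
HEADER = b"\x7fELF" + b"\x00" * 28


def obfuscate(secret: str, mask: bytes) -> bytes:
    """Build-time step: XOR each byte of the secret with the repeating mask."""
    data = secret.encode("utf-8")
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def deobfuscate(blob: bytes, mask: bytes) -> str:
    """Runtime step: XOR is its own inverse, so the same loop restores the key."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(blob)).decode("utf-8")


def build_artifact(secret: str, mask: bytes) -> bytes:
    """Lay out header, mask and blob the way both end up inside one shipped library."""
    return HEADER + mask + obfuscate(secret, mask)


def plaintext_present(artifact: bytes, secret: str) -> bool:
    """Defender's build check: does the artifact still contain the literal secret?
    This is what a strings-style scan of the APK would find."""
    return secret.encode("utf-8") in artifact


def runtime_decode(artifact: bytes, mask_len: int, secret_len: int) -> str:
    """What the app's own native code does at load time: read mask and blob from
    their known offsets and decode. Whoever can load the same library and call
    this gets the same answer; the obfuscation hides the key from a byte scan,
    not from execution."""
    start = len(HEADER)
    mask = artifact[start:start + mask_len]
    blob = artifact[start + mask_len:start + mask_len + secret_len]
    return deobfuscate(blob, mask)


if __name__ == "__main__":
    artifact = build_artifact(SAMPLE_SECRET, MASK)
    print("plaintext visible to a byte scan:", plaintext_present(artifact, SAMPLE_SECRET))
    print("recovered at runtime:", runtime_decode(artifact, len(MASK), len(SAMPLE_SECRET)))
```

The custom encoding the answer mentions changes `obfuscate`/`deobfuscate` but not the structure: both halves still ship in the same binary, so it raises the reverse-engineering effort rather than removing the key from the client.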

The best way to secure the key is by not putting your keys in the app. For that purpose, if you are using a server that is highly secure (e.g. an Amazon server), then put your keys on the server and access them at run time. And also apply public/private encryption on both the app and server side.

But if you want to stay with the app then using "NDK" or using "Proguard" both are highly secure mechanisms on app level.

Zohaib Hassan
  • Yes, I use a secure server and https. But what I do not understand with this method is that the hacker can make the same request to retrieve the keys. – Louis Jun 06 '17 at 19:29
  • It didn't say just to save the API key on the server; you have to use "Public/private API key encryption" as well. Check this blog and see the "Public/private API key exchange" section, hope it will clarify: http://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/ – Zohaib Hassan Jun 06 '17 at 19:43
  • I read your article carefully but I still have trouble understanding the interest. If the hacker understands how the API works and retrieves the public key (which is stored in the application), they can also use it. Afterwards, a key can be linked to a user, but basically it offers the same security as OAuth? – Louis Jun 07 '17 at 10:28

If you are using OAuth to get a token, you can set up a server with the client id and client secret on your server. Your application gets the OAuth token from your server. This way you do not have to put the client id or client secret in the application that the user downloads and runs.

Louie
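An added example, not code from Zohaib Hassan's or Louie's answer, that simulates the server-side approach both describe: the OAuth client secret lives only in the broker process, the app authenticates as a user, and what comes back is a per-user, scoped, expiring token signed by the server. It also answers the concern Louis raised in the comments (that someone can replay the app's request): replaying gets a token bound to whatever credentials they can present, which the server can expire or revoke, never the secret itself. The upstream OAuth exchange is simulated; every secret, user and password is constructed.

```python
"""Simulated secret broker for the server-side approach the two answers above describe.

Added example; not code from either answer's author. The OAuth client secret stays
on the server, the app authenticates as a user and receives only a short-lived,
scoped token. Every secret, user and password here is constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed stand-ins for what the server holds. Neither is in the app bundle.
SERVER_CLIENT_SECRET = b"constructed-oauth-client-secret-not-real"
SERVER_TOKEN_KEY = b"constructed-token-signing-key-not-real"
TOKEN_TTL_SECONDS = 300
PBKDF2_ROUNDS = 100_000


class SecretBroker:
    """Server side. The app talks to this instead of carrying the client secret."""

    def __init__(self, client_secret: bytes, token_key: bytes, ttl: int) -> None:
        self._client_secret = client_secret  # used only inside this process
        self._token_key = token_key
        self._ttl = ttl
        self._users = {}       # username -> (salt, pbkdf2 digest)
        self._revoked = set()  # tokens withdrawn before their expiry

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def _password_ok(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, expected)

    def _exchange_with_upstream(self, username: str) -> str:
        """Stand-in for the call to the OAuth provider that needs the client secret.
        A real broker would perform the token exchange here; this only derives a
        per-user reference so the rest of the flow has something to carry."""
        return hmac.new(self._client_secret, username.encode(), "sha256").hexdigest()[:16]

    def issue_token(self, username: str, password: str, scope: str,
                    now: Optional[int] = None) -> Optional[str]:
        """Per-user, expiring, HMAC-signed token. Replaying the app's request yields
        a token bound to the supplied user credentials, never the client secret."""
        if not self._password_ok(username, password):
            return None
        now = int(time.time()) if now is None else now
        claims = {"sub": username, "scope": scope, "exp": now + self._ttl,
                  "upstream_ref": self._exchange_with_upstream(username)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._token_key, body, "sha256").hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig

    def validate(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Check signature, expiry and revocation; return the claims or None."""
        try:
            body_b64, sig = token.split(".", 1)
            body = base64.urlsafe_b64decode(body_b64.encode())
        except ValueError:  # malformed token or bad base64 (binascii.Error subclasses it)
            return None
        expected = hmac.new(self._token_key, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(body)
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now or token in self._revoked:
            return None
        return claims

    def revoke(self, token: str) -> None:
        """Server-side kill switch that a key embedded in the app cannot offer."""
        self._revoked.add(token)


def token_carries(token: str, needle: bytes) -> bool:
    """Inspect what actually reaches the app: does the decoded token body contain needle?"""
    body_b64 = token.split(".", 1)[0]
    return needle in base64.urlsafe_b64decode(body_b64.encode())


def make_demo_broker() -> SecretBroker:
    """Broker with one constructed user account."""
    broker = SecretBroker(SERVER_CLIENT_SECRET, SERVER_TOKEN_KEY, TOKEN_TTL_SECONDS)
    broker.register("alice", "correct horse battery staple")
    return broker


if __name__ == "__main__":
    broker = make_demo_broker()
    token = broker.issue_token("alice", "correct horse battery staple", "read:profile")
    print("token handed to the app:", token)
    print("claims the server accepts:", broker.validate(token))
    print("client secret in token body:", token_carries(token, SERVER_CLIENT_SECRET))
```

The design choice worth noting is that the app-side credential is per user and revocable, while the thing worth stealing (the client secret) never crosses the network; in a real deployment the broker would also require TLS and rate-limit `issue_token`.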