
I am building Android apps using Phonegap. The apps use REST APIs. But I have serious questions regarding the security of the API keys. I have been looking for answers everywhere, but the issue hasn't been answered well. As you know, an Android apk can be extracted and the Phonegap folder can be reverse engineered. I have these questions/possible solutions regarding the problem:

  1. Is there a way (maybe a plugin) to password-protect the "www" folder? So that when someone extracts an apk, there must be a password that is protecting the Phonegap files. I extracted many apks and saw this implemented on many Phonegap-based apps.
  2. Is there a way to save the API keys in config.xml and read them using JS?
  3. Is there a way to securely authenticate a Phonegap app without using login authentications like Facebook, Google, LinkedIn or Twitter? This is in the case of simple apps that do not require login, but still use those APIs.

I have used JavaScript obfuscation, but I need a more robust option. Can anyone help out?

  • To be honest, reverse engineering for API keys would be as simple as having a network monitor app installed or viewing the logcat on a rooted Android device. – L Balsdon Apr 15 '17 at 11:53

2 Answers


The best way to accomplish this (if you don't have control over the API) is to set up your own server-side API that stores your credentials, and then use that API to make a request to the other API; your API can then send back the response. Think of it like this:

APP > YOUR API > API > YOUR API > APP

L Balsdon
  • Hi L Balsdon. Thanks for the suggestions. Actually, I am using my own API, which is used to fetch some AI-processed content. The algos run on the server. But the API key resides inside the apk (in the obfuscated JS). The app is supposed to be a simple content app that does not require user auth or login. Hence I fear that the API is prone to compromise and anyone who can access the apk can straight away use the API. – Siddharth Mehta Apr 15 '17 at 12:50
  • I think this is the best way forward. Using your approach makes things a lot better. Tried it out. Marking it correct. Thanks :) – Siddharth Mehta Apr 16 '17 at 19:55
  • Thanks, and no problem, glad I could help. – L Balsdon Apr 16 '17 at 20:26
  • This is wrong. You hid your API keys but you did not really hide the service behind those keys. Basically, someone can directly access your server and make it proxy requests to the remote API without keys. In this case, he is pretending to be your app. – hammady Dec 10 '18 at 19:47
  • This is not secure because there is nothing stopping anyone from impersonating your app to request the API key from your server. – gpwr Mar 31 '23 at 05:59

I think

https://github.com/tkyaji/cordova-plugin-crypt-file

plugin might help you out. Still, it will decrypt the stuff at run time.

This thread also has a similar topic:

How to encrypt the content assets folder in phonegap android application

Hope this helps. :)

Community
  • Thanks Rajith :) I think L Balsdon's approach helps out in protecting the API well. Marking it correct. Though your answer adds value as well. – Siddharth Mehta Apr 16 '17 at 19:58