3

My end goal is to keep safe my API credentials and that cannot be discovered by decompiling the apk.

Currently, my API credentials are hardcoded at buid.gradle(app module) file.

When I decompiled my own apk using this site I can able to find the API url and other credentials.

Now I am looking for a solution and more interested to know how "google-services.json" file is getting parsed. enter image description here

If there is a solution to read **my-cred.json** file under app folder at runtime or compile time (the same directory where **google-services.json** exists), I think I can protect my credentials from decompiling the source( correct me if I am wrong)

Please tell me a way to read **my-cred.json** or any other solution to protect the app credentials

Jolta
  • 2,620
  • 1
  • 29
  • 42
Muhamed Riyas M
  • 5,055
  • 3
  • 30
  • 31
  • A nitpick maybe, but a key piece of terminology: Reverse engineering is not the same thing as decompiling. What you've done is to *decompile* your binary, which Java lets you do easily. Reverse engineering is the art of reconstructing a system by observing only its inputs and outputs, without seeing the source code. – Jolta May 14 '19 at 11:05

3 Answers3

1

In my opinion there is no way to protect this kind of private keys on your Android device. So the solution is simply not to store it on the Android device. But you can store it on an external server. In my case this key is used onyly once per session, to generate a session token. So I simply created a small java app that create the session token from the user id and the api key. That app is hosted on Google App Engine, but any hosting service should do the work. Then your Android app has to invoke this app (servlet) to get a proper token, which is then used to invoke the API.

I know this does not directly answer your question - but it's quite simple to put in place and will avoid your key to be reverse-engineered.

Benoit
  • 5,118
  • 2
  • 24
  • 43
1

This is only a partial answer, but before you get into complex obfuscation methods, I would recommend you to first check for each API how they actually authenticate your app: Most API services today require you to register the certificate of your app to work, so even with your API key, one wouldn't be able to use the quota of your app since one wouldn't have access to the private key used to sign your app.

Pierre
  • 15,865
  • 4
  • 36
  • 50
0

After some research i found out you can't reliably hide an app credential into an android app. Several solutions are being described but none of them is 100% secure , as it is pretty easy to reverse an android app.

You can only obfuscate to make an attacker loose time... Here are some ways to obfuscate your app credentials , but none of them are really secure even the C++/JNI one. https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/.

Only way to have it 100% secure is to set up your own server to hold the credentials and do the login for you, or even requests. I think the best way would be using an OAuth2 authentication process.

It depends on the time you have and your security needs.

oligan
  • 634
  • 6
  • 18