Using Gradle for Sensitive Credentials

ashdavies ™
Dec 15, 2014


It should go without saying that you shouldn't store sensitive data such as client IDs or secrets in plain text, or commit it to a Git or Subversion repository. In fact, you shouldn't ship client secrets in a mobile application at all: anything compiled into the APK can be pulled out of it by anyone who installs the app, so a "secret" there proves nothing about the client and undermines the whole authentication process.

So what’s the best process for handling this data?

I had thought about putting the values in a separate strings resource XML file and listing that file in .gitignore so it was never pushed to the repository. But this felt counter-intuitive, and it offered no way to vary the values across deployment scenarios.

In the end I decided to use the Gradle build files to inject a string resource based on the build configuration currently applied; this way a staging build can point at a different endpoint with different credentials from a release build.

Using apply from: in your build.gradle you can load properties from an excluded Gradle file that holds the credentials. This need not be a locally stored file: apply from: also accepts an HTTP URL, so you could host a Gradle configuration online and reference it from several projects. Bear in mind, though, that an applied script is executed as code with the full privileges of your build, so fetch it only over HTTPS from a source you control; a script served over plain HTTP can be swapped on the wire, and whoever controls the script controls your build.

In addition, the Android Gradle plugin (from version 0.8.3) supports resValue, which generates a resource value in your project at build time. It is a suitable alternative to buildConfigField, whose values are only reachable from code as constants on the generated BuildConfig class.

resValue gives you a little more flexibility, since you can treat the result like any other string resource (in layouts as well as code) without extra logic. It does, however, open the door to duplicates: if the same resource name also exists in your res/values files you'll get an error when you build. Also remember that neither mechanism hides the value: a resValue string is compiled into the APK's resources and a buildConfigField into its bytecode, so this keeps credentials out of your repository, not out of the hands of anyone holding the app.

Also take into account that you need a default configuration to fall back on (for example in defaultConfig, plus a guard for when the excluded file is absent); otherwise builds and Gradle tests on any machine that lacks the credentials file will fail.
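The setup described above, as an added example that is not code from the original post: a git-ignored credentials.gradle applied only when present, a defaultConfig fallback so a clean checkout still builds, and per-build-type resValue entries. File names, property names, URLs and credential values are hypothetical placeholders constructed for illustration.

```groovy
// ---- credentials.gradle (listed in .gitignore; never committed) ----
// Hypothetical placeholder values, constructed for this example.
ext.credentials = [
    release: [baseUrl: 'https://api.example.com/',     clientId: 'release-client-id'],
    staging: [baseUrl: 'https://staging.example.com/', clientId: 'staging-client-id'],
]

// ---- app/build.gradle ----
apply plugin: 'com.android.application'

// Apply the excluded file only when it exists, so a clean checkout (CI, a new
// contributor) still configures and builds with the fallbacks below.
// Never point this at a plain-HTTP URL: the applied script runs as build code.
def credentialsFile = rootProject.file('credentials.gradle')
if (credentialsFile.exists()) {
    apply from: credentialsFile
} else {
    logger.warn("credentials.gradle not found; building with placeholder credentials")
}
def creds = project.hasProperty('credentials') ? project.credentials : [:]

android {
    compileSdkVersion 21
    buildToolsVersion "21.1.2"

    defaultConfig {
        // Fallbacks so every variant has the resources and a build without
        // credentials.gradle still compiles. Do NOT also define these names in
        // res/values/strings.xml, or the build fails on duplicate resources.
        resValue "string", "api_base_url", "https://localhost/"
        resValue "string", "api_client_id", "unset"
        // buildConfigField takes a Java literal, hence the embedded quotes.
        buildConfigField "String", "API_CLIENT_ID", '"unset"'
    }

    buildTypes {
        // A staging build is a debug build pointed at a different server.
        staging { initWith(debug) }

        // Override the fallbacks for each build type that has an entry in the
        // excluded file; build types without one keep the defaultConfig values.
        [release, staging].each { type ->
            def entry = creds[type.name]
            if (entry != null) {
                // resValue writes the value straight into generated res/values XML,
                // so no extra quoting is needed for a string resource.
                type.resValue "string", "api_base_url", entry.baseUrl
                type.resValue "string", "api_client_id", entry.clientId
                type.buildConfigField "String", "API_CLIENT_ID", "\"${entry.clientId}\""
            }
        }
    }
}
```

A layout referencing @string/api_base_url, or code calling getString(R.string.api_client_id), then sees whichever value the active build type injected, while BuildConfig.API_CLIENT_ID shows the buildConfigField form for comparison. Keep a committed credentials.gradle.example with placeholder entries so the expected shape of the excluded file is documented, and remember that whatever lands in these resources is still readable by anyone who unpacks the APK.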

ashdavies ™

Android & Kotlin @GoogleDevExpert , failed blogger, public speaker, maker (and breaker) of shiny things @snappmobile_io (he/him)