Secure your API keys locally like a champ
Many times we want to securely store API keys in our app to make different service calls through it. Here “API keys” I mean youtube key, fabric crashlytics key or Firebase cloud messaging key .
Eg of a Youtube API key: AIzaSyDhEeq_FYAdCzMMSigmMcRwF_nQEhUXS-0
Problems storing API keys in our android app:
- We cannot write these keys in plain Java class. If done it can be easily stolen by reverse engineering the apk.
- Cannot store it in strings.xml file. Even it is vulnerable to reverse engineering.
- Creating a SQLite database to store these keys would be an overkill.
So to tackle these problems. I present you a very simple, clear and effective solution to store these sensitive keys without having the fear of getting it stolen due to reverse engineering.
SecureStore
I use the power of C++(NDK) to write these keys in the C++ files and passing these keys when need to Java classes through the power of JNI.
Reason I use C++ to store these keys is:
- C++ generally compile directly to native machine code.
- C++ is much harder to decompile
Note: This is not a silverbullet to completely avoid hacking and getting the stored keys compromised. But it is very difficult to decompile a C++ code. It will take an experienced hacker(many are just script kiddies in the market) to decompile it. You can read about NDK by going through the below link:
https://developer.android.com/ndk/
Now you have a big question. How can I immediately implement it in my project without wasting much time reading about NDK and understand its core. The answer to your question is:
- Download and setup NDK with your android studio.(Link to download: https://developer.android.com/ndk/downloads/older_releases)
- Copy and paste below three files to the respective directory in your project:
> Check build.gradle of the app module for configuration
Hope you like this sweet and simple article. Appreciate me with a clap if you found it useful.