How to safeguard your API Keys in Android projects with GitHub secrets

Jordan Mungujakisa
Make Android
Published in
5 min readJun 18, 2023
Photo by Christopher Gower on Unsplash

Introduction

APIs play a crucial role in the development of various applications. As developers, we often rely on numerous APIs to enhance the functionality and user experience of our projects. However, with the increasing importance of API integration comes the responsibility of securing the associated API keys.

Recently, our team at Remote Squad faced a similar challenge while working on a project that relied heavily on API consumption. Protecting these API keys became a top priority to mitigate potential risks and maintain the integrity of our project. We realized that pushing these keys directly to the GitHub repository was not a viable option, as it could expose sensitive information to unauthorized users.

Financial risks associated with insecure API keys can be detrimental to a project. API keys are often associated with service plans that have usage-based costs. If unauthorized individuals gain access to your API keys, they can exploit them to make requests that you’ll ultimately have to pay for. This can lead to unexpected and significant financial losses for your organization

I would like to share the effective methods we used to protect our API keys. Our approach not only ensured the confidentiality of these keys but also allowed us to seamlessly integrate them into our Continuous Integration/Continuous Deployment (CI/CD) workflows using GitHub Actions. By following the steps outlined in this article, you too can learn how to protect your project’s API keys and maintain data privacy.

Storing API Keys in the local.properties File

To securely store API keys, one effective method is to utilize the local.properties file. This file serves as a secure storage option within your Android project and ensures that sensitive information, such as API keys, is not exposed in your version control system.

By adding the local.properties file to your project’s .gitignore file, you can prevent it from being committed to your repository. This ensures that the API keys remain confidential and are only accessible on the local development environment.

To add API keys to the local.properties file, follow these steps:

  1. Create a new file called local.properties in the root directory of your Android project, if it doesn’t already exist.
  2. Open the local.properties file in a text editor and add the API key using the format KEY_NAME=api_key_value. For example,
YOUTUBE_API_KEY=apikey12345abcdfrt

3. Save the local.properties file.

Retrieving API Keys in the BuildConfig

Once you have stored your API keys in the local.properties file, you can retrieve them from your app’s build.gradle file by following these steps:

  1. Open your app module’s build.gradle(Module:app) file.
  2. Inside the android block, add the following code snippet:
android {
// Other configurations...

defaultConfig {
// Get the API keys from local.properties
Properties properties = new Properties()
properties.load(project.rootProject.file("local.properties").newDataInputStream())

// Set API keys in BuildConfig
buildConfigField "String", "API_KEY_NAME", "\"${properties.getProperty("API_KEY_NAME")}\""
}

// Other configurations...
}

3. Replace API_KEY_NAME with the actual name of your API key.

4. Sync your project to apply the changes.

I usually Clean Project and Rebuild Project to generate the BuildConfig class, otherwise sometimes the BuildConfig class is not regenerated with the new fields from the local.properties files.
By loading the local.properties file and setting the API keys in the BuildConfig, you can access the keys throughout your project using the BuildConfig class.

If you are using the gradle with kotlin dsl, you can access the API in the build.gradle like this

import java.util.Properties

val properties = Properties()
properties.load(project.rootProject.file("local.properties").inputStream())
buildConfigField("String", "API_KEY_NAME", properties.getProperty("API_KEY_NAME"))

You can access the API key from anywhere in your project like this;

private val apiKey = BuildConfig.API_KEY_NAME

Replace API_KEY_NAME with the name of the specific API key you wish to access.

Integrating GitHub Secrets

To further enhance the security of your API keys and other sensitive information in your GitHub repository, it is important to use GitHub Secrets. GitHub Secrets provide a secure and encrypted storage solution within your GitHub repository, ensuring that sensitive data remains protected. By storing your API keys in GitHub Secrets, you prevent them from being exposed in your codebase or accidentally pushed to the repository.

To add the contents of your local.properties file to GitHub Secrets, follow these steps

  1. Go to your GitHub repository and navigate to the Preferences tab.
  2. Click on “Secrets and Variables” in the left sidebar.
  3. Select “Actions”.
  4. Click the ‘New repository secret’ button.
  5. Enter a name for the secret, such as LOCAL_PROPERTIES, and copy the entire contents of the local.properties file into the ‘Value’ field.
  6. Click the Add Secret button to save the secret.

Loading local.properties in GitHub Actions

To use the contents of the local.properties file in your GitHub Actions workflows, you need to load the file into the workflow environment. This allows you to access the API keys stored in the local.properties file without exposing them in your repository.

Navigate to the .github/workflows directory in your repository, or create a new workflow file if it doesn’t exist.

Open the workflow file and add the following step to load the local.properties file:

- name: Get local.properties from secrets
run: echo "${{secrets.LOCAL_PROPERTIES }}" > $GITHUB_WORKSPACE/local.properties

This step retrieves the contents of the LOCAL_PROPERTIES secret from GitHub Secrets and saves it as a local.properties file in the workflow workspace.

Save the workflow file and commit it to your repository.
With these steps, the local.properties file is available for Gradle to create the BuildConfig class for your project to use in the workflow workspace.

By following the steps above, we successfully secured our API keys in our Android project. We achieved this by storing the keys in a separate local.properties file, which we added to the .gitignore file to prevent it from being pushed to the remote GitHub repository. For our CI/CD workflows, we securely stored the local.properties file in the encrypted GitHub secrets, allowing us to access and use the keys in our workflow without compromising their security.

I hope this article has provided you with valuable insights into how to protect and securely use API keys in your Android projects.

Ciao 🤓

If you would like to chat, don't hesitate to reach out to me on twitter @JakisaJordan

--

--

Jordan Mungujakisa
Make Android

Mobile app alchemist who is trying to transmute elegant designs, into elegant code, into beautiful mobile app experiences.