Android Question API_KEY obfuscation

walterf25

Expert
Licensed User
Longtime User
Hi all, I have been trying to upload an app to the google play store which I haven't done in a very long time, seems like a lot of things have changed.

I am getting an error saying that my GCP key is exposed, I came a few threads in the forum and I have already limited my key to only my app by entering my app ID and hash, now I need to obfuscate the API_KEY variable that holds my firebase api_key, I read somewhere @Erel suggests placing this variable in a Process_Global which I have done but when I look at the ObfuscatorMap.txt file I don't see that variable there, am I missing something?

Or do these variables get obfuscated but I just can't see them, how does this work?

Thanks,
Walter
 

walterf25

Expert
Licensed User
Longtime User
Strings set in Process_Globals are obfuscated. You will not see it in the map file. You can see it by decompiling classes.dex. Note that a determinate hacker will be able to deobfuscate the string quite easily.
What is the best way or best practice in this case to hide the API_KEY?
 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
What is the best way or best practice in this case to hide the API_KEY?

I suppose not include it in the app but have it in a server (or some servers) and restrict the key to the IPs of these servers driving the app to make requests to this server or the load balancer of the bunch of servers.
 
Upvote 0

Robert Valentino

Well-Known Member
Licensed User
Longtime User
Maybe I'm way off here but couldn't you encrypt the string and just store the encrypted value and decrypt it in the program

Sure a determined hacker would realize that but the string in its normal form would not be visible??
 
Upvote 0
Cookies are required to use this site. You must accept them to continue using the site. Learn more…