Android Question Best place to store api keys?

tsteward

Well-Known Member
Licensed User
Longtime User
I am seeking advice on the best and most secure place to store API keys.

Recently, my OpenAI key was deleted because it had apparently been leaked, according to OpenAI.

Realizing that hard coding the key was not a smart idea, I have since moved to storing it in my hosted database and downloading it when my app starts.

This approach seems more flexible, as I can replace the key without needing to release a new app version if it changes again.

My question is: where is the best place to store sensitive information like API keys? Additionally, what other types of data can be stored online without compromising security?

I understand that no solution is perfect, but I want to make it as difficult as possible for the buggers to access this information.
 

Alexander Stolte

Expert
Licensed User
Longtime User
You think this is enough to ensure the token does not get "stolen"?
It's the recommended way from @Erel

Alternative, store the api key inside a image:
 
Upvote 0

Addo

Well-Known Member
Licensed User
Longtime User
Without authentication it can be impossible to protect your encrypted data you may harden the process of fetching those keys but you wont prevent it!

In my opinion store your sensitive encrypted "keys or data" in a backend that you will connect and use later to authenticate who can receive those sensitive information..
 
Upvote 0

Alex_197

Well-Known Member
Licensed User
Longtime User
But what if traffic will be intercepted by the moddle man? I think that the data sent or received should be encrypted by itself even with https.
 
Upvote 0

Addo

Well-Known Member
Licensed User
Longtime User
But what if traffic will be intercepted by the moddle man? I think that the data sent or received should be encrypted by itself even with https.
For sure sniffing is basic expectation during requesting any information through the network!
Whether using ssl or not..the idea ? is to cost the requester subscription fees to get access to this service! Although everything can be handled in the server side without sending the client side any thing or keys but authentication!!

Each request in that case will be handled in the server context and the client will expect only a replay with none sensitive data! Also you can create a log to each request used the sensitive key or token and when you fall in the sensitive data breach you will catch the one who leaked your data through decrypting his requests since you logged already his account information while using this sensitive data!
In the oop case using key to communicate with open Ai for his app clients!

Briefly a thief should break the window or crush the door to get in. which is your server in that case who keep those data needs to be broken or crushed.
 
Last edited:
Upvote 0

hibrid0

Active Member
Licensed User
Longtime User
The best place is in your server side.
Your app=>>your Backend=>>OpenIA.

And you will track the request and limit by hour or day.
Or ban an IP or device by Mac or Android Identifier.
 
Upvote 0

tsteward

Well-Known Member
Licensed User
Longtime User
The best place is in your server side.
Your app=>>your Backend=>>OpenIA.

And you will track the request and limit by hour or day.
Or ban an IP or device by Mac or Android Identifier.
I'd love to see some code on how you are doing this if possible.

So in my app customer types info on a vehicle then presses the AI button which rephrases it for them.
Are you saying I should submit the users input to the server and then return the result instead of doing it on the device?
 
Upvote 0

Addo

Well-Known Member
Licensed User
Longtime User
Use any communication protocol as a server and connect your app client to it..every thing will be running under this server context and your client app will be such a place to receive what ever you like.
 
Upvote 0

MrKim

Well-Known Member
Licensed User
Longtime User
Use an encryption library.
Encrypt the key with a PW.
Store the encrypted key and the PW in your app in different places using misleading names.
Decrypt the key when you run the app.
Not bullet proof but will take someone some time to figure out.
You could also put the encrypted key and the password in external files then load them and unencrypt at run time.
You could also store them in unused tags on some of your layouts.
 
Upvote 0

asales

Expert
Licensed User
Longtime User
I'm starting to use the OpenAI API in my apps, and due this thread (to avoid the same problem), I found this information:
"Never deploy your key in client-side environments like browsers or mobile apps."


So, I think, even you encrypt the key or download from the hosted database and use in your app, you will get a problem.

The recommended way is using a server to connect to OpenAI API and get the response:
"Requests should always be routed through your own backend server where you can keep your API key secure."
 
Upvote 0
Cookies are required to use this site. You must accept them to continue using the site. Learn more…