Android Question Storing API keys, passwords etc. in a safe way

bluedude

Well-Known Member
Licensed User
Longtime User
Hi,

I don't want to use obfuscation but I need to hide API keys, passwords etc. inside the code and I struggle to do so.

I haven't seen a real working solution on this forum for this. Overall I guess we need an asymmetric encryption method with a server side to hand out keys.

Looking through forum posts I think this is a real issue which hasn't been solved yet. More and more apps talk to APIs and backend systems but none of these seem to have a safe system to store secret information in the app.

Does anyone have a working solution with for example a PHP server to hand out keys on the backend?

Cheers,
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
Why don't you want to use obfuscation?

There isn't any safe way to store passwords inside an app. Encryption will not really help (though it is simple to implement). A hacker can run your program and intercept the server password.

If you do want to implement such a solution then you can use KeyValueStore (PutEncryptedObject) and retrieve the password from the server.
 
Upvote 0

bluedude

Well-Known Member
Licensed User
Longtime User
Erel,

Obfuscation is a hassle (and not safe either) and I don't need to make my code unreadable, it isn't worth the effort. Retrieving the password from the server? There is no real way to do this safely because to call the server I also need to pass something like an API key to protect my script :) How to hide that API key if I call the server? Same problem all over again because I need to pass it from my Android app.

Some type of public and private key would probably solve the issue.

I think lots of apps struggle with the same problem.

Any other suggestions?
 
Upvote 0

bluedude

Well-Known Member
Licensed User
Longtime User
I wouldn't say general because otherwise I would not ask it here. In most cases this problem occurs between mobile and backends on separate devices (mobile and server).

Let the user enter a password? I think a hacker could also be a user so he would get the same password and thus be able to decrypt for example an API key and see it.

I think in the end the only solution is the use of private and public keys.

Anyway, thanks for your reply.
 
Upvote 0

bluedude

Well-Known Member
Licensed User
Longtime User
Just curious, how would you store for example an FTP or API key inside an Android app? Obfuscation isn't very safe and can be reverse engineered.

Doing it with a password does not make sense because the password would be provided in code so readable. Actually, the same password for everyone would be a bad idea too. And having a different password wouldn't work because the encrypted API key needs to decrypt to the same string in the end.

Cheers,
 
Upvote 0

Erel

B4X founder
Staff member
Licensed User
Longtime User
I don't see how an asymmetric key will solve this problem. Eventually your app will need some key to decrypt the data. A hacker can follow the steps your app is following and get this key.

Obfuscating the key is a simple method that makes it a bit more difficult to extract the key. In most cases using obfuscation is very simple so the "cost" is minimal.
 
Upvote 0
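One way to realise Erel's suggestion of retrieving what the app needs from the server, as an added example that is not from this thread and not B4X code: the third-party key never leaves the backend, the app only ever holds a short-lived per-user token issued at login, and the backend makes the upstream call on the app's behalf. Python stands in for the PHP server bluedude asks about; the key values, the token format and the upstream URL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

UPSTREAM_API_KEY = "PLACEHOLDER-upstream-api-key"      # assumed third-party key; server-only, never in the APK
TOKEN_SIGNING_KEY = b"PLACEHOLDER-server-signing-key"  # assumed server-only HMAC key
TOKEN_TTL = 900                                        # token lifetime in seconds
REVOKED_USERS = set()                                  # per-user kill switch

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, now=None) -> str:
    """After login, hand the app a short-lived signed token instead of any API key."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(mac)

def verify_token(token: str, now=None):
    """Return the user id if the token is intact, unexpired and not revoked, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = unb64url(payload_b64), unb64url(mac_b64)
        expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or tampered: reject before trusting any claim
        claims = json.loads(payload)
        if claims["exp"] < now or claims["sub"] in REVOKED_USERS:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None

def proxy_call(token: str, resource: str, now=None) -> dict:
    """The app asks the server for a resource; the server attaches the upstream key itself."""
    user = verify_token(token, now)
    if user is None:
        return {"status": 401}
    # Stand-in for the real upstream HTTP request, built and sent server-side (assumed URL).
    upstream = {"url": "https://upstream.example/" + resource, "headers": {"X-Api-Key": UPSTREAM_API_KEY}}
    return {"status": 200, "user": user, "upstream": upstream}
```

This does not make anything in the APK secret, which is Erel's point; it changes what an extracted credential is worth, since a leaked token expires and a misbehaving user can be revoked server-side without rotating the upstream key.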