3

How do you guys prefer to hide the API keys you use in your (native) Android apps?

I'm an Android noob and the app I'm building uses some NLP services which are accessed through a key. I searched around and found a few techniques (obfuscation, serverside storage, etc.), just wanted to know what you folks recommend.

Comments
  • 2
    You can't hide them; they can always be intercepted by anyone with a HTTPS packet inspector.

    Your best option would be an API that uses the keys internally.
  • 3
    Build your own api endpoint. Store the API key on the server. Probably the safest.
  • 0
    Always use SSL/TLS aka https with ssl pinning to block newbies intercepting your requests. In addition to that use your API key with time based challenges to re-authenticate and adjust your sessions duration accordingly. All of this increases the security but remember nothing is unbreakable. If someone is determined they will make they’re way through. First you need to asses the risk, define security measures to protect yourself/your users from theft or impersonation etc. Do not over engineer your API is my last advice. And last you can store the key in the device keystore never in the shared preferences. Once you have timebased challenge in addition to using your key it will make reauthenticating with same hash very hard.
  • 0
    You don’t
  • 0
    @IAmAnIssue I, for one, am intercepting the network traffic of my smartphone and make use of some valuable information there.
    But I don't do anything that can be harmful.

    With that being said. You need to find a safer way to handle the API keys. People could use it for bad things.
Add Comment