We can also Android NDK enviornment where we use c or c++ files, which are directly compiled to binary code. That is the best way to keep any confidential data on client side..
@ViktorYakunin9 ай бұрын
like you want to write to file using C++, how is this even different from java? or maybe you think that hardcoding C++ value and providing interface for java is something really hard? Open that binary file with text editor and you will find your key in 5 seconds
@MarcosValenzuela-j6eАй бұрын
Nice video, but when decompiling the apk you can still get those values from the BuildConfig file
@karentechnologies3990 Жыл бұрын
Just keep appending new videos like this one to your android security playlist.
@PassionforTechnology Жыл бұрын
hey buddy please update this video as kotlin is introduced as buildgradle lang and it's not working thhere
@hdkloh68572 жыл бұрын
Thanks for sharing, It is a common interview question...
@myfavourites63832 жыл бұрын
Hey Mate, Protecting Api keys from server is better option that this since generated build config file will expose all the keys. One more option we have is using CMake
@al1gned2 жыл бұрын
Thank you soo much for this as I was actually looking for something like this like yesterday and see it come from you is really satisfying :))
@sharmpuneet2 жыл бұрын
Thanks for considering my comment and making the video
@augustocera5742 жыл бұрын
Thank you very much Philipp. I have struggled a lot with this issue. Now "we" solved it :P
@clarkkent1473 Жыл бұрын
Additionally one could via smalli, painstakingly attempt to log every variable, function parameters, and return value (similar to strace), and thus attempt to locate api-key-like values by inspecting the output
@ThEGeEeK2 жыл бұрын
What you know I have done !! . The scarry part is that how easy is that !!! .Mailed to the concerned person.
@pixamob84522 жыл бұрын
It's okay to use the application signature as an additional key and check it on the server side to ensure that the request is coming from my application
@PhilippLackner2 жыл бұрын
Exactly
@shlusiak2 жыл бұрын
What stops an attacker to just send the right signature from a modified version of your app? You can't trust the client.
@moustafaelsaghier85522 жыл бұрын
Can you tell me more about this approach please?
@dmitriymorozov2680 Жыл бұрын
I would want to hear that approach too
@AdamArtAnanda Жыл бұрын
If you use a application signature you can reuse that in a replay attack (sending the same signature from an attacker app).
@harwinderbenipal5332 Жыл бұрын
Hi, How do we use this in manifest file?
@ekennechilex23902 жыл бұрын
What about in the case of SSL Pinning. How do you safe secure your certificate public key on the app since the app needs it to authenticate the data
@SurazVerma2 жыл бұрын
Hey Phillip, I've been using this approach for saving the API keys, but in a modular architecture is there a way to pass these values to the specific module (let's say in layered modular architecture in where you set your network config in one of the layers).
@Koki-hq1yc11 ай бұрын
Did you solve this issue. I have same question
@SurazVerma11 ай бұрын
@@Koki-hq1yc unfortunately I couldn’t find any solution yet
@sellychandan5 ай бұрын
Thanks for the video, I have two doubts about how we will handle The project is in CICD and when we are working as a team. in both cases we are not sharing the git ignore
@BillMoteАй бұрын
You can set your keys as environment variables and include them in (almost) the same way as is shown in this video. That keeps them out of source control, works with local builds, but also allows you to set environment variables as configuration options in your CICD solution.
@ubersticks Жыл бұрын
The "buildConfigField" causes an error with newer versions of Gradle and Android Studio: "Build Type contains custom BuildConfig fields, but the feature is disabled". You can fix this by adding android { ... buildFeatures { ... buildConfig = true } }
@LabGecko Жыл бұрын
Just ran into this myself. To be clear for others, that code goes in the App level build.gradle file, listed in Android Studio Giraffe as build.gradle( :app)
@ABCABC-sw8mh8 ай бұрын
why using the api key directly in the code? you can just send a request to your own server that handles the api key and asks the api
@PhilippLackner8 ай бұрын
Because lots of APIs don't work that way. For example the Google maps sdk for Android expects the key to be merged into the manifest. Also you still need to protect the server then, since what would keep an attacker back from making the same request?
@raheemadamboev2 жыл бұрын
Thanks bro, much love❤
@PhilippLackner2 жыл бұрын
Love back!
@moloodayat603911 ай бұрын
Can you make a video about certificate pinning?
@deepakbisht49572 жыл бұрын
I hide my key in native c code as it contains garbage value and it's hard to access key from it. And I just don't put my key as it is... I always break the key in may parts and add some more symbols in it to make it harder after try to extract it from reverse engineered extracted APK...
@hossamqandel56382 жыл бұрын
you don't know how long i waited for this video tutorial is it possible to make a project app to download youtube videos on local or full guied for paging 3?
@haykmkrtchyan70932 жыл бұрын
Great one, I do it in this way too, except I create my own properties file for that api key.
@ahoangnguyen67452 жыл бұрын
I did a research on protecting the API key. with how on results you are very good. However, when the hacker gets your APK file, they will easily decompile the encrypted and get the API key easily. Currently, I find the best solution is to save the API key in a native C++ class or create a secure server that provides the API key
@PhilippLackner2 жыл бұрын
Option 1 can still be decompiled. Any api key can be found if someone really wants it
@GabrielXimenes-r8j8 ай бұрын
Nice video! But made me think about CI, if i'm trying to use github actions and try to run a gradle action such as lintDebug, how would i do that if in the repository doesn't have the api_key explicitly
@aurinkobay7118 Жыл бұрын
hey people does anyone know which import goes into 4:08? Properties properties = new Properties() thnx I get Properties properties = new Properties() 1st Properties has error Classifier 'Properties' does not have a companion object, and thus must be initialized here equal sign has red underline new Properties() - Properties () Properties properties = new Properties() properties.load(project.rootProject.file("local.properties").newDataInputStream()) buildConfigField("String", "ARC_API_KEY", "\"${properties.getProperty("ARCMAP_API_KEY")}\"" load is red -Unresolved reference: load newDataInputStream() - Unresolved reference: newDataInputStream properties.getProperty - getProperty is red underline I am so lost it is not even funny ... thanx!
@naveenshah8032 Жыл бұрын
hey did you solved the error
@BCS_AAMIRASHRAF7 ай бұрын
//protect api key val properties=Properties() properties.load(project.rootProject.file("local.properties").inputStream()) buildConfigField ("String","API_KEY","\"${properties.getProperty("API_KEY")}\"") buildFeatures{ viewBinding=true buildConfig = true } //hope the error got resolved
@hansheng6542 жыл бұрын
Api key shouldn't be used as authentication anyway. They are for authorisation. You should still be authenticated otherwise like oauth and perhaps retrieve the key from server dynamically.
@llothar68 Жыл бұрын
How should this be a difference? Technically it’s the same problem
@manohar_reddy_anugu2 жыл бұрын
Hi it was me who gave the firebase suggestion on stack over flow. Too Sad that it is still the only way .
@andrewdunbar828 Жыл бұрын
Is this using Groovy rather than Kotlin DSL? I'm having trouble following it. - Answer is yes by the way.
@OP-pv6un Жыл бұрын
this using only Groovy (all old videos using Groovy) ,, Kotlin DSL is new 2023
@andrewdunbar828 Жыл бұрын
@@OP-pv6un Ah I only really started Android in 2023 so didn't realize it was so new. Thanks.
@flowzk9212 жыл бұрын
thanks man, using the Jetpack security library do have any tutorial around using it with Datastore
@葛蓉-x6u8 ай бұрын
thanks a lot. Could we save some secret keys in jenkins and got the value from app? if could , could you please help share it, thanks a lot
@divyanathanarul5502 жыл бұрын
Hi Philip. We can use KMS to protect the Api Keys. Please make video on that.
@Naresh-dev-angular-dotnet2 жыл бұрын
good one Phillippuh , make a video series for API integration in android
@MenaSamer2 жыл бұрын
it will be good to add more videos about that topic
@PhilippLackner2 жыл бұрын
What is still unclear?
@MenaSamer2 жыл бұрын
@@PhilippLackner everything is clear for me, I mean more tips about security as you mentioned at the end of the video
@Realmoviesstudios10 ай бұрын
Thank you so much for this, but please how do I protect my web app, Like a WordPress website that I converted into an android app Is it protected as my website is protected? Please help me out, let me know, if I will need to protect the we app separately God bless you
@quantumgaming74 ай бұрын
Hi Phillip you can make updated version of this video with google security plugin
@programmingwithjackchew9032 жыл бұрын
hi Phillip can you do the tutorial regarding login and sign up using jetpack compose and room database thank you very much, I really need this course
@NurAlam-xn6nx3 ай бұрын
No can hide api key in client side as reverse engineers intercepts app traffic using proxy then then can find the api key from the request params
@AndreyPushkarev-k5m Жыл бұрын
be careful if you use multiple module structure. there is need to pay attention - which gradle to update
@mostafaelnagar9002 жыл бұрын
great great great if you could make a video about how to use Cmake to secure Api key it will be good
@alvarorafaelalcobamiranda6256 Жыл бұрын
i love the explication, one fan more :)
@anaslakhani2 жыл бұрын
Hey! I use Firebase Firestore to read The Base URL and API KEY's also how's that ? and with this approach I also change dynamic change things ??
@sumit_soni2 жыл бұрын
Thanks a lot Phillip ❤️💯💯
@DominikSchulzNeristance2 жыл бұрын
One Addition, I think you stated it already in some comments this will just make it harder one that does want to find the key will find it for sure. However, even without decompiling an attacker will in first place just try to use a proxy e.g. Charles proxy maybe and check the requests if you do not use certificate pinning. I like your content but people may take it for the bulletproof solution because they may not listen carefully. And yes for 3rd party Apis its cool if you can have the key on your servers and enforce user authentication as well so no one unwanted may talk to your API 👍
@PhilippLackner2 жыл бұрын
I think I stressed out multiple times that keeping an api key in the app is not 100% safe 🤔
@dmitriymorozov2680 Жыл бұрын
@@PhilippLackner keeping your API keys on the server requires you to have some kind of jwt token to be obtained and stored locally. Isn't that an issue storing it in sharedPrefs, protoStore, sqlite? (Even using encrypted storage)
@dmitriymorozov2680 Жыл бұрын
You still have to store say sqlcipher password somewhere in your compiled app in order to encrypt and decrypt sqlite database. And decompiled app will show this password. Maybe we can obtain jwt+sqlcipher pass on login session and store sclcipher password in encrypted sharedprefs to read/write encrypted sql? As far as I know encrypted sharedPrefs store its keys in OS protected storage
@LabGecko Жыл бұрын
It amazes me that Google has not yet implemented an encrypted storage standard into Android Studio. This issue shouldn't be an us problem if we're using Android Studio to build apps for Google's ecosystem.
@tmjromao2 жыл бұрын
Hello Philipp L. Many thanks for the explanation. Excellent as always. Could you do video explaining how to load data from local JSON file? many thanks
@abhisheks21352 жыл бұрын
Please make a video to secure api keys from NDK.
@dev_jeongdaeri2 жыл бұрын
Thanks!😍
@felipefuenzalida54922 жыл бұрын
yo bro, really thankya. Big respect
@kingrajveer28852 жыл бұрын
Please make one video for firebase rulse for specific app.
@AdamArtAnanda Жыл бұрын
Its good to use API keys only on the server, but if someone is faking a client, then its possible to attack the server with replay attacks. So we need to secure also the communication with the server. And how can we tell the server that we are the original client? We still need an API key for our server?
@PhilippLackner Жыл бұрын
If the server uses it, the client can't abuse it though but only via the API the server exposes. If the server has a rate limit for example the client can't do anything about it since they still don't know the key. And if the server is really strict with incoming params the client can't get more info than a normal logged in user for example
@kishanpmevada2 жыл бұрын
Hello, Thank for the information, I just want to ask you a question, Can we store api key using native code with C++ ?? is that a legal way to put api keys in code ?
@dmytroberezhnyi7172 жыл бұрын
it a is legal way, and I think it is more safe to store it there. But you should not store your API key in native code just like that. Make some magic function that builds your API key, so it is really hard to read the assembler code with some confused logic and get your API key
@huseyintas98552 жыл бұрын
Thank you for this informative video
@rvnareshkumar2 жыл бұрын
Can You do a video on Securing webservices calls
@clarkkent1473 Жыл бұрын
DO NOTE with smali editing, it is possible that someone could invoke Log.v on variables until an api key like value is reported if function chaining is done, eg FUNC(SECURE_GET()); then one could unchain this to see what SECURE_GET returns
@yeyaanshkit2 жыл бұрын
Hi Brother Philipp can you please create a guide video for becoming an Android Developer using Kotlin... Specially for Students in College.. Like where to follow the materiel... Please a New video on this topic will be lit 😊 Please...
@peeranpc42622 жыл бұрын
Yaar you can start with Udacity courses. Trust me, they are free and top notch! I am speaking with experience because I asked the same question last year...
@VikramsinhChampavat Жыл бұрын
Will this approach stop Google Play team to give an error of "Leaked GCP API Keys"?
@haiderali73422 жыл бұрын
Sir Your video Help me Alot in Andorid development Thanks Alot to keep it simple
@grzegorzsamojedny2 жыл бұрын
Cool 😎 Thank you. I like this kind of movies.
@go_better2 жыл бұрын
Helloooo! Little offtopic here. Could you suggest some good, comfy android developers / freelancers community in discord? I'm trying to go that route, but I tend to lose hope while being alone, you know? Thanks for your vids, btw! They're awesome!
@siddheshpalkar39862 жыл бұрын
Nice.. 👍 See if you can make video on hide api keys by using NDK CMake. Would be love to see it.. 😊
@rahulkumar-td7pn2 жыл бұрын
i would rather put my api keys and keystore in my private app center account and access in my gradle file through build.gradle, in this it wont be exposed as plain text, whats ur say?
@AhmedAli-ld6en2 жыл бұрын
philip can you please make a video about paging 3 with rick and morty API and room caching
@diniconightsАй бұрын
I Put everything together as you showed but as soon as i Push the minified APK on github IT revokes my github key, i build a Kind of App Store so i could easily Download newer Versions of my build Apps across my devices and IT pulles the Apps from github. Any Idea what i could Change so IT does Not revoke it? Do i need to make it Serverside?
@mustafaammar5512 жыл бұрын
very cool video thank you BRO 👍👍👍
@taphoavuinhon19962 жыл бұрын
make jni folder and create file C to save the key and then use NDK to load the library, I think this is the best way.
@PhilippLackner2 жыл бұрын
Can still be found by reverse engineering
@sharmpuneet2 жыл бұрын
Decompiling APK won’t work with NDK but hacker can use deassembler and check .so files. NDK is still better than saving in build.gradle. It makes life of a hacker a little difficult
@AmirRaza12 жыл бұрын
Do not put keys in plain string format in jni. Anyone can find .so file and extract that one.
@ayoubdev2 жыл бұрын
is Same if you cerated in Build Type release ?? buildconfigfield
@muhannddh2 жыл бұрын
How about to secure room DB and encryption the record inside the room
@chienlichen65512 жыл бұрын
Thanks bro, is very vedio.
@AjayChoudhary-on3uw2 жыл бұрын
Hi @philip, How about api key for Admob ads or fb ads?
@haykmkrtchyan70932 жыл бұрын
Can I save it in EncryptedSharedPreferences? Or attackers can decrypt that?
@PhilippLackner2 жыл бұрын
How are you going to do that? You'll have a function call somewhere where you save the plain text api key in shared pref and therefore the key will be in memory once.
@haykmkrtchyan70932 жыл бұрын
@@PhilippLackner oh right 😅
@rami84422 жыл бұрын
Hi, Can you create some videos about firebase function with firestore ? Thank you
@PhilippLackner2 жыл бұрын
Did already
@rami84422 жыл бұрын
@@PhilippLackner Sorry i mean "cloud firestore function triggers".
@ahmedmudassir10352 жыл бұрын
what about the team member checks the data of the API file using debug mode? whats the purpose of hiding from team members?
@nitinpatil62355 ай бұрын
insightful
@rogercolque Жыл бұрын
you said that i can get this key with other tools revers engineering? what aabout an API_KEY
@ahmednashwan81112 жыл бұрын
This is so good, thanks a lot, but I think this solution is not the best, the attacker can access the key if he have experience on attacking, I think I have something more secure I wanna share that in next comment, and if that is good or not please discuss me about that, thanks a lot, have a nice day.
@youngtigersivateja2 жыл бұрын
Hey Philipp, thanks for making this video, this might be helpful to secure API Keys to major extent. And Can you also help us secure different API Keys with same Key name for different builds?
@noelgozon24542 жыл бұрын
I am using NDK to secure my keys.
@kamertonaudiophileplayer8472 жыл бұрын
I also used minSdk 21, but Android auto requires 23, so I bumped a little.
@sreeshtyraychoudhury27137 ай бұрын
what if we want to share across other dev
@andrevini8099 Жыл бұрын
Hey guys, I have a doubt, If i put this apiKeys as local files how do you guys send them to github, or CD/CI softwares ?
@PhilippLackner Жыл бұрын
You'll need to create the local.properties file with your API key using a script step before building the project
@Rabbits_Tech Жыл бұрын
If I put my API Key in my server, then my server also has a server token which validates requests from either app or hacker sites. But now the question is, the server token is still in my app !! Hackers can get it and use it to find the actual API key !!
@chirantanbhakhar52419 ай бұрын
Moral: We can only slow down the reverse engineering, Can't completely block third-party access to the API 🙂
@nevardreik2 жыл бұрын
An even easier way of accessing local.properties is: val localProperties = gradleLocalProperties(rootDir) - then you can use localProperties["someKey"] to access its value.
@and702 жыл бұрын
Ty for wasting my time, its not even working.
@nevardreik2 жыл бұрын
@@and70 you’re welcome.
@rameswartarai84522 жыл бұрын
I like your videos. Can you create a video explaining how to prevent our app from rooted devices?
@maskedredstonerproz2 жыл бұрын
Prevent them being installed on rooted devices?? why would you want that??
@valeriyo2 жыл бұрын
Why are you still using Groovy gradle scripts, not Kotlin DSL? 😒
@totktonadafrakc59482 жыл бұрын
Downloading api key through firebase is meanless, as nothing prevents attackers from making app with the same package name and google-services and obtaining keys on launch.
@alexjames15752 жыл бұрын
I need a little help from you sir How can we get to communicate with each other. I need a little help with something.
@shmnysm74812 жыл бұрын
Another solution is store api key inside an encrypted prepopulate local database
@PhilippLackner2 жыл бұрын
How do you want to pre-populate it? At some place in your code you'll have to do that and the API key will be the parameter for that function in clear text.
@shmnysm74812 жыл бұрын
@@PhilippLackner prepopulate a Room database from a prepackaged database file that is located apk assets directory.
@PhilippLackner2 жыл бұрын
@@shmnysm7481 Then the key will be somewhere in your code to decrypt it. Again, you can make it harder of course, but if someone really wants it, they'll find it.
@muyassarabdullah15047 ай бұрын
why in my code Properties not resolved
@khapp78212 жыл бұрын
Please make the sound a little louder.
@MadManiacsam2 жыл бұрын
What if we make a cmake file and put api keys inside that ? Then use .gitignore.
@maskedredstonerproz2 жыл бұрын
how would you use a cmake file??
@peeranpc42622 жыл бұрын
What's the difference between the approach you showed in your dictionary app series and this one?? Please explain a bit. Thank you! ❤️❤️❤️
@PhilippLackner2 жыл бұрын
I don't remember what I did there haha
@peeranpc42622 жыл бұрын
@@PhilippLackner What you did is : In app gradle buildConfig("String", "API_KEY", API_KEY) instead of properties etc Is this the same as new approach??
@AmirRaza12 жыл бұрын
Gradle in not the secure way to put keys. Anyone can find BuildConfig file after reverse engineer and extract that one easily.
@PhilippLackner2 жыл бұрын
Congrats for not fully watching the video
@alexjames15752 жыл бұрын
Hey bro
@danishmehmood5375 Жыл бұрын
not useful, anyone can crack the key and API hit during the call, with network trace.
@hikmetqedirov83372 жыл бұрын
👌👍
@breakeract7962 жыл бұрын
There is no secure by this way :D I think you never reverse app to get API key before :D This way just hide the key from source code, but when you build to apk file...the key must be provide and compress inside apk file :D
@PhilippLackner2 жыл бұрын
Oh, another one who didn't watch the video
@breakeract7962 жыл бұрын
@@PhilippLackner Yes I did. You can easy to retrieve the API key by RE
@ashar93272 жыл бұрын
🌹🤗
@rajeshkanna95022 жыл бұрын
This may sound childish. But wont keeping our own safe word for the variable name "API_KEY" to something like "AWOOGA" make it difficult for them🤣 edit: oh nvm. I just reached the end of video, and already realised the minifyenabled does the job
@PhilippLackner2 жыл бұрын
Just call it ENCRYPTED_API_KEY, they'll think they can't use it and won't even try🌝
@rajeshkanna95022 жыл бұрын
@@PhilippLackner 🤣🤣🤣🤣
@ssEACatt2 жыл бұрын
This one felt a bit like click bait 😅"How to hide and protect" - "you can't", but only said after half the video content