We can also Android NDK enviornment where we use c or c++ files, which are directly compiled to binary code. That is the best way to keep any confidential data on client side..

Thank you soo much for this as I was actually looking for something like this like yesterday and see it come from you is really satisfying :))

Thanks for sharing, It is a common interview question...

Just keep appending new videos like this one to your android security playlist.

What you know I have done !! . The scarry part is that how easy is that !!! .Mailed to the concerned person.

why using the api key directly in the code? you can just send a request to your own server that handles the api key and asks the api

Hey Mate, Protecting Api keys from server is better option that this since generated build config file will expose all the keys. One more option we have is using CMake

Thank you very much Philipp. I have struggled a lot with this issue. Now "we" solved it :P

Great one, I do it in this way too, except I create my own properties file for that api key.

Thanks for considering my comment and making the video

One Addition, I think you stated it already in some comments this will just make it harder one that does want to find the key will find it for sure. However, even without decompiling an attacker will in first place just try to use a proxy e.g. Charles proxy maybe and check the requests if you do not use certificate pinning. I like your content but people may take it for the bulletproof solution because they may not listen carefully. And yes for 3rd party Apis its cool if you can have the key on your servers and enforce user authentication as well so no one unwanted may talk to your API 👍

Thanks!😍

hey buddy please update this video as kotlin is introduced as buildgradle lang and it's not working thhere

Additionally one could via smalli, painstakingly attempt to log every variable, function parameters, and return value (similar to strace), and thus attempt to locate api-key-like values by inspecting the output

I did a research on protecting the API key. with how on results you are very good. However, when the hacker gets your APK file, they will easily decompile the encrypted and get the API key easily. Currently, I find the best solution is to save the API key in a native C++ class or create a secure server that provides the API key

Thanks bro, much love❤

Hi it was me who gave the firebase suggestion on stack over flow. Too Sad that it is still the only way .

good one Phillippuh , make a video series for API integration in android

it will be good to add more videos about that topic

An even easier way of accessing local.properties is: val localProperties = gradleLocalProperties(rootDir) - then you can use localProperties["someKey"] to access its value.

Nice video, but when decompiling the apk you can still get those values ​​from the BuildConfig file

Api key shouldn't be used as authentication anyway. They are for authorisation. You should still be authenticated otherwise like oauth and perhaps retrieve the key from server dynamically.

It's okay to use the application signature as an additional key and check it on the server side to ensure that the request is coming from my application

Hello Philipp L. Many thanks for the explanation. Excellent as always. Could you do video explaining how to load data from local JSON file? many thanks

Is this using Groovy rather than Kotlin DSL? I'm having trouble following it. - Answer is yes by the way.

The "buildConfigField" causes an error with newer versions of Gradle and Android Studio: "Build Type contains custom BuildConfig fields, but the feature is disabled". You can fix this by adding android { ... buildFeatures { ... buildConfig = true } }

DO NOTE with smali editing, it is possible that someone could invoke Log.v on variables until an api key like value is reported if function chaining is done, eg FUNC(SECURE_GET()); then one could unchain this to see what SECURE_GET returns

Thanks for the video, I have two doubts about how we will handle The project is in CICD and when we are working as a team. in both cases we are not sharing the git ignore

Hi Phillip you can make updated version of this video with google security plugin

Hi Brother Philipp can you please create a guide video for becoming an Android Developer using Kotlin... Specially for Students in College.. Like where to follow the materiel... Please a New video on this topic will be lit 😊 Please...

Thanks a lot Phillip ❤️💯💯

Can you make a video about certificate pinning?

be careful if you use multiple module structure. there is need to pay attention - which gradle to update

Hey Phillip, I've been using this approach for saving the API keys, but in a modular architecture is there a way to pass these values to the specific module (let's say in layered modular architecture in where you set your network config in one of the layers).

Thank you so much for this, but please how do I protect my web app, Like a WordPress website that I converted into an android app Is it protected as my website is protected? Please help me out, let me know, if I will need to protect the we app separately God bless you

Nice.. 👍 See if you can make video on hide api keys by using NDK CMake. Would be love to see it.. 😊

Hi, How do we use this in manifest file?

Please make a video to secure api keys from NDK.

you don't know how long i waited for this video tutorial is it possible to make a project app to download youtube videos on local or full guied for paging 3?

I hide my key in native c code as it contains garbage value and it's hard to access key from it. And I just don't put my key as it is... I always break the key in may parts and add some more symbols in it to make it harder after try to extract it from reverse engineered extracted APK...

make jni folder and create file C to save the key and then use NDK to load the library, I think this is the best way.

Sir Your video Help me Alot in Andorid development Thanks Alot to keep it simple

great great great if you could make a video about how to use Cmake to secure Api key it will be good

Moral: We can only slow down the reverse engineering, Can't completely block third-party access to the API 🙂

Hi Philip. We can use KMS to protect the Api Keys. Please make video on that.

i love the explication, one fan more :)

Hey Philipp, thanks for making this video, this might be helpful to secure API Keys to major extent. And Can you also help us secure different API Keys with same Key name for different builds?

What about in the case of SSL Pinning. How do you safe secure your certificate public key on the app since the app needs it to authenticate the data

Helloooo! Little offtopic here. Could you suggest some good, comfy android developers / freelancers community in discord? I'm trying to go that route, but I tend to lose hope while being alone, you know? Thanks for your vids, btw! They're awesome!

hey people does anyone know which import goes into 4:08? Properties properties = new Properties() thnx I get Properties properties = new Properties() 1st Properties has error Classifier 'Properties' does not have a companion object, and thus must be initialized here equal sign has red underline new Properties() - Properties () Properties properties = new Properties() properties.load(project.rootProject.file("local.properties").newDataInputStream()) buildConfigField("String", "ARC_API_KEY", "\"${properties.getProperty("ARCMAP_API_KEY")}\"" load is red -Unresolved reference: load newDataInputStream() - Unresolved reference: newDataInputStream properties.getProperty - getProperty is red underline I am so lost it is not even funny ... thanx!

insightful

Nice video! But made me think about CI, if i'm trying to use github actions and try to run a gradle action such as lintDebug, how would i do that if in the repository doesn't have the api_key explicitly

yo bro, really thankya. Big respect

I Put everything together as you showed but as soon as i Push the minified APK on github IT revokes my github key, i build a Kind of App Store so i could easily Download newer Versions of my build Apps across my devices and IT pulles the Apps from github. Any Idea what i could Change so IT does Not revoke it? Do i need to make it Serverside?

hi Phillip can you do the tutorial regarding login and sign up using jetpack compose and room database thank you very much, I really need this course

Thank you for this informative video

thanks a lot. Could we save some secret keys in jenkins and got the value from app? if could , could you please help share it, thanks a lot

I like your videos. Can you create a video explaining how to prevent our app from rooted devices?

Its good to use API keys only on the server, but if someone is faking a client, then its possible to attack the server with replay attacks. So we need to secure also the communication with the server. And how can we tell the server that we are the original client? We still need an API key for our server?

Can You do a video on Securing webservices calls

Hey! I use Firebase Firestore to read The Base URL and API KEY's also how's that ? and with this approach I also change dynamic change things ??

thanks man, using the Jetpack security library do have any tutorial around using it with Datastore

Cool 😎 Thank you. I like this kind of movies.

philip can you please make a video about paging 3 with rick and morty API and room caching

very cool video thank you BRO 👍👍👍

Please make one video for firebase rulse for specific app.

Thanks bro, is very vedio.

No can hide api key in client side as reverse engineers intercepts app traffic using proxy then then can find the api key from the request params

Will this approach stop Google Play team to give an error of "Leaked GCP API Keys"?

Hello, Thank for the information, I just want to ask you a question, Can we store api key using native code with C++ ?? is that a legal way to put api keys in code ?

If I put my API Key in my server, then my server also has a server token which validates requests from either app or hacker sites. But now the question is, the server token is still in my app !! Hackers can get it and use it to find the actual API key !!

i would rather put my api keys and keystore in my private app center account and access in my gradle file through build.gradle, in this it wont be exposed as plain text, whats ur say?

Another solution is store api key inside an encrypted prepopulate local database

Why are you still using Groovy gradle scripts, not Kotlin DSL? 😒

Hey guys, I have a doubt, If i put this apiKeys as local files how do you guys send them to github, or CD/CI softwares ?

This is so good, thanks a lot, but I think this solution is not the best, the attacker can access the key if he have experience on attacking, I think I have something more secure I wanna share that in next comment, and if that is good or not please discuss me about that, thanks a lot, have a nice day.

Can I save it in EncryptedSharedPreferences? Or attackers can decrypt that?

is Same if you cerated in Build Type release ?? buildconfigfield

you said that i can get this key with other tools revers engineering? what aabout an API_KEY

why in my code Properties not resolved

Hi @philip, How about api key for Admob ads or fb ads?

what if we want to share across other dev

I am using NDK to secure my keys.

what about the team member checks the data of the API file using debug mode? whats the purpose of hiding from team members?

Hi, Can you create some videos about firebase function with firestore ? Thank you

I also used minSdk 21, but Android auto requires 23, so I bumped a little.

How about to secure room DB and encryption the record inside the room

Downloading api key through firebase is meanless, as nothing prevents attackers from making app with the same package name and google-services and obtaining keys on launch.

I need a little help from you sir How can we get to communicate with each other. I need a little help with something.

Please make the sound a little louder.

What's the difference between the approach you showed in your dictionary app series and this one?? Please explain a bit. Thank you! ❤️❤️❤️

👌👍

What if we make a cmake file and put api keys inside that ? Then use .gitignore.

Gradle in not the secure way to put keys. Anyone can find BuildConfig file after reverse engineer and extract that one easily.

Hey bro

🌹🤗

not useful, anyone can crack the key and API hit during the call, with network trace.

There is no secure by this way :D I think you never reverse app to get API key before :D This way just hide the key from source code, but when you build to apk file...the key must be provide and compress inside apk file :D

This one felt a bit like click bait 😅"How to hide and protect" - "you can't", but only said after half the video content

This may sound childish. But wont keeping our own safe word for the variable name "API_KEY" to something like "AWOOGA" make it difficult for them🤣 edit: oh nvm. I just reached the end of video, and already realised the minifyenabled does the job