Geek Answers Handbook

How can I safely store and retrieve API keys for an Android application (written in native Java) using Firebase Hosting?

I'm just starting to learn how to code. Providing example code would be fantastic.

I developed a simple Android application (native Java) using Firebase. I have several API keys hardcoded to my application resources. I read that it is better to store these keys on the server. I don't currently have my own domain or server, but I'm interested in using Firebase Hosting to store these API keys.

I would appreciate help creating the foundation for storing and retrieving these API keys through Firebase Hosting. I am open to other suggestions if they are simple and safe.

Thanks!

+1
firebase firebase-hosting api-key
source share
2 answers

Yours (mobile or web clients) should never include the secret of your Firebase. At some point, someone redesigns your code, extracts the secret code, and with those who can read / write all the data in your Firebase database. The only thing you can do at this point is to undo the secret that will cause all customers to fail.

Firebase hosting allows you to store only static resources. Therefore, while you can store your API keys on Firebase hosting servers, this would not help in security. It will still be available to everyone.

Instead, you should use regular Firebase validation in your clients. This is described in the Firebase manual for authenticating users on Android . A good example of this can be found in the Firebase Login Demo for Android .

+3
source share

You can encrypt API keys and other sensitive data. Here is a great article. The most sensitive thing is the password that will be used to generate the symmetric key. And it is important (yes, the same problem again) that this password is not hardcoded in the code, but in order to calculate it at runtime. One of the good parts for calculating it is APK certificate data ( Get apk signature at runtime for Android ). This is likely to make the work of the reverse engineer a little more complicated. But dynamic analysis will help him / her get the secret key.

The server side calculation method is also very useful here, especially in combination with the previous tip.

Thus, part of the key is generated at runtime, and the other part must be received from the server after successful user authentication. Just an example.

But the easiest way is to use commercial obfuscators that support string / dex-bytecode encryption like DexProtector

NB I am affiliated with Licel (DexProtector developer)

-one
source share

More articles:


All Articles