Search code examples
androidsecurityenvironment-variablesfirebase-security

Secure way of storing Secret credentials


I have an android app, which I want to deploy for commercial use. I am using aws secret credentials, currently I have hardcoded it in the code.

Is there any safe way of deploying the Android app ,by passing credentials as external parameters. Just like what we do in server app, passing credentials as Environment variables.I don't want to have secret keys open in my code base.

I wanted to know if there is any way to do something similar in android app.


Solution

  • I found out the following method to pass creds as Envirnoment Variables to apk while building. These will be stored as build variable.

    In your project directory create a gradle.properties file and add your credentials:

    AWS_CRED=aws_cred
    

    In your gradle build file, under android add the following:

    android {
    defaultConfig{
    manifestPlaceholders=[AWS_CRED:AWS_CRED]
    }
    }
    

    What this does is, it will pass the build variables to your android manifest. Now go to AndroidManifest.xml and under the tag add the following:

    <application
    <meta-data
                android:name="AWS_CRED"
                android:value="${AWS_CRED}" />
    </application>
    

    Now access the value of in any java code, as below:

    applicationInfo = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), PackageManager.GET_META_DATA);
    

    This method worked for me, Please comment if anyone knows a better way to do it.