While decompiling my Android app's APK file, I found the Fabric API key in the manifest file. How can I secure the Fabric API key against APK decompilation?
I have made the following code changes to hide the Fabric API key from the manifest file, but it is still visible after APK decompilation.
I added my Fabric API key to gradle.properties:

    FabricAPIKey=0123456789ABCDEF012345123456789ABCDEF012

In build.gradle (Module):

    ...........
    def FABRIC_API_ID = FabricAPIKey
    .....
    buildTypes {
        debug {
            ..........
            manifestPlaceholders = [ // this is used to define the variable for the manifest file
                FABRIC_API_KEY: FABRIC_API_ID
            ]
        }
        release {
            ..........
            manifestPlaceholders = [ // this is used to define the variable for the manifest file
                FABRIC_API_KEY: FABRIC_API_ID
            ]
        }
    }

And in AndroidManifest.xml:

    <meta-data
        android:name="io.fabric.ApiKey"
        android:value="${FABRIC_API_KEY}" />

Mike from Fabric here. Seva's point should be well noticed - "a sufficiently motivated hacker can eventually get to it, given a debugger and enough time".
If you want, you can place the API key and Build secret in a fabric.properties file. Copy your API key out of your Android manifest, and delete the line that reads:

    <meta-data android:name="com.crashlytics.ApiKey" android:value="YOUR_API_KEY_HERE"/>

Then make a file called fabric.properties and place this folder in the root of the module that applies Crashlytics in its build.gradle. In the fabric.properties file, add:

    apiKey=YOUR_API_KEY_HERE

Once that's complete, refresh your dependencies to pull in the change:

    ./gradlew clean --refresh-dependencies
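
Added example, not part of the original question or answer: a check that reports whether a manifest still carries the key in either of the two meta-data entries named on this page, and whether the value is an unsubstituted `${...}` placeholder or the literal key. The function name and both sample manifests are constructed for illustration, and the input is assumed to be plain-text XML (a decoded or merged manifest, not the binary XML inside the APK).

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# The two meta-data names that appear on this page.
KEY_NAMES = {"io.fabric.ApiKey", "com.crashlytics.ApiKey"}
PLACEHOLDER = re.compile(r"^\$\{\w+\}$")


def find_manifest_keys(manifest_xml):
    """Return (name, state, shown_value) for each API-key meta-data entry.

    state is "placeholder" when the value is still an unsubstituted ${...}
    (source manifest) and "literal" when a real value is present.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for meta in root.iter("meta-data"):
        name = meta.get(f"{{{ANDROID_NS}}}name")
        if name not in KEY_NAMES:
            continue
        value = meta.get(f"{{{ANDROID_NS}}}value", "")
        if PLACEHOLDER.match(value):
            findings.append((name, "placeholder", value))
        else:
            # Mask the value so the check does not leak the key into CI logs.
            masked = value[:4] + "*" * max(len(value) - 4, 0)
            findings.append((name, "literal", masked))
    return findings


# Constructed samples: the source manifest from the question, and the same
# entry after the build has substituted the manifestPlaceholders value.
SOURCE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <meta-data android:name="io.fabric.ApiKey" android:value="${FABRIC_API_KEY}" />
  </application>
</manifest>"""
BUILT = SOURCE.replace("${FABRIC_API_KEY}", "0123456789ABCDEF012345123456789ABCDEF012")

if __name__ == "__main__":
    for label, doc in (("source", SOURCE), ("built", BUILT)):
        print(label, find_manifest_keys(doc))
```

The "built" sample shows why the placeholder approach in the question changes nothing in the shipped app: the placeholder only exists in the source manifest, and the build writes the literal value in its place.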