
I was working on one Android App which was communicating with a RESTful server. We made an API Key which was inserted in the header of GET and POST requests. This API Key was stored in Strings. The app is no longer used and the server is also down.

I found the app.apk file and was curious how secure it is, so I decompiled its source and found the API Key there like this. We didn't use ProGuard because we didn't have time.

The question is how to store API Keys in Android applications, because this way I can also obtain the Google Maps API Key.


1 Answer


So, you're asking if you can store the API Key in the App, but also protect it from being stolen? This is not possible.

There is a possible solution to make theft more difficult. Use OTP XOR encryption so that the API Key is split into two parts that must be combined.

The first part is stored in your application.

The second part is downloaded from your server equipment and then stored in the App-Private data, preferably in such a way that does not make its purpose obvious. Alternatively, you could 'not store' the second part, (keep it in Application Memory or Intent Extras only) but then you'd have to download it from the server every time the app is launched.

Then you can use ProGuard to make the overall application more difficult to understand.

Of course these only make theft more difficult, and do not actually secure the Key from theft.

If you really need to secure the key, then you'll have to route all requests to the Google Maps API through a Proxy server which you control. That Proxy server can add the API Key to each request as needed.
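The one-time-pad XOR split described in this answer, as an added example that is not part of the original post (the key value and function names are constructed for illustration; in a real app the `app_part` would sit in the APK and the `server_part` would be fetched at runtime):

```python
import secrets


def split_key(api_key: str) -> tuple[bytes, bytes]:
    """Split a key into two XOR shares.

    app_part is a fresh random pad the same length as the key; this is the
    share that ships inside the APK.  server_part is key XOR pad and is the
    share served at runtime.  Either share on its own is uniformly random,
    so a decompiler that finds only app_part learns nothing about the key.
    """
    key_bytes = api_key.encode("utf-8")
    app_part = secrets.token_bytes(len(key_bytes))
    server_part = bytes(k ^ p for k, p in zip(key_bytes, app_part))
    return app_part, server_part


def combine(app_part: bytes, server_part: bytes) -> str:
    """Reassemble the key from its two shares.

    This runs inside the app's memory, which is why the scheme is only an
    obstacle: anyone who can run or instrument the app (or read the server
    response on the device) ends up holding both shares, exactly as the app
    itself must.
    """
    if len(app_part) != len(server_part):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(app_part, server_part)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    key = "AIzaExampleConstructedKey0123"
    in_apk, on_server = split_key(key)
    print("share embedded in APK   :", in_apk.hex())
    print("share fetched at runtime:", on_server.hex())
    print("recombined              :", combine(in_apk, on_server))
```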

  • In addition make sure to communicate to the API via SSL. This way one cannot gain the key by monitoring the traffic.
    – mad_manny
    Commented Aug 22, 2017 at 11:01
  • Adding something to mad_manny's comment: Of course you should use TLS for communicating to the API, but it is still easy to perform a MITM attack and gain access to the API key this way.
    – rumpel
    Commented Mar 25, 2021 at 14:43
  • If the app only uses root CAs then it would be more difficult. Commented Mar 31, 2021 at 16:48
