I have an Android application that sends info to a server, but needs each user to have an assigned API key that they use. The APK build is, therefore, universal, but I need to attach a unique config file to the download containing the API key.

  • SharedPreferences (or SecurePreferences) is ok for writing and reading from the app on the device, but not for sending down a pre-configured file?
  • *.properties needs to be compiled with the app?
  • AndroidManifest.xml meta-data, this is just used at build time?

What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?

Adinia
gregm
  • Do your users need to log in to use the app, or do they use the app anonymously (except for the API key)? – Michael Meyer Mar 21 '17 at 10:05
  • Hi Michael - the app is used anonymously (except for the API key) – gregm Mar 21 '17 at 10:08
  • The manifest approach seemed the most useful until I realised it's packaged up in the APK. If there were a way of keeping the APK elements separate and simply on-demand repackaging with a specific manifest then that would work for me. – gregm Mar 21 '17 at 10:14
  • Hmm, ok a *.apk file is actually a Zip file by another name, and manifest.xml is in there, but looks compiled/encoded? – gregm Mar 21 '17 at 10:23
  • You can use Android Keystore, http://stackoverflow.com/questions/27320610/how-can-i-use-the-android-keystore-to-securely-store-arbitrary-strings – Rahul Mar 21 '17 at 10:28
  • Hi Rasi, Using keystore only works if the user goes to the server and fetches an API key, and then of course it can be saved securely in the keystore. What I'm after is that a user downloads an APK from a specific URL and the config file with a unique API Key comes with it. Putting it in the manifest looks close, but I need to recompile the androidmanifest.xml and re-sign the package so that's a bit too messy. – gregm Mar 21 '17 at 10:36
  • Hmm, files in res folder are not compiled, so can I just put something in there? I'm guessing I'll still need to re-sign the manifest, but it saves having to recompile the androidmanifest.xml – gregm Mar 21 '17 at 11:02
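
The comments above guess that dropping a per-customer file into the APK still requires re-signing. This added example (not part of the original thread) uses a constructed, APK-like ZIP to show why under JAR-style (v1) signing: each entry's digest is recorded in `META-INF/MANIFEST.MF`, so a swapped config file no longer matches. The path `res/raw/config.properties`, the helper names and the sample contents are assumptions; manifest line wrapping and the `.SF`/signature-block checks of a real verifier are omitted.

```python
import base64, hashlib, io, zipfile

CONFIG = "res/raw/config.properties"  # hypothetical path for the per-customer file

def digest(data: bytes) -> str:
    """Base64 SHA-256, the form used in a JAR-style manifest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_apk(files: dict) -> bytes:
    """Build a constructed, APK-like ZIP with a v1-style META-INF/MANIFEST.MF."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest(data)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def swap_entry(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Repackage the archive with one entry replaced, leaving META-INF untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()

def mismatched_entries(apk: bytes) -> list:
    """Return entries whose content no longer matches the digest in MANIFEST.MF."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        sections = z.read("META-INF/MANIFEST.MF").decode().split("\r\n\r\n")
        for section in sections:
            fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
            if "Name" in fields and digest(z.read(fields["Name"])) != fields["SHA-256-Digest"]:
                bad.append(fields["Name"])
    return bad

# Constructed sample contents; real APK entries are binary.
original = build_apk({"classes.dex": b"dex-placeholder",
                      CONFIG: b"api_key=PLACEHOLDER\n"})
per_customer = swap_entry(original, CONFIG, b"api_key=CUSTOMER-A-KEY\n")

if __name__ == "__main__":
    print("original:    ", mismatched_entries(original))
    print("per-customer:", mismatched_entries(per_customer))
```

APK Signature Scheme v2 and later cover the whole archive rather than individual entries, so a repackaged file fails verification there as well until it is signed again.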

1 Answer

What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?

You should get an API key specific to the user/app on successful authentication or login; after that you can store the retrieved key in the SharedPreferences of the application.

Set the SharedPreferences mode to private so other applications cannot read/write it.

Ajay S
  • Hi TGM, There is no user authentication or login, otherwise they could fetch the API Key intended for them as you suggest. The distribution mechanism is that we are business to business, we provide an APK and config file (somehow!) to a business and they distribute it to their employees. We therefore don't know a priori the users for authenticating them and instead want a frictionless download and run installation. – gregm Mar 21 '17 at 10:10
  • Ahh I see. Are you looking to assign a unique key to each user? – Ajay S Mar 21 '17 at 10:12
  • Yes, pretty close - a unique key to each group of users (one key per business customer). – gregm Mar 21 '17 at 10:17
  • I believe the only solution is that you need to compile the code and make a build with a different key for each business customer, or you can ask to have a `config` file, which is different for each business customer, copied into storage and then read it from there. – Ajay S Mar 21 '17 at 10:21