0

I am using Google cloud translate in my app. I am storing the JSON service API key in the raw folder and getting access with input stream like this below

When I build my release APK and renamed it to relese.zip and extracted and find JSON in a raw folder with all API keys. Some others might do the same and use the API for their apps. How to store a JSON API key in another way.

GoogleCredentials myCredentials = GoogleCredentials.fromStream(is);

Hima Bindhu
  • 1
  • Redesign your authorization strategy. Never distribute service account keys. Use Google OAuth for your clients and service accounts at your backend. – John Hanley Oct 15 '19 at 05:56
  • I am just using simple translation class when someone pastes something in an edit text app will translate that to another language and show in a text view. – Hima Bindhu Oct 15 '19 at 08:46
  • Security is security, if you are just practicing/experimenting you should provide those details in your question. This will prevent experts in security from giving you advice that you don't want. – John Hanley Oct 15 '19 at 17:05

1 Answers1

1

There is two parts in securing the APIs. Server Side and Client Side.

  1. Server Side: You can add your app's package name on the Google Cloud Server and add your development and release hashes to restrict the API only for app with these signatures.

  2. Client Side: This one has no easy answer. 1st of all you must enable proguard, minify and shrink resources to obscure your code. As for securing keys, the best option I've found is to enable NDK and use Native C codes to store the key, which is more painful to break then a simple apk. Take a look at this answer too.

touhid udoy
  • 3,443
  • 2
  • 10
  • 29
  • Restriction by signature fingerprint is less effort and is sufficient to prevent abuse. Using NDK and encryption is rather for non Google API keys... one could also add other keys through Firebase Remote Config. – Martin Zeitler Oct 15 '19 at 05:40
  • @MartinZeitler You can't use firebase remote config to store plain text keys, you must have to encrypt it somehow before using. From the doc(https://firebase.google.com/docs/remote-config/#policies_and_limits) *Don't store confidential data in Remote Config parameter keys or parameter values.* – touhid udoy Oct 15 '19 at 05:51
  • #1 is not possible for service accounts. #2 is a very bad idea. Never distribute service account keys with your app. I can break this method easily. This is reverse engineering 101 stuff. – John Hanley Oct 15 '19 at 05:54
  • @JohnHanley what do you suggest then? – touhid udoy Oct 15 '19 at 07:53
  • 1
    I added my suggestion to the question. This is not an easy question to answer as there are many missing details about the frontend and backend design. – John Hanley Oct 15 '19 at 07:56
  • @Touhidul encrypted keys still are permitted... however, using an own API to keep the key completely out of reach might rather be a server-side solution, suitable for service accounts. – Martin Zeitler Oct 15 '19 at 10:34