Where to store sensitive global information such as API keys in Android application?

Question

I need to store some sensitive information in an Android application. If I put it in a resource file, it appears that it is trivial for another app to be able to browse and

Answer 1

Google has some good recommendations on this under billing. To summarize: use remote server, obfuscate and use secure random nonces. Nothing is safe in your apk as it always can be reverse engineered and obfuscation only works against simple attacks.

Answer 2

if you just want to deny access to your data from other applications, you can use SharedPreferences. Just use Contex.getSharedPreferences(/prefs file name/, Context.MODE_PRIVATE); According to documentation MODE_PRIVATE means that the created file can only be accessed by the calling application (or all applications sharing the same user ID).

Answer 3

Your APK will be retrieved from the device and torn apart anyway. (After all, some devices are rooted.) Whatever you hardcode there, no matter where, will be found and extracted. Of course, if the potential gain substantiates the effort. Otherwise, security by obscurity, such as obfuscation, may be the way to go.

Handling real secrets should be based on some sort of input, notably passwords.

Happily, API keys, if used as they are supposed to, are not necessarily a real secret.