How to keep your certificates and API keys secret on Android 🤫

Barros
Apr 6, 2022

It can happen that the pre-launch report of your app flags a security issue:

Your app contains exposed Google Cloud Platform (GCP) API keys

We’ll see how to address the issue and keep our API keys and certificates secret.

API Keys

First, we want to solve two main problems:

  • Avoid saving our keys in the git repository;
  • Avoid exposing them as variables, and comply with what Google suggests.

In this case, a possible solution is to use the local.properties file: we can save our keys in that file and hide it from the git repository by adding it to .gitignore.
local.properties:

dev.googleApiKey="????????????????????????????????????????"
prod.googleApiKey="????????????????????????????????????????"

Now we have to load the file in build.gradle. Assuming it sits in the project root, we can load it with:

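// local.properties lives in the project root and is excluded from git
def localPropertiesFile = rootProject.file('local.properties')
def localProperties = new Properties()
// withInputStream closes the stream once the properties are loaded
localPropertiesFile.withInputStream { localProperties.load(it) }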

Once the file is loaded, we can apply the API keys to our buildTypes or flavors:
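
One way to do this, as an added example that is not the article's original code: the module-level build.gradle below reads the two keys from local.properties and hands them to AndroidManifest.xml through manifestPlaceholders. The apiKey helper, the environment-variable names and the googleApiKey placeholder name are assumptions made for illustration.

```groovy
// Module-level build.gradle (Groovy DSL). Added example, not the article's code.
def localPropertiesFile = rootProject.file('local.properties')
def localProperties = new Properties()
if (localPropertiesFile.exists()) {
    localPropertiesFile.withInputStream { localProperties.load(it) }
}

// Hypothetical helper: read a key from local.properties, fall back to an
// environment variable (assumed names; useful on CI, where local.properties
// is absent), and stop the build with a clear message if neither is set.
def apiKey = { String name, String envName ->
    def value = localProperties.getProperty(name) ?: System.getenv(envName)
    if (!value) {
        throw new GradleException(
            "Missing '${name}' in local.properties (or ${envName} in the environment)")
    }
    // The file above stores each value wrapped in double quotes; strip them
    // so the manifest receives the bare key.
    return value.trim().replaceAll('^"|"$', '')
}

android {
    buildTypes {
        // Both blocks are evaluated at configuration time, so both keys
        // must be defined even when only one build type is assembled.
        debug {
            // Referenced in AndroidManifest.xml as android:value="${googleApiKey}"
            manifestPlaceholders = [
                googleApiKey: apiKey('dev.googleApiKey', 'DEV_GOOGLE_API_KEY')
            ]
        }
        release {
            manifestPlaceholders = [
                googleApiKey: apiKey('prod.googleApiKey', 'PROD_GOOGLE_API_KEY')
            ]
        }
    }
}
```

Keys injected this way stay out of git but still end up in the merged manifest inside the APK, so each key should also be restricted in the Google Cloud console to the app's package name and signing-certificate fingerprint.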
