Keeping Your Keys Safe

At some point in your app development career, you’ll create an app that has secrets.  By this I mean there will be keys inside that you want to keep secure from prying eyes.  If someone else gets a hold of your private info, the results could be disastrous (or expensive).

Let’s say your app uses Amazon Web Services and your monthly bill runs about $350 a month. That’s fine because you’re making the money back through app usage.  That is, until a 3^rd party gets a hold of your secret key and decides to use it for their own purposes.  Then when your next bill comes due you find that you’re being charged for $50,000.

Not an exaggeration.  This exact scenario actually happened.  So the lesson is painful but memorable: secrets should be kept secret!  Let’s use this blog to talk about a couple ways people tend to store their keys and what you should avoid.

Avoid pushing keys to github:

I’ll start with what may sound obvious.  That sight that you put all of your code onto so that people can publicly view it?  Yeah, don’t put your secret keys up there.  This sounds obvious, but recent studies have shown thousands upon thousands of keys are available on public git repositories.  It’s possible your using a free service and don’t care, but if you’re being charge even a dollar for the service you’re using, keep it close to your heart.

Storing keys as basic Strings:

DON’T DO THIS!  Storing a key as a simple string is just asking for trouble.  There a couple issues behind this, but first and foremost is that it’s incredibly easy to access.  If you read our primer on reverse engineering apps then you know that it’s possible for 3^rd parties to decompile your app and look at its code in its (almost) original form.  Storing a key as a string means the hacker just has to glance over your code and look for something that looks like a key.  Then it’s theirs and they can do what they want until you change it. 

Defining keys in build.gradle:

This is better than storing your keys as Strings in any old file, but the end result is unfortunately similar.  A lot of people put their keys in build.gradle in such a way that it’s created in the BuildConfig file of your app.  The bright side is your gradle file isn’t decompiled along with the rest of your app, so secrets are safe in there.  The downside?  Well, that BuildConfig class they were just created in isn’t as secure.  Again, our Strings are exposed in a very simple to access way.

Securing keys with Android NDK:

Let me take a second here to say something important: There is no such thing as absolute security.  If you’re going to have a secret in your app, all you can truly do is make it incredibly difficult to find.  Take the proper precautions to keep things safe, and a hacker will have to decide if it’s worth the time/energy to get to whatever is hidden.

With that said, the Android NDK (Native Development Kit) can help us use C and C++ code with Android.  Why would we want to do this?  Well for starters NDK libraries can’t be decompiled, so the information inside is a lot harder to find.  There are ways to access this code all the same, but we won’t go into them here.  It’s not perfect, but this will throw quite a few entry level hackers off your tail.

Make your code complicated:

This one again goes to what I said earlier about complete security.  It won’t happen, but you can make a hacker’s life hell by making your keys as hard to read as possible.  Let’s take a very basic example:  If your key was 123456, instead of storing that, you could make it the sum of the strings “12”, “34”, and “56”.  How you can break this up depends on how creative you can get, but there really isn’t a limit.  It just means more work for you both upfront and down the road to ensure you understand everything your code is doing.

Keeping keys safe is crucial for a large apps success, so you need to take precautions to avoid disaster.  If you have any suggestions for great ways to hide Strings inside your app let us know in the comments below!