Store API Keys Securely With CMake and Kotlin

Keep your API keys private and secure using Native C/C++ code.

Image Credits: Codementor Blog

“A good defense is the best offense” someone once said.

Well, that’s partly true in Android when it comes to storing API keys and protecting them against hackers.

You need to keep your API keys private and secure for multiple reasons. If a hacker gains access to your API key, they could:

  • make API calls and which could increase your billing costs tremendously
  • use it to disrupt your users’ data

Before we dive into enhancing the security of your API keys, let’s talk about how most developers are currently storing API keys.

The Traditional Way of Storing API Keys

Storing API keys in strings.xmlis a big no-no. It's definitely not secure — with a little reverse engineering, hackers can easily decrypt the API key if you store it in an XML file in your Android project. Also, more obviously, if your repo is public, your strings.xml file would be too. That means that your API key would also be public.

Storing API keys in gradle.propertiesseems to be the most popular choice. You might have been adding this file to .gitignore, declaring your API key inside, referring to it in the app-level build.gradle file, and using it in your app via the generated BuildConfig class. While better than storing it in XML files, your API key can still be decoded by someone with some reverse engineering, so it isn't a very secure way to store your API keys.

The Better Way: Bringing the Power of CMake to Android

CMake is a software tool that manages the build processes of other software.

I am going to show you how to write a short C++ code to store your API key securely and access the API key from your C++ file.

Native C/C++ code is harder to decompile, so hackers will have a harder time gaining access to your API keys. This has been proven to be more secure than storing it in your gradle.properties file and is definitely something I'd recommend implementing in your app if you're looking to enhance security around your API key storage system.

Step 1: Install the required tools

You’ll need to install three tools in Android Studio via the SDK Manager:

  • NDK (Native Development Kit): a tool that’s used to work with C/C++ code in Android. It also lets you access certain device components, such as sensors, touch input, etc.
  • LLDB (Low Level Debugger): a debugger for native code.
  • CMake: the tool that builds your native C/C++ library.

Step 2: Create a native-lib.cpp file

Create a new folder, cpp, inside app/src/main.

Right-click on the cpp folder, click on New → C/C++ Source File, and name your file native-lib.cpp.

Step 3: Store your API key inside the native-lib.cpp file

Inside your native-lib.cpp, add the following code:

#include <jni.h>
#include <string>
extern "C" JNIEXPORT jstringJNICALL
Java_com_package_name_Keys_apiKey(JNIEnv *env, jobject object) {
std::string api_key = "your_api_key_goes_here";
return env->NewStringUTF(api_key.c_str());
}

Let’s take a closer look at the name of the C++ function Java_com_package_name_Keys_apiKey(...) declared above from right to left:

  • apiKey: this directly refers to the method name that you'll be using in Kotlin later on.
  • Keys: this refers to the Kotlin object in which you want to use your API key, where you'll interact with the C++ coded, and get a reference to your API key (which you can use throughout your app).
  • com_package_name: this refers to the package name corresponding to the Keys Kotlin object here. This should always point to the package of the class where you intend to use it. So, if the package name is com.package.name, the . (periods) are replaced with _ (underscores), and it becomes com_package_name.

Store your API key in the api_key variable in the above C++ function and return it as shown in the code snippet above.

Note: don’t forget to add native-lib.cpp to your .gitignore. You do not want this file to be in your version control! If you don’t know what version control is, check out this tutorial here.

Step 4: Create a CMakeLists.txt file

Under the app/ folder, create a new text file and name it CMakeLists.txt. Add the following code in the file:

To read the rest of the article, click on the following link:

--

--

Bapusaheb Patil

Bapusaheb Patil

Creative Specialist • IDF Certified Designer • Brand Strategist • Storyteller