How do I secure the signing info of my app when I want to release it? I don't want to hardcode it. I would like to keep it safe from attackers and reverse engineering.
// gradle app file (the block name is signingConfigs, lowercase)
android {
    signingConfigs {
        release {
            storeFile file("myreleasekey.keystore")
            storePassword "myHardCodePassword"
            keyAlias "MyHardCodeReleaseKey"
            keyPassword "MyHardCodePassword"
        }
    }
}
Thank you for your help.
It really boils down to authentication. First of all, congratulations on doing the right thing by externalizing secrets. Hard coding secrets in an application in an attempt to hide them (security by obscurity) only adds seconds to any attack.
Your application runs with some identity, like a service account. If at all possible, only the service account should be able to read the file (400 permission). You'll also have to write the file at least once, but I'll set that aside for now and pretend it's taken care of by your application's deployment.

The issue here is who can impersonate your application's identity. Can you run sudo -u myapp /usr/bin/bash -l, for example? Then you can read the secrets. Storing the secrets in a "vault" (like HashiCorp Vault) is a good idea, but it does not solve the authentication problem. You would still need to store the credentials to authenticate to Vault and get the secrets. Encrypting the file locally is no good either, because you would have to secure access to the encryption key with yet another password in a file. You get to pick the file, that's about it. Unless...
Running on a managed platform like a cloud, or even self-managed Kubernetes, you can use the identity given to your application when it is started by the platform. Authentication is done implicitly because your DevOps pipeline allows that application to run. The platform you are running on will authorize your application to read the secrets it has. It might not be a file anymore, so you might have to do a little scripting or extra code in your application.
If you need to bootstrap this process unattended, you might have to ask the user to log in (an open endpoint) and then generate a unique key or credentials they need to access your back end. If you accept that they don't log in, then provide them silently with a guest account. But anyone can reverse that protocol and just ask the server for the key.
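The following Gradle build script is an added example, not code from the question or the answer, that applies the answer's two options to the signing config in the question: on a developer machine the passwords come from a git-ignored keystore.properties file that only the build user can read (the answer's "400 permission" file), and on a CI/CD platform they come from environment variables injected by the platform's secret store, so the pipeline's identity is what authorizes the build to sign. The property and variable names (RELEASE_STORE_FILE etc.), the signingValue helper, and the namespace/compileSdk values are assumptions chosen for this example.

```groovy
// app/build.gradle (Groovy DSL). Added example; not from the original question or answer.
plugins {
    id 'com.android.application'
}

// Source 1 (developer machine): a git-ignored keystore.properties next to the root
// build.gradle, readable only by the build user (chmod 400). Constructed contents:
//   storeFile=/home/dev/keys/myreleasekey.keystore
//   storePassword=<store password>
//   keyAlias=<alias>
//   keyPassword=<key password>
// Source 2 (CI/CD): no file on disk at all; the platform's secret store injects the
// same four values as environment variables, because the pipeline, not a password in
// a file, is what authorizes this build to sign.
def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
if (keystorePropertiesFile.exists()) {
    keystorePropertiesFile.withInputStream { keystoreProperties.load(it) }
}

// Hypothetical helper: keystore.properties first, then the environment, null if neither
// has it. A closure (not a script method) so it can see the local variables above.
def signingValue = { String propKey, String envKey ->
    keystoreProperties.getProperty(propKey) ?: System.getenv(envKey)
}

def releaseStoreFile     = signingValue("storeFile",     "RELEASE_STORE_FILE")
def releaseStorePassword = signingValue("storePassword", "RELEASE_STORE_PASSWORD")
def releaseKeyAlias      = signingValue("keyAlias",      "RELEASE_KEY_ALIAS")
def releaseKeyPassword   = signingValue("keyPassword",   "RELEASE_KEY_PASSWORD")
def releaseSigningReady  = releaseStoreFile && releaseStorePassword &&
                           releaseKeyAlias && releaseKeyPassword

android {
    namespace "com.example.app"   // assumed; use your application id
    compileSdk 34                 // assumed; use your project's value

    signingConfigs {
        release {
            // Populate the config only when every value is present, so a missing
            // secret can never silently produce a build signed with an empty password.
            if (releaseSigningReady) {
                storeFile file(releaseStoreFile)
                storePassword releaseStorePassword
                keyAlias releaseKeyAlias
                keyPassword releaseKeyPassword
            }
        }
    }

    buildTypes {
        release {
            signingConfig releaseSigningReady ? signingConfigs.release : null
        }
    }
}

// Fail loudly, before any work is done, if a release artifact is requested without
// signing material. An unsigned release build is useless anyway; a clear error is
// better than discovering it at upload time.
tasks.matching { it.name in ["assembleRelease", "bundleRelease"] }.configureEach {
    doFirst {
        if (!releaseSigningReady) {
            throw new GradleException(
                "Release signing material missing: provide keystore.properties or the " +
                "RELEASE_STORE_FILE / RELEASE_STORE_PASSWORD / RELEASE_KEY_ALIAS / " +
                "RELEASE_KEY_PASSWORD environment variables.")
        }
    }
}
```

Add keystore.properties (and the keystore file itself) to .gitignore, and chmod 400 both so only the build user's account can read them; as the answer notes, that only moves the problem to who can become that account, which is why the environment-variable path exists for the CI case. Debug builds are unaffected: the check only fires for the release assemble and bundle tasks.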