DEV Community

Benjamin AIMONE
Benjamin AIMONE

Posted on • Edited on

2

Gradle plugin to deeply hide secrets keys on Android

Hello community! We are looking for feedbacks on the gradle plugin we have created : hidden-secrets-gradle-plugin 🙏

This plugin allows any Android developer to deeply hide secrets in its project. It is an open source equivalent of what DexGuard can offer to prevent credentials harvesting.

It uses a combination of obfuscation techniques to do so :

  • secret is obfuscated using the reversible XOR operator so it never appears in plain sight,
  • obfuscated secret is stored in a NDK binary as an hexadecimal array, so it is really hard to spot / put together from a disassembly,
  • the obfuscating string is not persisted in the binary to force runtime evaluation (ie : prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
  • optionally, anyone can provide its own encoding / decoding algorithm when using the plugin to add an additional security layer.

This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.

⚠️ Nothing on the client-side is unbreakable. So generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.

For all implementation details, please visit the github repository : hidden-secrets-gradle-plugin 😇

Sentry blog image

The Visual Studio App Center’s retiring

But sadly….you’re not. See how to make the switch to Sentry for all your crash reporting needs.

Read more

Top comments (0)

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay