Gradle plugin to deeply hide secret keys on Android

Benjamin AIMONE (benj69)

Hello community! We are looking for feedback on the Gradle plugin we have created: hidden-secrets-gradle-plugin 🙏

This plugin allows any Android developer to deeply hide secrets in their project. It is an open-source equivalent of what DexGuard offers to prevent credential harvesting from the APK.

It uses a combination of obfuscation techniques to do so:

  • the secret is XORed with an obfuscation key (XOR is reversible, so the same operation restores it), so the plaintext never appears in the source or in the binary,
  • the obfuscated secret is stored in an NDK (native) binary as a hexadecimal byte array, so it is hard to spot or reassemble from a disassembly,
  • the obfuscation key is not persisted in the binary and is evaluated at runtime, which prevents the compiler from constant-folding the de-obfuscation logic and emitting the plaintext secret,
  • optionally, you can provide your own encoding/decoding algorithm when using the plugin to add another layer.
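The three steps above in working C, as an added example that is not the plugin's own code: a build-time routine that XORs the secret with a key and renders it as the hex array that gets compiled into the native library, and a runtime routine that takes the key as an argument (in a real app it would be derived from something available at runtime, such as the package name; how the plugin itself derives its key is not described on this page). The secret `sk_live_1234` and the key `com.example.app` are constructed sample values.

```c
/* Added example (not the plugin's own code): build-time XOR obfuscation of a
 * secret into a hex byte array, and runtime de-obfuscation with a key that is
 * never stored in the binary. Secret and key are constructed sample values. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* XOR `n` bytes of `in` with the repeating key `key`, writing to `out`.
 * XOR is its own inverse, so one routine both obfuscates and de-obfuscates. */
static void xor_with_key(const unsigned char *in, size_t n,
                         const char *key, unsigned char *out)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (unsigned char)key[i % klen];
}

/* Build-time step (what the Gradle plugin would run before compiling the NDK
 * code): render obfuscated bytes as a C hex array initializer such as
 * "0x10, 0x04, ...". Returns characters written, or -1 if `out` is too small. */
static int format_hex_array(const unsigned char *buf, size_t n,
                            char *out, size_t outsz)
{
    int used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - (size_t)used,
                         "%s0x%02x", i ? ", " : "", buf[i]);
        if (w < 0 || (size_t)w >= outsz - (size_t)used)
            return -1;
        used += w;
    }
    return used;
}

/* Constructed sample: "sk_live_1234" XORed with the key "com.example.app".
 * Only these bytes ship in the binary; neither the secret nor the key does. */
static const unsigned char OBFUSCATED_API_KEY[] = {
    0x10, 0x04, 0x32, 0x42, 0x0c, 0x0e, 0x04, 0x32, 0x41, 0x5e, 0x56, 0x1a
};

/* Runtime step: `key` comes from the caller (in an app, e.g. the package name
 * read from the Android Context), not from a literal in this file, so the
 * compiler cannot constant-fold the XOR and emit the plaintext secret.
 * Returns the secret length, or 0 if `out` cannot hold it plus a NUL. */
static size_t get_api_key(const char *key, char *out, size_t outsz)
{
    size_t n = sizeof OBFUSCATED_API_KEY;
    if (outsz <= n)
        return 0;
    xor_with_key(OBFUSCATED_API_KEY, n, key, (unsigned char *)out);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Build time: produce the array literal from the plaintext secret. */
    const char *secret = "sk_live_1234";
    unsigned char obf[64];
    char hex[256], recovered[64];
    xor_with_key((const unsigned char *)secret, strlen(secret),
                 "com.example.app", obf);
    format_hex_array(obf, strlen(secret), hex, sizeof hex);
    printf("static const unsigned char OBFUSCATED_API_KEY[] = { %s };\n", hex);

    /* Run time: the right key restores the secret; any other key yields junk. */
    get_api_key("com.example.app", recovered, sizeof recovered);
    printf("decoded with correct key: %s\n", recovered);
    get_api_key("wrong.key", recovered, sizeof recovered);
    printf("decoded with wrong key:   %s\n", recovered);
    return 0;
}
```

Note that this is obfuscation, not encryption: if the key is something public such as the package name, anyone who reads the array out of the `.so` and knows the scheme can XOR it back, and anyone who can run the app can simply call the decode routine and read the result. What it buys you is that a plain `strings` or grep over the APK no longer finds the secret.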

This plugin is used in production at Klaxit (Covoiturage quotidien). Our engineering team at Klaxit will make a best effort to maintain this project.

⚠️ Nothing on the client side is unbreakable: whatever the app can decode at runtime, an attacker who controls the device can decode too (for instance by hooking the native function that returns the secret). So generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.

For all implementation details, please visit the GitHub repository: hidden-secrets-gradle-plugin 😇

