Hello community! We are looking for feedback on the Gradle plugin we have created: hidden-secrets-gradle-plugin 🙏
This plugin allows any Android developer to deeply hide secrets in their project. It is an open-source equivalent of what DexGuard can offer to prevent credential harvesting.
It uses a combination of obfuscation techniques to do so:
- the secret is obfuscated using the reversible XOR operator, so it never appears in plain sight,
- the obfuscated secret is stored in an NDK binary as a hexadecimal array, so it is really hard to spot / put together from a disassembly,
- the obfuscating string is not persisted in the binary, to force runtime evaluation (i.e., to prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
- optionally, anyone can provide their own encoding / decoding algorithm when using the plugin to add an additional security layer.
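As an added illustration of the scheme described above (example code written for this post, not the plugin's or Klaxit's own source): the secret is embedded only as XORed hex bytes, and the XOR key is rebuilt at run time from the app's package name, so neither the plaintext nor the key string sits in the binary. The package name, the secret and the key-derivation rule are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 10   /* length of the embedded secret (emitted with the array) */
#define MAX_LEN 64      /* upper bound on secrets this example handles */

/* The secret "s3cr3t-k3y" as it would sit in the NDK binary: only the XORed
 * bytes, as a hex array (values constructed for this example). */
static const unsigned char kObfuscated[SECRET_LEN] = {
    0x10, 0x43, 0x0C, 0x43, 0x5A, 0x09, 0x4A, 0x1F, 0x4B, 0x0C
};

/* Build the XOR key at run time from the package name (assumed rule: the
 * package character at i mod len, plus i, wrapping mod 256). No key literal is
 * stored, and since package_name only arrives at run time (from JNI in a real
 * app) the compiler cannot constant-fold the XOR and leak the plaintext. */
static void derive_key(const char *package_name, unsigned char *key, size_t len) {
    size_t n = strlen(package_name);
    if (n == 0) { memset(key, 0, len); return; }   /* degenerate input: no key */
    for (size_t i = 0; i < len; i++)
        key[i] = (unsigned char)(package_name[i % n] + i);
}

/* Build-time step (what the plugin does): secret XOR key -> bytes to embed.
 * Returns the number of bytes written, 0 if the secret is too long. */
size_t obfuscate(const char *secret, const char *package_name, unsigned char *out) {
    size_t len = strlen(secret);
    unsigned char key[MAX_LEN];
    if (len > MAX_LEN) return 0;
    derive_key(package_name, key, len);
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)secret[i] ^ key[i];
    return len;
}

/* Run-time step (the de-obfuscation inside the NDK library): rebuild the key
 * and XOR it back. A wrong package name yields garbage, not the secret. */
size_t reveal(const char *package_name, char *out, size_t out_size) {
    unsigned char key[MAX_LEN];
    if (out_size < SECRET_LEN + 1) return 0;
    derive_key(package_name, key, SECRET_LEN);
    for (size_t i = 0; i < SECRET_LEN; i++)
        out[i] = (char)(kObfuscated[i] ^ key[i]);
    out[SECRET_LEN] = '\0';
    return SECRET_LEN;
}

int main(void) {
    char plain[MAX_LEN + 1];
    reveal("com.example.app", plain, sizeof plain);   /* constructed package name */
    printf("revealed secret: %s\n", plain);
    return 0;
}
```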
This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.
⚠️ Nothing on the client side is unbreakable. So, generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.
For all implementation details, please visit the GitHub repository: hidden-secrets-gradle-plugin 😇