Gradle plugin to deeply hide secrets keys on Android

Benjamin AIMONE — Thu, 19 Nov 2020 09:31:56 +0000

Hello community! We are looking for feedbacks on the gradle plugin we have created : hidden-secrets-gradle-plugin 🙏

This plugin allows any Android developer to deeply hide secrets in its project. It is an open source equivalent of what DexGuard can offer to prevent credentials harvesting.

It uses a combination of obfuscation techniques to do so :

secret is obfuscated using the reversible XOR operator so it never appears in plain sight,
obfuscated secret is stored in a NDK binary as an hexadecimal array, so it is really hard to spot / put together from a disassembly,
the obfuscating string is not persisted in the binary to force runtime evaluation (ie : prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
optionally, anyone can provide its own encoding / decoding algorithm when using the plugin to add an additional security layer.

This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.

⚠️ Nothing on the client-side is unbreakable. So generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.

For all implementation details, please visit the github repository : hidden-secrets-gradle-plugin 😇

DEV Community: Benjamin AIMONE

Gradle plugin to deeply hide secrets keys on Android