I’m building a mobile app using Python Kivy that will run on Android phones. My app needs to connect to external APIs and I’m worried about keeping my API credentials safe.
Right now I have my API details hardcoded like this:
I’m concerned that when I build the APK file, someone might be able to extract these sensitive details. I also want to be able to update my API keys later without having to push new app versions to users.
What are some good ways to handle this? I’ve heard about using environment variables or remote config but I’m not sure how to implement these properly in a Kivy Android app. Any suggestions for secure approaches would be really helpful.
Firebase Remote Config works perfectly for this. Store your API credentials on Firebase’s servers and fetch them at startup. Since the credentials aren’t in your APK, reverse engineering becomes way harder. I set up a fallback that caches the last credentials locally for offline startups. Best part? Instant updates. Change your API keys in Firebase console and all active apps grab the new values within hours - no app store updates needed. Setup’s easy with their Python SDK, and you can target different user segments with different credentials if needed. Free tier handles most small/medium apps just fine.
Honestly, just use environment variables with buildozer. Create a .env file locally and load it during dev, then set the vars in your CI/CD pipeline or hosting platform for production builds. Keeps secrets out of your code completely and works great with Kivy Android builds.
Here’s what worked for me - I used a hybrid approach with encrypted storage plus secure initialization. Don’t hardcode credentials. Instead, store them in an encrypted local file using Python’s cryptography library with a key derived from device-specific info. When the app starts up, it decrypts and loads the credentials into memory. For remote updates, I built a simple endpoint that serves encrypted config updates. The app fetches and decrypts them locally. You avoid hardcoding sensitive data but can still update credentials remotely. Just make sure your encryption is solid and the device-specific derivation method stays consistent across app updates. Takes some setup work upfront, but you get good security without depending entirely on external services.
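The encrypted-local-file part of this approach, as an added example rather than the poster's code: config is serialized to JSON, encrypted with Fernet (authenticated AES-CBC + HMAC from the cryptography library) under a key derived by PBKDF2 from a device identifier, and a remote update blob in the same format is only accepted if it decrypts cleanly. The device identifier string, the salt layout and the file path are assumptions for the demo.

```python
import base64
import json
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Constructed stand-in for whatever device-specific value the app uses
# (on a real device this would come from the platform, not a constant).
DEVICE_ID = "constructed-device-id-0123"
SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000  # keep this fixed across app updates


def derive_key(device_id: str, salt: bytes) -> bytes:
    """Derive a 32-byte Fernet key from the device identifier and a salt."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(device_id.encode("utf-8")))


def encrypt_config(config: dict, device_id: str) -> bytes:
    """Serialize config to JSON and encrypt it; the random salt is prepended."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(derive_key(device_id, salt)).encrypt(
        json.dumps(config, sort_keys=True).encode("utf-8"))
    return salt + token


def decrypt_config(blob: bytes, device_id: str) -> Optional[dict]:
    """Return the config dict, or None if the blob was tampered with or
    was encrypted for a different device (Fernet's HMAC check fails)."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        plain = Fernet(derive_key(device_id, salt)).decrypt(token)
    except InvalidToken:
        return None
    return json.loads(plain.decode("utf-8"))


def apply_remote_update(blob: bytes, device_id: str, path: str) -> bool:
    """Validate an encrypted update fetched from the config endpoint and,
    only if it decrypts, replace the local encrypted file with it."""
    if decrypt_config(blob, device_id) is None:
        return False
    with open(path, "wb") as fh:
        fh.write(blob)
    return True
```

Because the key is derived from data present on the device, this protects the file at rest (and against a copied or swapped blob) but not against code running on the same device with access to the identifier.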