Best practices for securing API keys in Kivy Android applications

I’m building an Android app using Python Kivy and need to make API calls to external services. Right now I’m hardcoding my API credentials directly in the source code like this:

api_config = {
    'service-url': "myservice.example.com",
    'auth-token': "my-secret-token"
}

This approach worries me because anyone who decompiles the APK could easily find these sensitive values. I’m looking for better ways to handle this security issue.

Also, I want to be able to rotate these credentials without having to push app updates to users every time. What are some recommended approaches for keeping API secrets safe in mobile apps while also making key rotation seamless?

I encountered a similar problem while deploying my Kivy app and found a solution that might be useful. I recommend using Android’s encrypted SharedPreferences combined with a key exchange mechanism during application startup. Avoid hardcoding API keys; instead, save an encrypted bootstrap token that communicates with your backend to retrieve the actual credentials. My backend validates the bootstrap token alongside device fingerprinting before providing the API keys. For seamless rotation, I recommend polling every few hours to refresh the credentials in the background. Although this requires more initial setup, the enhanced security is invaluable.
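The bootstrap-token exchange and background refresh described in the answer above, as an added example that is not the poster's code. It assumes a hypothetical backend endpoint that takes a bootstrap token plus a device ID and returns a short-lived API token with an expiry; here that endpoint is a constructed in-process function so the example runs offline, and the clock is injectable so the refresh logic can be exercised without waiting. In a Kivy app you would call `CredentialStore.get_token()` from the code that makes API requests and, for the periodic refresh the answer suggests, schedule `refresh_if_needed()` with `kivy.clock.Clock.schedule_interval`.

```python
import hmac
import secrets
import time

# --- constructed fake backend (stands in for the real HTTPS service) -----
_VALID_BOOTSTRAP = "bootstrap-demo-token"   # constructed placeholder, not a real secret
_ISSUED = []                                # tokens handed out, so rotation is visible

def fake_backend_exchange(bootstrap_token: str, device_id: str, now: float,
                          ttl: int = 3600) -> dict:
    """Hypothetical backend: validate the bootstrap token and issue a short-lived
    API token. A real service would also check the device fingerprint and would
    reject a revoked bootstrap token, which is how rotation is forced."""
    if not hmac.compare_digest(bootstrap_token, _VALID_BOOTSTRAP):
        raise PermissionError("bootstrap token rejected for device %s" % device_id)
    token = secrets.token_urlsafe(24)
    _ISSUED.append(token)
    return {"auth_token": token, "expires_at": now + ttl}


class CredentialStore:
    """Keeps the live API token in memory and refreshes it before it expires.

    Only the bootstrap token is long-lived on the device; the API token it
    buys is short-lived, so rotating the real credentials needs no app update.
    """

    def __init__(self, bootstrap_token: str, device_id: str,
                 exchange=fake_backend_exchange, clock=time.time,
                 refresh_margin: int = 300):
        self._bootstrap = bootstrap_token
        self._device_id = device_id
        self._exchange = exchange          # hypothetical backend call
        self._clock = clock                # injectable for testing
        self._margin = refresh_margin      # refresh this many seconds early
        self._creds = None

    def refresh_if_needed(self, *_args) -> bool:
        """Fetch new credentials if none are cached or they are about to expire.
        Returns True when a refresh happened. The *_args swallow the dt value
        that kivy.clock.Clock.schedule_interval passes to callbacks."""
        now = self._clock()
        if self._creds is None or now >= self._creds["expires_at"] - self._margin:
            self._creds = self._exchange(self._bootstrap, self._device_id, now)
            return True
        return False

    def get_token(self) -> str:
        """Token to put in the Authorization header of the next API call."""
        self.refresh_if_needed()
        return self._creds["auth_token"]


class FakeClock:
    """Constructed clock so the expiry behaviour can be stepped deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = CredentialStore(_VALID_BOOTSTRAP, "device-1234", clock=clock)
    first = store.get_token()
    clock.now = 3400           # past the 3600 - 300 refresh threshold
    second = store.get_token()
    print("rotated:", first != second)
```

Note that the token cache is deliberately in memory only; if you persist it, use the encrypted SharedPreferences the answer mentions rather than a plain file, and treat a `PermissionError` from the exchange as the signal that the bootstrap token has been revoked and the user must re-enroll.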

Yeah, it’s tough to secure keys in mobile apps. I usually keep them on a backend too, fetching them when needed with some auth layer. It adds a bit more security than hardcoding. Not saying it’s perfect, but def helps! Hope this gives you some ideas.

Environment variables solved this exact problem for me. I inject keys through buildozer’s environment config during builds instead of hardcoding them. Keeps them out of the repo and makes decompilation tougher. But the real game changer? Certificate pinning plus a token refresh endpoint. My app validates my server’s certificate and swaps a device ID for tokens that expire every 24 hours. When they expire, the app grabs new ones automatically. No app store updates needed when I rotate credentials, and a way smaller vulnerability window if keys get compromised.
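The two client-side checks from the answer above, build-time secret injection and certificate pinning, as an added example that is not the poster's code. The environment-variable name `APP_BOOTSTRAP_TOKEN` and the pin values are assumptions; the pin is the SHA-256 of the server's DER-encoded leaf certificate, so the sample certificate bytes below are constructed, not a real certificate. Whatever the build injects is still bundled in the APK, so this only raises the bar for a decompiler; the expiring tokens are what limit the damage.

```python
import hashlib
import hmac
import os
import socket
import ssl


def load_bootstrap_secret(env_var: str = "APP_BOOTSTRAP_TOKEN", environ=None) -> str:
    """Read the value the build step injected (hypothetical variable name).
    Failing loudly here beats shipping a build with an empty secret."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var, "").strip()
    if not value:
        raise RuntimeError("%s was not set at build time" % env_var)
    return value


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate; this is the pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes: bytes, pinned: list) -> bool:
    """True if the certificate matches any pinned fingerprint. Pin at least two
    (current and next) so the server certificate can be rotated without an
    app update. Constant-time compare avoids leaking the pin byte by byte."""
    fp = cert_fingerprint(der_bytes)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned)


def check_server_pin(host: str, port: int, pinned: list, timeout: float = 5.0) -> bool:
    """Open a normally verified TLS connection, then additionally require the
    leaf certificate to match a pin. Pinning is layered on top of, not instead
    of, the default chain validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(der, pinned)


# Constructed stand-in for a DER certificate; a real one comes from getpeercert().
SAMPLE_CERT_DER = b"constructed-sample-bytes-not-a-real-certificate"
SAMPLE_PIN = cert_fingerprint(SAMPLE_CERT_DER)


if __name__ == "__main__":
    print("pin:", SAMPLE_PIN)
    print("matches:", pin_matches(SAMPLE_CERT_DER, [SAMPLE_PIN]))
    # check_server_pin("myservice.example.com", 443, [SAMPLE_PIN]) would be the live call
```

A failed pin check should abort the token exchange rather than fall back to an unpinned connection, otherwise the pin adds nothing; log the observed fingerprint so a legitimate certificate rotation that was not pre-pinned is easy to diagnose.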