I’m developing a mobile application using Python Kivy for Android devices. The app requires access to an API, which necessitates using a secret key and host information. I’m concerned about keeping this key secure while packaging the app.
Currently, I’ve embedded the API key right in the code like this:
My main issues are ensuring that my secret key isn’t easily discoverable within the APK file and being able to update this key independently of the app’s version to avoid forcing updates for users.
Can anyone suggest effective strategies or best practices to securely manage API keys in Kivy applications?
I’ve had good luck storing API keys in Android Keystore through a native extension. With buildozer, you can write a simple Java wrapper for keystore operations and call it from Python using pyjnius. The system encrypts the key and ties it to your app signature - way harder to extract even if someone decompiles your APK. You’ll need to set up the keystore on first launch and build in a fallback for corrupted keys, but it’s way more secure than plaintext. Downside is you still need app updates to change keys, but for sensitive apps the security boost is totally worth it.
I use environment variables plus obfuscation. Set up buildozer.spec to include environment variables at build time, then reference them in your code instead of hardcoding keys. For obfuscation, I encrypt keys with a simple XOR cipher using something device-specific like the installation ID. Not bulletproof, but makes casual reverse engineering way harder. The real win is pulling keys from a remote config service at startup - if the key changes, your app grabs the new one automatically without needing updates. Just add proper error handling for network failures and cache a working key locally as backup.
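As an added illustration of the scheme in the answer above (not code from the thread), here is a Python sketch of the three pieces: a build-time key read from an environment variable, XOR obfuscation keyed on a device-specific value, and a remote-config fetch that falls back to a locally cached key when the network fails. The names `API_KEY`, `install_id`, the cache file and the fetch callables are all assumptions made for the example. One thing the code makes visible: the XOR step is symmetric, so it only hides the key from a casual `strings` pass, and anyone who can read the install ID from the device can reverse it just as easily.

```python
"""Added example: build-time key + device-bound XOR obfuscation + remote config
with cached fallback. Not from the thread; all names are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple


def keystream(install_id: str, length: int) -> bytes:
    """Expand a device-specific value into `length` bytes by hashing a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{install_id}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def xor_obfuscate(data: bytes, install_id: str) -> bytes:
    """XOR `data` with a keystream derived from install_id.

    XOR is symmetric: applying it twice returns the input. This hides the key
    from a casual strings dump of the APK or cache file, nothing more.
    """
    return bytes(b ^ k for b, k in zip(data, keystream(install_id, len(data))))


def load_api_key(fetch_remote: Callable[[], str],
                 cache_path: Path,
                 install_id: str,
                 build_time_key: Optional[str]) -> Tuple[str, str]:
    """Return (key, source). Order of preference: remote config, local cache, build-time key."""
    try:
        key = fetch_remote()
        if not key:
            raise ValueError("remote config returned an empty key")
        # Cache the working key (obfuscated) so the next offline launch still works.
        cache_path.write_bytes(xor_obfuscate(key.encode(), install_id))
        return key, "remote"
    except (OSError, ValueError):
        pass  # network or parse failure: fall through to the cached copy
    if cache_path.exists():
        cached = xor_obfuscate(cache_path.read_bytes(), install_id).decode()
        return cached, "cache"
    if build_time_key:
        return build_time_key, "build"
    raise RuntimeError("no API key available from remote config, cache or build")


def run_demo() -> dict:
    """Simulate a first launch with network, then launches where the fetch fails."""
    install_id = "constructed-install-id-1234"          # constructed device-specific value
    # In the real app this would be injected at build time via buildozer.spec (assumed name).
    build_key = os.environ.get("API_KEY", "build-time-placeholder-key")
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "api_key.bin"

        def fetch_ok() -> str:
            return "rotated-key-v2"                     # constructed remote-config response

        def fetch_fail() -> str:
            raise OSError("network unreachable")        # constructed network failure

        first = load_api_key(fetch_ok, cache, install_id, build_key)
        raw_cache = cache.read_bytes()
        second = load_api_key(fetch_fail, cache, install_id, build_key)
        cache.unlink()                                  # simulate a wiped/corrupted cache
        third = load_api_key(fetch_fail, cache, install_id, build_key)
    return {
        "first": first,
        "second": second,
        "third": third,
        "cache_is_plaintext": b"rotated-key-v2" in raw_cache,
        "build_key": build_key,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` returns the remote key on the first launch, the same key from the cache when the fetch fails, and the build-time key only once the cache is gone; the cache file does not contain the key in plaintext, but decoding it needs nothing beyond the install ID the app itself stores.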
Honestly, the easiest way I’ve found is using a backend proxy server. Don’t store the real API key on the device at all - just have your app hit your own server endpoint and let that make the actual API calls. It’s a bit more work upfront, but way more secure and you can rotate keys without touching the app.
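To make the proxy approach from the answer above concrete, here is an added stdlib-only Python example (not code from the thread). The proxy keeps the upstream key in its own environment (`UPSTREAM_API_KEY`, an assumed name), accepts only a fixed set of routes from the app, and forwards matching requests upstream with the key attached as a bearer token; the app never sees the key. The upstream base URL, the bearer-token scheme and the route map are all assumptions made for the example.

```python
"""Added example: minimal backend proxy that holds the API key server-side.
Not from the thread; UPSTREAM_BASE, UPSTREAM_API_KEY and ROUTES are assumptions."""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

UPSTREAM_BASE = os.environ.get("UPSTREAM_BASE", "https://api.example.invalid")
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "server-side-placeholder-key")

# Only these app paths are forwarded, so the proxy is not an open relay to
# arbitrary upstream endpoints. Constructed route map for illustration.
ROUTES = {
    "/weather": "/v1/weather",
    "/forecast": "/v1/forecast",
}


def build_upstream_request(client_path: str) -> Optional[Request]:
    """Map an app request path to an upstream request carrying the secret key.

    Returns None for paths outside ROUTES so the handler can answer 404.
    """
    parts = urlsplit(client_path)
    upstream_path = ROUTES.get(parts.path)
    if upstream_path is None:
        return None
    url = UPSTREAM_BASE + upstream_path
    if parts.query:
        url += "?" + parts.query
    req = Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {UPSTREAM_API_KEY}")  # key added here, never in the APK
    return req


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        req = build_upstream_request(self.path)
        if req is None:
            self.send_error(404, "unknown route")
            return
        try:
            with urlopen(req, timeout=10) as resp:
                body = resp.read()
                status = resp.status
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except HTTPError as exc:
            body, status, ctype = exc.read(), exc.code, "text/plain"
        except URLError:
            self.send_error(502, "upstream unreachable")
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Run the proxy; the Kivy app calls http://host:port/weather?... instead of the real API."""
    HTTPServer((host, port), ProxyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Rotating the key is then a matter of changing `UPSTREAM_API_KEY` on the server and restarting the proxy. Because the proxy now stands in for the key, it needs its own controls before going live: authenticate the app or user in front of it and rate-limit it, otherwise anyone who finds the endpoint can spend your API quota just as if they had the key.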