Source: https://www.learnhowtoprogram.com/androi…ts/managing-api-keys
Capture Date: 03.07.2018 21:28:06
In the previous lesson we acquired the secret access token we’ll use to request information from the Yelp Fusion API. But as you know, API keys, tokens, and credentials should not be stored directly in source code pushed to GitHub. This simply isn’t secure, especially if the API has a rate limit, charges for use, or provides access to sensitive information. We don’t want others obtaining our credentials!
Thankfully we can easily conceal our API keys, similar to what we did in JavaScript. The process is a tad different in Android, but we think you’ll get the hang of it quickly. In this lesson we’ll discuss how to obfuscate API credentials in Android apps, as we walk through integrating our Yelp access token into MyRestaurants. Once our API key is safely integrated, we’ll begin constructing our first API call in upcoming lessons.
Hiding API Keys
1. Add Credentials to gradle.properties
First, we’ll add our new token to the gradle.properties file located in the root directory. gradle.properties is simply a file where properties and configuration settings for gradle-built projects reside.
gradle.properties
YelpToken = "Bearer YOUR-UNIQUE-ACCESS-TOKEN-HERE"
We must include a space between Bearer and the access token itself. And the term Bearer must be capitalized. This format looks a little funny compared to API credentials you’ve likely seen in the past, but it’s simply what this particular API requires. If we don’t follow this exact format, we won’t be able to successfully retrieve data.
2. Ignore gradle.properties
Next, let’s hide our gradle.properties file from GitHub by adding it to .gitignore so that the credentials we just listed will not be pushed to GitHub:
.gitignore
*.iml
...
/gradle.properties
If you don’t see a .gitignore file in your project’s directory, you may have to switch from Android view to Project view in Android Studio. The Android view displays only the key source files of an Android project, whereas Project displays all files.
If you’ve already committed the gradle.properties file to your Git repository, you’ll have to retroactively remove it in order to begin ignoring it moving forward. To remove files listed in your .gitignore from your local repository, run the following command:
$ git rm --cached -r .
This will reset which files are staged for committing. You should be able to run $ git status and see that all files are unstaged (including gradle.properties). After this, you can $ git add . and $ git commit -m "your commit message" again, and your new commit should not contain gradle.properties. This only affects new commits: a token that was committed earlier stays in the repository’s history, so if that history was already pushed, treat the token as exposed and replace it. For more details, check out the Removing Ignored Files from a Project section in this Java lesson.
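One way to verify the result of this step, as an added example that is not part of the original lesson: the function below (the name audit_secret_file is hypothetical) uses git check-ignore, git ls-files and git log to report whether a file is matched by an ignore rule, whether it is still tracked, and whether any earlier commit contains it.

```shell
#!/bin/sh
# Added example: audit whether a credentials file is really out of Git.
# Usage (after sourcing this file):
#   audit_secret_file <repo-dir> <path-relative-to-repo-root>
# Prints one line such as: ignored=yes tracked=no history=yes

audit_secret_file() {
    _repo=$1
    _file=$2

    # 1. Does a .gitignore rule match the path? --no-index evaluates the
    #    rules even while the file is still tracked.
    if git -C "$_repo" check-ignore -q --no-index -- "$_file"; then
        _ignored=yes
    else
        _ignored=no
    fi

    # 2. Is the file still in the index, i.e. part of the next commit?
    if git -C "$_repo" ls-files --error-unmatch -- "$_file" >/dev/null 2>&1; then
        _tracked=yes
    else
        _tracked=no
    fi

    # 3. Does any commit on any branch touch the file? If so, its old
    #    contents can still be read back from history.
    if [ -n "$(git -C "$_repo" log --all --oneline -- "$_file" 2>/dev/null)" ]; then
        _in_history=yes
    else
        _in_history=no
    fi

    echo "ignored=$_ignored tracked=$_tracked history=$_in_history"
}
```

The state this step aims for is ignored=yes tracked=no; history=yes means an earlier commit still holds the file and its token.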
3. Initialize String Constants
Next we’ll create a class to contain references to our Yelp credentials. Right-click on the primary package containing our source code and select New > Java Class. Name this new class Constants.java.
Within this file we’ll include the following code referencing the access token from gradle.properties:
Constants.java
public class Constants {
    public static final String YELP_TOKEN = BuildConfig.YELP_TOKEN;
}
Here, we’re instructing the application that the value for our YELP_TOKEN constant can be found in the BuildConfig file. BuildConfig.java is a file that is generated automatically when gradle builds our project. You’ll likely receive an error when you add the code above. That’s alright; it’s simply because we haven’t added YELP_TOKEN to our BuildConfig yet. We’ll do this next.
4. Connect Credentials When the Project Builds
Next, let’s instruct our application to include our token in the BuildConfig file when it is created. We’ll add the following to our build.gradle file:
build.gradle (Module: app)
apply plugin: 'com.android.application'

android {
    ...
    buildTypes.each {
        it.buildConfigField 'String', 'YELP_TOKEN', YelpToken
    }
}
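Here we’re instructing our application to include the token placed in gradle.properties in the BuildConfig file when it is built. The keys in our Constants.java class will now refer to the strings added to gradle.properties at runtime. And none of our credentials will be visible on GitHub! Keep in mind that the token is still compiled into the app as a string constant in BuildConfig, so this approach keeps it out of the repository rather than out of the built APK.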