Securing Your Keys with Gradle Variables

How gradle variables and gitignore can save you from the pain of managing private keys.

photo by Moja Msanii on unsplash
Photo by Moja Msanii on Unsplash

ften times I find myself in a situation where I have made a fine looking app that I want to share with the open source world, but worry that my app code contains several keys and ids that might get misused .

In other times, there is this situation that I have to deploy an app to production using a particular id that is different from the current id that I am using for development.

Both of these cases always bug me and I was looking for a solution about these for quite a while. So recently I came across this github repo whose gradle file made me curious to research and share my findings .

I found that there are a lot of ways to handle such problems, but the most simple way would need just changes in the .gitignore file ,and the app/build.gradle file using something called Gradle Variables.


So just to summarize, here is a hypothetical scenario:

  1. I am using a particular api key (say o1234abcd ) that would be used to access a particular news server. I want to share my app on github, but that key is precious to me and if misused, might cost me .
  2. I also bought a premium plan of that news server and now i have an even more precious key (say p1234abcd ) . I only want to use this key in my release built , and nowhere else.

Both of these cases are handled pretty well by gradle variables.

ome Practical implementation.

We can manage our keys using gradle variables in only 3 simple steps:

  1. we create a folder in project root say secure and add some properties files:

for debug , we add the following content in file:

KEY_USER = "o1234abcd"

for release, we add in file:

KEY_USER = "p1234abcd"
The repository would look something like this.

2. then we access the variables from properties file in app/build.gradle

3. then we can simply access the keys in activity or anywhere else using the following code(note: you would need to rebuild your project before this segment works):

val key = BuildConfig.KEY_USER

and you are done! The next time you sign your app and create a release version, the KEY_USER from the file will automatically get picked for the signed app while the debug key from the file would be used every time you create a build using the top green arrow.

If you want to share your code on a public git based platform, like github or gitlab, but don’t wanna share your keys, then you can simply add add the line secure/* in a .gitignore file. this will let git know that the content in secure folders does not need to be pushed to repo.

End Notes

That’s all folks! I have also creates a sample repo here and included some links for more info. Do press that👋 if you liked it . Suggestions and discussions are always welcome in the comments!

This is Ansh Sachdeva Signing off👋


curiously fiddling around with tech |