Securing Your Keys with Gradle Variables
How Gradle variables and .gitignore can save you from the pain of managing private keys.
Oftentimes I find myself in a situation where I have made a fine-looking app that I want to share with the open source world, but worry that my app code contains several keys and IDs that might get misused.
At other times, I have to deploy an app to production using a particular id that is different from the current id that I am using for development.
Both of these cases always bugged me, and I had been looking for a solution for quite a while. Recently I came across this GitHub repo whose Gradle file made me curious enough to research and share my findings.
I found that there are a lot of ways to handle such problems, but the simplest way needs changes only in the .gitignore file and the app/build.gradle file, using something called Gradle Variables.
So just to summarize, here is a hypothetical scenario:
- I am using a particular key (say o1234abcd) that is used to access a particular news server. I want to share my app on GitHub, but that key is precious to me and, if misused, might cost me.
- I also bought a premium plan of that news server and now I have an even more precious key (say p1234abcd). I only want to use this key in my release build, and nowhere else.
Both of these cases are handled pretty well by Gradle variables.
Some Practical implementation.
We can manage our keys using Gradle variables in only 3 simple steps:
1. We create a folder in the project root, say secure, and add some properties files:
for debug, we add the following content in debug_creds.properties:
KEY_USER = "o1234abcd"
for release, we add in release_creds.properties:
KEY_USER = "p1234abcd"
2. Then we access the variables from the properties files in app/build.gradle.
3. Then we can simply access the keys in an activity or anywhere else using the following code (note: you would need to rebuild your project before this segment works):
val key = BuildConfig.KEY_USER
And you are done! The next time you sign your app and create a release version, the KEY_USER from the release_creds.properties file will automatically get picked for the signed app, while the debug key from the debug_creds.properties file will be used every time you create a build using the top green arrow.
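Step 2 as an added example (not the author's original build file): one way app/build.gradle can read the two properties files and expose KEY_USER through BuildConfig. The Groovy DSL, the helper names loadCreds and requireQuoted, and the fail-fast checks are assumptions; the folder, file and key names are the ones used above.

```groovy
// app/build.gradle (Groovy DSL). Added example, not the author's original file.

// Load one properties file from the secure/ folder in the project root.
// On a fresh clone the folder is absent (it is git-ignored), so fail with a
// clear message instead of silently building with a null key.
def loadCreds = { String fileName ->
    def credsFile = rootProject.file("secure/${fileName}")
    if (!credsFile.exists()) {
        throw new GradleException("Missing ${credsFile}: create it locally, it is not in the repo")
    }
    def props = new Properties()
    credsFile.withInputStream { props.load(it) }
    return props
}

// buildConfigField writes its third argument verbatim into BuildConfig.java,
// so the value must already be a quoted Java string literal. That is why the
// properties files store KEY_USER = "o1234abcd" with the quotes included.
def requireQuoted = { Properties props, String name ->
    def value = props.getProperty(name)?.trim()
    if (!value || !(value ==~ /"[^"]+"/)) {
        throw new GradleException("${name} must be set as a quoted string, e.g. ${name} = \"...\"")
    }
    return value
}

android {
    // namespace, compileSdk, defaultConfig etc. stay as they are in your project.

    buildFeatures {
        buildConfig true   // required on Android Gradle Plugin 8+, where BuildConfig is off by default
    }

    // Both build types are configured on every build, so both files must exist locally.
    buildTypes {
        debug {
            def creds = loadCreds("debug_creds.properties")
            buildConfigField "String", "KEY_USER", requireQuoted(creds, "KEY_USER")
        }
        release {
            def creds = loadCreds("release_creds.properties")
            buildConfigField "String", "KEY_USER", requireQuoted(creds, "KEY_USER")
        }
    }
}
```

Values set through buildConfigField are compiled into the APK as string constants, so this keeps the keys out of the repository but not out of the shipped binary.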
If you want to share your code on a public Git-based platform, like GitHub or GitLab, but don't want to share your keys, then you can simply add the line secure/* in a .gitignore file. This will let Git know that the content of the secure folder does not need to be pushed to the repo.
That's all folks! I have also created a sample repo here and included some links for more info. Do press that👋 if you liked it. Suggestions and discussions are always welcome in the comments!
This is Ansh Sachdeva Signing off👋