Securing Your Keys with Gradle Variables

Ansh Sachdeva
3 min read · Aug 16, 2020


How Gradle variables and .gitignore can save you from the pain of managing private keys.

Photo by Moja Msanii on Unsplash

Oftentimes I find myself in a situation where I have made a fine-looking app that I want to share with the open source world, but I worry that my app code contains several keys and IDs that might get misused.

At other times, I have to deploy an app to production using a particular ID that is different from the ID I am currently using for development.

Both of these cases always bug me, and I had been looking for a solution to them for quite a while. Recently I came across this GitHub repo whose Gradle file made me curious enough to research and share my findings.

I found that there are a lot of ways to handle such problems, but the simplest one needs changes only in the .gitignore file and the app/build.gradle file, using something called Gradle variables.

Requirement

So just to summarize, here is a hypothetical scenario:

  1. I am using a particular API key (say o1234abcd) to access a particular news server. I want to share my app on GitHub, but that key is precious to me and, if misused, might cost me.
  2. I also bought a premium plan for that news server, and now I have an even more precious key (say p1234abcd). I only want to use this key in my release build, and nowhere else.

Both of these cases are handled pretty well by Gradle variables.

Some Practical Implementation

We can manage our keys using Gradle variables in only 3 simple steps:

  1. We create a folder in the project root, say secure, and add two properties files.

     For debug, we add the following content to the debug_creds.properties file:

     KEY_USER = "o1234abcd"

     For release, we add the following to the release_creds.properties file:

     KEY_USER = "p1234abcd"

     The repository would look something like this.

  2. Then we read the variables from the properties files in app/build.gradle.

  3. Then we can simply access the key in an activity or anywhere else using the following code (note: you need to rebuild your project before this works):

val key = BuildConfig.KEY_USER

And you are done! The next time you sign your app and create a release version, the KEY_USER from the release_creds.properties file will automatically be picked for the signed app, while the debug key from the debug_creds.properties file will be used every time you create a build using the green arrow at the top.

If you want to share your code on a public Git-based platform, like GitHub or GitLab, but don't want to share your keys, then you can simply add the line secure/* to a .gitignore file. This lets Git know that the content of the secure folder does not need to be pushed to the repo.
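Step 2 above names app/build.gradle but the page does not show its contents. One way to write it is sketched below as an added example; it is not the author's file or the sample repo's code. It assumes the secure/ folder and file names from step 1, and `loadCreds` is a hypothetical helper name.

```groovy
// app/build.gradle (Groovy DSL): added example, not the author's original file.
// Assumes <project root>/secure/debug_creds.properties and
// <project root>/secure/release_creds.properties, each defining KEY_USER.

// Hypothetical helper: load one properties file from the secure/ folder
// and fail the build with a clear message if it is absent or incomplete.
def loadCreds = { String fileName ->
    def credsFile = rootProject.file("secure/${fileName}")
    if (!credsFile.exists()) {
        // secure/ is git-ignored, so a fresh clone will not contain it.
        throw new GradleException("Missing ${credsFile}; create it with a KEY_USER entry.")
    }
    def props = new Properties()
    credsFile.withInputStream { props.load(it) }
    if (!props.containsKey('KEY_USER')) {
        throw new GradleException("KEY_USER is not defined in ${credsFile}")
    }
    return props
}

android {
    // ... existing compileSdkVersion, defaultConfig, etc. stay unchanged ...

    // Needed on Android Gradle Plugin 8.0+, where BuildConfig generation
    // is off by default.
    buildFeatures { buildConfig true }

    // Gradle configures every build type on each run, so both files must
    // exist even when only the debug variant is being built.
    buildTypes {
        debug {
            // The value in the properties file already carries its double
            // quotes, which buildConfigField needs for a String literal.
            buildConfigField "String", "KEY_USER",
                    loadCreds('debug_creds.properties').getProperty('KEY_USER')
        }
        release {
            buildConfigField "String", "KEY_USER",
                    loadCreds('release_creds.properties').getProperty('KEY_USER')
        }
    }
}
```

BuildConfig.KEY_USER is compiled into the APK as a plain string constant, so this setup keeps the keys out of the repository, not out of the shipped app. A .gitignore entry also has no effect on files that were committed before it was added.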

End Notes

That’s all folks! I have also created a sample repo here and included some links for more info. Do press that 👋 if you liked it. Suggestions and discussions are always welcome in the comments!

This is Ansh Sachdeva signing off 👋

Credits
