Android Question Store API keys for backends/services

bluedude

Hi,

A new app called Packet Capture makes it very easy for any user/hacker to see what is going on in your app when calling backends and external services. Even SSL traffic can easily be seen.

This again brings up the discussion of how to safely call REST services inside B4A/Android when API keys need to be supplied.

I have tested several apps with Packet Capture and indeed I can debug any API call in an easy way.

I don't see a solution for this problem except by using a public/private key combination which is not available in our toolset yet.

Security is becoming a real issue in Android this way.

Any working suggestions?
 

bluedude

Erel, sure, you are right tool-wise, but this is a serious problem and we cannot neglect it. I'm using B4A, so I'm asking the developer of my favorite tool how we should handle it in B4A.

More and more apps are connected to backends, so this becomes a bigger issue over time.

I think the best way is to turn to public/private key solutions in B4A, but I'm not sure what would work.

I have several apps using backend services and I have done lots of work to hide keys in weird places. Till now it works, but when it becomes very, very easy to catch all traffic, all APIs become vulnerable. In the end it actually does not make sense anymore to use API keys.

Going to look around for a solution myself. Someone has done this before on either iOS or Android.

Cheers.
 