How to protect API keys and secrets in mobile apps

You can encrypt or break up the strings in your source code and only join them at runtime to make it harder for an attacker to extract your keys. Alternatively, you can use tools such as ProGuard or DexGuard to obfuscate your code.

However, these approaches only make it harder, not impossible and a determined attacker will always be able to extract strings from symbol table.

This is true of almost all web services such as AWS, Firebase, Facebook etc

Therefore, we recommend using user authentication to ensure that even if someone has the API key and can communicate with an API, they must then authenticate before they can do anything with it.

Uday Ogra

Connect with me at and lets have some healthy discussion :)

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *