I wrote the API key in the local.properties file like most people recommend, and then saved it in BuildConfig using com.google.android.libraries.mapsplatform.secrets so that it can be referenced in code.
And when I reviewed it in the Google console, I got an error message saying that the AWS key obtained by referring to BuildConfig in the class that extends Application is not suitable for security.
The message referred both to the exact line that referenced BuildConfig and to the class itself.
After receiving the error message, I obfuscated it using ProGuard, and the error referring to the line disappeared, but the error referring to the class itself remains.
This is the error message:
(1) Amazon Web Services credentials may be exposed
Your Amazon Web Services credentials may be exposed.
This exposure of your credentials could lead to unauthorized access to your AWS account, which may include associated excessive charges, and potentially unauthorized access to your data and your users' data.
(2) Leaked AWS credentials Your app contains Exposed Amazon Web Services Credentials.
Vulnerable classes:
com.{myPackage}.GlobalApplication
sv:deadline:05/23/2022
What should I do?
CodePudding user response:
The `BuildConfig` class is actually plain text in your APK.
The safest way to go (as I understand it) is storing it remotely (feel free to use whatever service you wish), then fetch the key in runtime.
You may cache it encrypted using the Android Crypto library while the random encryption key is safely stored in `AndroidKeyStore`.
Before fetching the API key, verify that:
- Your app is not being debugged (some `isDebugging` or `isDebugged` function, as far as I remember).
- Your app was not repackaged, by validating the hash of the certificate used to sign your app.
These are the basic security measures I could think of; there are many more ways to fortify your app & access.
Even though it's not your case, it's worth mentioning that sometimes, to make the code much simpler, you knowingly agree to save the API key as plain text. This is for cases where you know and accept the price of the API key being stolen - mostly if the API cannot be used to fetch sensitive data.
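As an added illustration of the steps in the answer above (not code from the question, the answer, or any library), here is a hypothetical `ApiKeyProvider` that refuses to hand out the key while debuggable or when the APK signer does not match, fetches the key through a caller-supplied network call, and caches it in `EncryptedSharedPreferences` (androidx `security-crypto`, whose master key lives in `AndroidKeyStore`). `EXPECTED_SIGNER_SHA256` is a placeholder you would replace with the SHA-256 of your release signing certificate.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Debug
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.MessageDigest

// Hypothetical helper (example only). EXPECTED_SIGNER_SHA256 is a placeholder for
// the hex SHA-256 of your release signing certificate; compute it once from your keystore.
object ApiKeyProvider {
    private const val EXPECTED_SIGNER_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX"
    private const val PREFS = "api_key_cache"
    private const val KEY = "aws_key"

    /** True when a debugger is attached or the build is marked debuggable. */
    fun isBeingDebugged(ctx: Context): Boolean =
        Debug.isDebuggerConnected() ||
            (ctx.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0

    /** True only when every signer of the installed APK matches the expected release cert (API 28+). */
    fun isSignatureValid(ctx: Context): Boolean {
        val info = ctx.packageManager.getPackageInfo(
            ctx.packageName, PackageManager.GET_SIGNING_CERTIFICATES
        )
        val signers = info.signingInfo?.apkContentsSigners ?: return false
        val sha256 = MessageDigest.getInstance("SHA-256")
        return signers.all { sig ->
            sha256.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
                .equals(EXPECTED_SIGNER_SHA256, ignoreCase = true)
        }
    }

    /**
     * Returns the API key from the encrypted cache, or fetches it via [fetchRemote]
     * (your own network call) and caches it. Returns null when the environment
     * checks fail, so the key never reaches a debugged or repackaged app.
     */
    fun getApiKey(ctx: Context, fetchRemote: () -> String): String? {
        if (isBeingDebugged(ctx) || !isSignatureValid(ctx)) return null
        val masterKey = MasterKey.Builder(ctx)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()   // key kept in AndroidKeyStore
        val prefs = EncryptedSharedPreferences.create(
            ctx, PREFS, masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
        prefs.getString(KEY, null)?.let { return it }
        val fresh = fetchRemote()
        prefs.edit().putString(KEY, fresh).apply()
        return fresh
    }
}
```

Call it as `ApiKeyProvider.getApiKey(context) { yourBackend.fetchKey() }` from a background thread, since the remote fetch must not run on the main thread.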