How to Keep API Keys Out of GitHub Repositories

Written by marwaeltayeb | Published 2022/02/24
Tech Story Tags: programming | android-app-development | github | software-engineering | java | kotlin | api | repositories-on-github

TLDRWhen you upload your Android app on GitHub, you need to hide it as no one has access to it except you. It is not good to push your secret things into a public repository as other people could use up your limited API calls. Sharing of API keys becomes more of a concern if the API key authenticates someone for access to a subset of data. I am going to show you how you can hide your API key in a file called gradle.properties in the Gradle folder.via the TL;DR App

When you upload your Android app on GitHub, you need to hide it as no one has access to it except you. It is considered a security glitch, so that’s why it is important to hide your API key. I am going to show you how you can do that easily.

Some Developers store their API key in a String variable like this.

private static final String APK_KEY = "asjsdakf4d3ggs2ytm4x";

It is not good to push your secret things into a public repository as other people could use up your limited API calls. That’s probably the least concerning the situation. Sharing of API keys becomes more of a concern if the API key authenticates someone for access to a subset of data.

So, let’s see how we can do that.

  1. Add the API key to your local.properties file:

apiKey="Your Key"

  1. Add these two lines to the root level of your app-level build.gradle file:

def localProperties = new Properties()
localProperties.load(new FileInputStream(rootProject.file("local.properties")))

  1. Add this following line to your app-level build.gradle file:

android {
  
  defaultConfig {
     // ...
     buildConfigField "String", "API_KEY",localProperties['apiKey']
  }
    
}

4. Sync Gradle and build the project. You can now reference the key:

String apiKey = BuildConfig.API_KEY;

Another way to do that:

  1. First, create a file called gradle.properties in .gradle folder

- Drive C
 - Users folder
  - your user folder
   - .gradle folder
   Create it here
   - gradle.propertiesThen, write your APPNAME_API_KEY = "asjsdakf4d3ggs2ytm4x" inside it.
Save it as PROPERTIES File by enclosing with double quotes like this "gradle.properties"

  1. The next step is to go to module-level build.gradle file in your project

Then, put your API key for debug and release purposes under buildTypes tree.

buildConfigField ‘String’, “ApiKey”, APPNAME_API_KEY

It will be like this:

buildTypes {
        debug{
            buildConfigField 'String', "ApiKey", APPNAME_API_KEY
        }
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
            buildConfigField 'String', "ApiKey", APPNAME_API_KEY
        }
    }

Sync it.

  1. Last step, is to access your APK key in your Java file

private static final String API_KEY = BuildConfig.ApiKey;

If ApiKey goes red, press the “Make Project” button or use Ctrl+F9

Sounds pretty easy, does it?. Whenever you upload your Android project on GitHub, the person that uses your repository will not be able to figure out what your API key is. Therefore, you are secure NOW.

Find me on GitHub | LinkedIn | Twitter

Written by marwaeltayeb | Android Developer
Published by HackerNoon on 2022/02/24
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy