Protecting API keys in app


If we make an Android app using Ionic, is there a way the remote user can extract the API key from the app package?


API keys should be fine if exposed, but secret keys are a different story.

Any client side app can be decompiled if the user is dedicated enough. Android apps can be decompiled to raw source code with just two commands. Doesn’t matter if they’re native or Ionic.

Be careful what you hard code.


So how do you go about storing/accessing secret keys?



To be honest, from the research myself and my team have done on the topic, it’s a problem that hasn’t really been solved, native or hybrid.

On native, the “best practice” is to split the key up into multiple encrypted files and put all the pieces together at runtime… security through obscurity.

But perhaps @max has some better advice. 🙂
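
A pre-release check that follows from the "be careful what you hard code" advice above, as an added example that is not code from any poster in this thread: it opens a built APK as a zip archive and lists credential-like literals in the Ionic web bundle, so each one can be reviewed as either an exposable API key or a secret that must not ship. The regex, the function names and the sample APK contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Cordova-based Ionic builds ship the web bundle under assets/www/,
# Capacitor-based ones under assets/public/.
WEB_ASSET_PREFIXES = ("assets/www/", "assets/public/")

# Illustrative pattern (an assumption, not an exhaustive rule set): an
# identifier containing a credential-like word, assigned a quoted literal.
HARDCODED = re.compile(
    rb"""(?i)([A-Za-z0-9_]*(?:secret|api[_-]?key|token|password)[A-Za-z0-9_]*)["']?\s*[:=]\s*["'][A-Za-z0-9_\-/+=]{16,}["']"""
)


def scan_apk(apk_bytes):
    """Return (path, line number, identifier) for each hard-coded literal."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith(WEB_ASSET_PREFIXES):
                continue  # only the web bundle is inspected here
            for lineno, line in enumerate(apk.read(name).splitlines(), 1):
                # finditer: a minified bundle can hold several hits per line
                for match in HARDCODED.finditer(line):
                    findings.append((name, lineno, match.group(1).decode()))
    return findings


def build_sample_apk():
    """Constructed stand-in for a built APK; all values are made up."""
    bundle = (
        "const cfg = {\n"
        '  apiKey: "CONSTRUCTED_PUBLIC_KEY_0001",\n'
        '  clientSecret: "CONSTRUCTED_SECRET_VALUE_0002"\n'
        "};\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/www/main.js", bundle)
        apk.writestr("assets/www/index.html", "<html></html>\n")
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, lineno, ident in scan_apk(build_sample_apk()):
        print(f"{path}:{lineno}: review hard-coded value for {ident}")
```

A clean result only means this pattern found nothing; it does not show that a packaged value is safe from extraction.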