This plugin allows any Android developer to deeply hide secrets in its project. It is an OSS equivalent of what DexGuard can offer to prevent credentials harvesting.
It uses a combination of obfuscation techniques to do so :
- secret is obfuscated using the reversible XOR operator, so it never appears in plain sight,
- obfuscated secret is stored in a NDK binary as an hexadecimal array, so it is really hard to spot / put together from a disassembly,
- the obfuscating string is not persisted in the binary to force runtime evaluation (ie : prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
- optionally, anyone can provide its own encoding / decoding algorithm when using the plugin to add a security layer.
This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.
This gradle plugin can be used with any Android project in Java or Kotlin.
In your Module level build.gradle
:
plugins {
id "com.klaxit.hiddensecrets" version "0.2.1"
}
ℹ️ If your project sync triggers the issue Could not find com.android.tools.build:gradle:X.Y.Z
, please use the legacy plugin application below.
Add these lines at the beginning of your Module level build.gradle
:
buildscript {
repositories {
google()
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.2.1"
}
}
apply plugin: 'com.klaxit.hiddensecrets'
For more details about the installation check the plugin's page on gradle.org.
Obfuscate and hide your key in your project :
./gradlew hideSecret -Pkey=yourKeyToObfuscate [-PkeyName=YourSecretKeyName] [-Ppackage=com.your.package] [-PcertKey=xxxxxxxdddddddddxxxxxxdddddddd]
The parameter keyName
is optional, by default the key name is randomly generated.
The parameter package
is optional, by default the applicationId
of your project will be used.
Enable C++ files compilation by adding this lines in the Module level build.gradle
:
android {
...
// Enable NDK build
externalNativeBuild {
cmake {
path "src/main/cpp/CMakeLists.txt"
}
}
}
👏 Now you can get your secret key from Java/Kotlin code by calling :
// Kotlin
val key = Secrets().getYourSecretKeyName(Certificate().getCertificate(context))
// Java
final String key = new Secrets().getYourSecretKeyName(new Certificate().getCertificate(context))
You can improve the security of your keys by using your own custom encoding / decoding algorithm. The keys will be persisted in C++, additionally encoded using your custom algorithm. The decoding algorithm will also be compiled. So an attacker will also have to reverse-engineer it from compiled C++ to find your keys.
As an example, we will use a rot13 algorithm to encode / decode our key. Of course, don't use rot13 in your own project, it won't provide any additional security. Find your own "secret" encoding/decoding algorithm!
After a rot13 encoding your key yourKeyToObfuscate
becomes lbheXrlGbBoshfpngr
.
Add it in your app :
./gradlew hideSecret -Pkey=lbheXrlGbBoshfpngr -PkeyName=YourSecretKeyName
Then in secrets.cpp
you need to add your own decoding code in customDecode
method:
void customDecode(char *str) {
int c = 13;
int l = strlen(str);
const char *alpha[2] = { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
int i;
for (i = 0; i < l; i++)
{
if (!isalpha(str[i]))
continue;
if (isupper(str[i]))
str[i] = alpha[1][((int)(tolower(str[i]) - 'a') + c) % 26];
else
str[i] = alpha[0][((int)(tolower(str[i]) - 'a') + c) % 26];
}
}
This method is automatically called and will revert the rot13 applied on your key when you will call :
Secrets().getYourSecretKeyName(certKey)
You can generate secrets from properties file as well.
If you are using CI system to provide secrets, that are not hard-coded into the repository itself. It will re-generate those secrets in the app and build it.
This is useful if you want to split production keys from repository itself, thus increasing security in your project repository.
- Create a new properties file in root project directory.
credentials.properties
- Fill in wanted secrets. For ex.:
keyName1=yourKeyToObfuscate1
keyName2=yourKeyToObfuscate2
- Run
./gradlew hideSecretFromPropertiesFile -PpropertiesFileName=credentials.properties
It will regenerate all secret files in the project and update all secrets from the properties file.
Copy required files to your project :
./gradlew copyCpp
./gradlew copyKotlin [-Ppackage=your.package.name]
Create an obfuscated key and display it :
./gradlew obfuscate -Pkey=yourKeyToObfuscate [-Ppackage=com.your.package]
This command can be useful if you modify your app's package name based on buildTypes
configuration. With this command you can get the obfuscated key for a different package name and manually integrate it in another function in secrets.cpp
.
Pull Requests are very welcome!
To get started, checkout the code and run ./gradlew build
to create the .jar
file in /build/libs/
.
Before opening a PR :
- make sure that you have tested your code carefully
./gradlew test
must succeed./gradlew detekt
must succeed to avoid any style issue
See the list of contributors who participated in this project.
Please see LICENSE