Hide key and credentials


#1

My complete project contains keys and other information which can not be hidden as fdroid only accept public repository because of security reasons .
If I don’t upload my app will not work properly.

What is the best way to hide them?

As fdroid only support public repository. So how can I avoid that.

Thanks
Biswajit


#2

Am I understanding your question correctly? You want to know how to hide what F-Droid says must be public?


#3

From the inclusion policy:

F-Droid does not sign up for any API keys. Even if provided by a third party, we include them in both, binary and sourcecode releases


#4

Many apps prompt the user to request API keys themselves (eg. weather APIs etc.) by providing them a link where they can get the code and a textbox in which they must paste the code.

It’s not the best was in terms of UX though.

Alternatively you could try to obfuscate the codes somehow (security through obscurity), but there will always be a way for potential attackers to get them.


#5

Actually my weather app need api key which is paid one not able to find out how to add it on public repo. Can I tag the app as asset so that fdroid will pickup that app from release branch? Really wanted to keep playstore and fdroid version same.


#6

I’m not sure what you mean by that. FDroid will in any case build your app from source code.


#7

@vanitasvitae yes. thats true. so there is actually no other way.


#8

API Keys are usually about rate limiting, not private access. So just include them in the source. They will be included in the APK anyway, and it is really easy to disassemble APKs to get the strings out of them. So putting them in the source only makes it slightly easier for someone to find.