Hide key and credentials

My complete project contains keys and other information which can not be hidden as fdroid only accept public repository because of security reasons .
If I don’t upload my app will not work properly.

What is the best way to hide them?

As fdroid only support public repository. So how can I avoid that.


Am I understanding your question correctly? You want to know how to hide what F-Droid says must be public?

From the inclusion policy:

F-Droid does not sign up for any API keys. Even if provided by a third party, we include them in both, binary and sourcecode releases


Many apps prompt the user to request API keys themselves (eg. weather APIs etc.) by providing them a link where they can get the code and a textbox in which they must paste the code.

It’s not the best was in terms of UX though.

Alternatively you could try to obfuscate the codes somehow (security through obscurity), but there will always be a way for potential attackers to get them.

1 Like

Actually my weather app need api key which is paid one not able to find out how to add it on public repo. Can I tag the app as asset so that fdroid will pickup that app from release branch? Really wanted to keep playstore and fdroid version same.

I’m not sure what you mean by that. FDroid will in any case build your app from source code.

@vanitasvitae yes. thats true. so there is actually no other way.

API Keys are usually about rate limiting, not private access. So just include them in the source. They will be included in the APK anyway, and it is really easy to disassemble APKs to get the strings out of them. So putting them in the source only makes it slightly easier for someone to find.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.