Gradle plugin to deeply hide secrets on Android
This plugin allows any Android developer to deeply hide secrets in its project. It is an OSS equivalent of what DexGuard can offer to prevent credentials harvesting.
It uses a combination of obfuscation techniques to do so :
- secret is obfuscated using the reversible XOR operator, so it never appears in plain sight,
- obfuscated secret is stored in a NDK binary as an hexadecimal array, so it is really hard to spot / put together from a disassembly,
- the obfuscating string is not persisted in the binary to force runtime evaluation (ie : prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
- optionally, anyone can provide its own encoding / decoding algorithm when using the plugin to add a security layer.
This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.
Compatibility
This gradle plugin can be used with any Android project in Java or Kotlin.
1 - Install the plugin
Using the plugins DSL
In your Module level build.gradle
:
plugins {
id "com.klaxit.hiddensecrets" version "0.2.1"
}
Could not find com.android.tools.build:gradle:X.Y.Z
, please use the legacy plugin application below.
Using legacy plugin application
Add these lines at the beginning of your Module level build.gradle
:
buildscript {
repositories {
google()
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.2.1"
}
}
apply plugin: 'com.klaxit.hiddensecrets'
For more details about the installation check the plugin's page on gradle.org.
2 - Hide secret key in your project
Obfuscate and hide your key in your project :
./gradlew hideSecret -Pkey=yourKeyToObfuscate [-PkeyName=YourSecretKeyName] [-Ppackage=com.your.package]
The parameter keyName
is optional, by default the key name is randomly generated.
The parameter package
is optional, by default the applicationId
of your project will be used.
3 - Get your secret key in your app
Enable C++ files compilation by adding this lines in the Module level build.gradle
:
android {
...
// Enable NDK build
externalNativeBuild {
cmake {
path "src/main/cpp/CMakeLists.txt"
}
}
}
// Kotlin
val key = Secrets().getYourSecretKeyName(packageName)
// Java
final String key = new Secrets().getYourSecretKeyName(getPackageName());
4 - (Optional) Improve your key security
You can improve the security of your keys by using your own custom encoding / decoding algorithm. The keys will be persisted in C++, additionally encoded using your custom algorithm. The decoding algorithm will also be compiled. So an attacker will also have to reverse-engineer it from compiled C++ to find your keys.
As an example, we will use a rot13 algorithm to encode / decode our key. Of course, don't use rot13 in your own project, it won't provide any additional security. Find your own "secret" encoding/decoding algorithm!
After a rot13 encoding your key yourKeyToObfuscate
becomes lbheXrlGbBoshfpngr
.
Add it in your app :
./gradlew hideSecret -Pkey=lbheXrlGbBoshfpngr -PkeyName=YourSecretKeyName
Then in secrets.cpp
you need to add your own decoding code in customDecode
method:
void customDecode(char *str) {
int c = 13;
int l = strlen(str);
const char *alpha[2] = { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
int i;
for (i = 0; i < l; i++)
{
if (!isalpha(str[i]))
continue;
if (isupper(str[i]))
str[i] = alpha[1][((int)(tolower(str[i]) - 'a') + c) % 26];
else
str[i] = alpha[0][((int)(tolower(str[i]) - 'a') + c) % 26];
}
}
This method is automatically called and will revert the rot13 applied on your key when you will call :
Secrets().getYourSecretKeyName(packageName)
Going further
Generate secrets from properties file
You can generate secrets from properties file as well.
Use case
If you are using CI system to provide secrets, that are not hard-coded into the repository itself. It will re-generate those secrets in the app and build it.
This is useful if you want to split production keys from repository itself, thus increasing security in your project repository.
Setting up
- Create a new properties file in root project directory.
credentials.properties
- Fill in wanted secrets. For ex.:
keyName1=yourKeyToObfuscate1
keyName2=yourKeyToObfuscate2
- Run
./gradlew hideSecretFromPropertiesFile -PpropertiesFileName=credentials.properties
It will regenerate all secret files in the project and update all secrets from the properties file.
Other available commands
Copy files
Copy required files to your project :
./gradlew copyCpp
./gradlew copyKotlin [-Ppackage=your.package.name]
Obfuscate
Create an obfuscated key and display it :
./gradlew obfuscate -Pkey=yourKeyToObfuscate [-Ppackage=com.your.package]
This command can be useful if you modify your app's package name based on buildTypes
configuration. With this command you can get the obfuscated key for a different package name and manually integrate it in another function in secrets.cpp
.
Development
Pull Requests are very welcome!
To get started, checkout the code and run ./gradlew build
to create the .jar
file in /build/libs/
.
Before opening a PR :
- make sure that you have tested your code carefully
./gradlew test
must succeed./gradlew detekt
must succeed to avoid any style issue
Authors
See the list of contributors who participated in this project.
License
Please see LICENSE