Question

I was making an application using the TMDB API and have been making a few REST requests in order to fetch the requested data. I was wondering if it was possible for a hacker to sniff the URL and retrieve the API key, as the key is present in the URL.

If yes, how shall I protect the key?

Solution

Simply put, you cannot protect your API key as long as it remains in the android application. Even if you encrypt the API key somehow, people who reverse engineer your app (decompiling) can retrieve the API key, as your decryption key also needs to be somewhere in the APK (otherwise your app cannot use the API key).

The only solution is to off-load the processing with the API key to your own server, and have a secure way of letting your app communicate with that server (meaning SSL).

That way, you move to a single point of failure security-wise (your server) instead of a huge number of mobile apps that can be reverse-engineered and are difficult to track (different versions installed over time).
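The server-side layout this answer recommends, as an added example that is not part of the original answer: a small proxy that holds the TMDB key, accepts requests from the app authenticated by a per-client bearer token, forwards only an allow-listed set of TMDB endpoints, and attaches the key itself. The `/search/movie` and `/movie/` endpoints, the token value and the placeholder key are constructed for the example; how tokens are issued and rotated is out of scope here.

```python
"""Minimal key-holding proxy: the Android app calls this server with a
per-client token; only the server knows the TMDB key and talks to TMDB."""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import urlopen

TMDB_BASE = "https://api.themoviedb.org/3"

# Constructed placeholder: in a real deployment the key comes only from the
# server's environment or a secrets store, never from the client.
TMDB_API_KEY = os.environ.get("TMDB_API_KEY", "srv-only-key-CONSTRUCTED")

# Constructed set of tokens this server has issued to app installs/users.
# Issuing and rotating them (login, attestation, ...) is out of scope here.
CLIENT_TOKENS = {"client-token-CONSTRUCTED"}

# Only forward the endpoints the app actually needs; anything else is refused,
# so a stolen client token cannot turn the proxy into an open TMDB relay.
ALLOWED_PATH_PREFIXES = ("/search/movie", "/movie/")


def is_authorized(headers):
    """Check the app's bearer token with a constant-time comparison."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    token = auth[len("Bearer "):]
    return any(hmac.compare_digest(token, t) for t in CLIENT_TOKENS)


def build_upstream_url(client_target):
    """Turn the path+query the app requested into the TMDB URL, attaching the
    API key on the server side. Any api_key the client sent is discarded."""
    parts = urlsplit(client_target)
    if not parts.path.startswith(ALLOWED_PATH_PREFIXES) or ".." in parts.path:
        raise PermissionError("endpoint not allowed: " + parts.path)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "api_key"]
    params.append(("api_key", TMDB_API_KEY))
    return TMDB_BASE + parts.path + "?" + urlencode(params)


def proxy_request(client_target, headers, fetch):
    """Core handler, separated from the HTTP plumbing so it can be tested
    offline: fetch(url) -> (status, body_bytes) performs the upstream call."""
    if not is_authorized(headers):
        return 401, json.dumps({"error": "unauthorized"}).encode()
    try:
        upstream = build_upstream_url(client_target)
    except PermissionError as exc:
        return 403, json.dumps({"error": str(exc)}).encode()
    return fetch(upstream)


def fetch_from_tmdb(url):
    """Real upstream call; only the server ever sees this URL (and the key)."""
    with urlopen(url, timeout=10) as resp:
        return resp.status, resp.read()


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = proxy_request(self.path, self.headers, fetch_from_tmdb)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run this behind a TLS terminator (or wrap the listening socket with ssl)
    # so the client token is not readable on the wire.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The app now only ever sees its own token and the proxy's URL, so decompiling the APK yields nothing that works directly against TMDB; the allow-list and the stripping of any client-supplied `api_key` keep the proxy from becoming a generic relay for whoever extracts a token.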

OTHER TIPS

There are a couple of solutions but not all are easy to pull off.

If you are afraid of man-in-the-middle attacks when doing HTTP requests, you might want to consider using HTTPS. Then all data, including the URL, is encrypted. This is highly dependent on the server, since it is the server that must handle the HTTPS requests instead of HTTP.

If you are afraid of people reverse-engineering your dexed and compiled APK, you might want to consider obfuscation. This will not make your APK un-reversible, but it will at least make it much harder to reverse.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow