Best way to store secret keys in Android applications

Question 1

Yes, you can create a folder outside of source control, put a file called app.properties in there, put your key in that properties file and add the folder to your build path. Then use a properties loader to load it from the classpath.

If you have many developers or more than one dev machine, you can set the local properties location as a variable in your build path so that each developer can configure their own.

Question 2

One option is to put the key in an environment variable and then read it during your build.

in your pom.xml declare a property (secret.key)

<properties>
   <secretKey>${env.SECRET_KEY}</secretKey>
<properties>

further down enable "filtering" on your resources

  <resource>
        <directory>src/main/resources</directory>
        <filtering>true</filtering>
  </resource>

In resources maintain a "config.properties" to read with the variable ready for substitution:

secret_key=${secretKey}

Filtering in maven will replace ${secret.key} with the value from your environment variable.

If you are using gradle for your build with Android studio see section 16.6.6.2 on filtering files.

Within build.gradle add the following

import org.apache.tools.ant.filters.FixCrLfFilter
import org.apache.tools.ant.filters.ReplaceTokens

task copyProductionConfig(type: Copy) {
  from 'source'
  include 'config.properties'
  into 'build/targetpath/config'
  expand([
    secretKey: System.getenv("SECRET_KEY")

  ])
}

In gradle you can also request input when you run gradlew using

Console console = System.console()
def password = console.readPassword("Enter Secret Key: ")

And then apply it to the appropriate config or source files.