[FR]: Securing Unsplash API Key in APK – Best Practices?

[Zorodebug5]

Is there an existing issue for this?

• I have searched the existing issues

Describe the problem

I’m currently integrating the Unsplash API into an Android app and I’m concerned about securing the API key inside the APK.

Right now, storing the key in the client feels unsafe. It’s quite easy to intercept traffic using tools like firda extract the API key from network requests.

I’d like to understand how you approach API key security in production apps:

Describe the solution

I did not find any safe way

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[guyslumclubxx]

Is there an existing issue for this?

• I have searched the existing issues

Describe the problem

I’m currently integrating the Unsplash API into an Android app and I’m concerned about securing the API key inside the APK.

Right now, storing the key in the client feels unsafe. It’s quite easy to intercept traffic using tools like firda extract the API key from network requests.

I’d like to understand how you approach API key security in production apps:

Describe the solution

I did not find any safe way

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[victor-denisenko]

Any Api key stored inside Apk can be compromised, even if encrypted.

Suggestions:

1. Don't store sensitive information inside apk.

2. If key provided by the user at runtime in any way, use EncryptedSharedPreferences from Jetpack Security or Android Keystore System to store it securely on the device.

3. If key provided to users by the app creator, then create your own backend server and route all Api calls through it. In this way key will be stored only on your server.

[amEya911]

You're right to be concerned about storing API keys directly in a mobile app. Since the APK can be reverse engineered and network traffic can be inspected, it's generally not possible to keep a client-side API key completely secure.

In production apps, the common approach is to avoid exposing the third-party API key in the client at all. Instead, the app communicates with a backend service, and that backend securely stores the API key and makes the requests to the external API.

If using a backend isn't possible, there are a few mitigations that are sometimes used, such as restricting the API key (if the provider supports it), monitoring usage and rate limits, or obfuscating the key in the APK. But these only reduce risk rather than fully securing it.

For a sample project like this one, it might be acceptable to keep the key in local.properties or BuildConfig since the focus is on demonstrating the app architecture rather than production-grade security. It could still be useful to document this so that developers understand the limitations.

[Zorodebug5]

but how firebase and googleservice.json file help?

[Zorodebug5]

the usage limit is killing me app