On the security of Google Secrets

From cryptax.medium.com

The Google Secrets Gradle plugin is “for providing your secrets securely to your Android project”. I would like to make it clear in this article that it does not make your secrets safe from reverse engineering: they remain very easy to recover. Its only purpose is to move the secrets into a file that you do not commit to your version control system. If this is already clear to you, skip to the last section, “how can I keep my secrets confidential”.

The disclaimer on the Google Secrets GitHub page is explicit:

DISCLAIMER: This plugin is primarily for hiding your keys from version control. Since your key is part of the static binary, your API keys are still recoverable by decompiling an APK. So, securing your key using other measures like adding restrictions (if possible) are recommended.

However, titles such as “How to Hide API and Secret Keys in Android Studio” or “Hide your API keys on Android” can mislead developers and make them think this is some sort of secure storage facility. Don’t misunderstand me: I am not saying those links are wrong or bad, just that someone who reads them quickly will probably think Google Secrets is more than it really is.

Testing Google Secrets

I tested Google Secrets in a simple Android application. The secrets are stored in an external file, e.g. secrets.properties, which should not be committed to git. That is the sole purpose of Google Secrets. The filename is configurable in your module’s build.gradle. Follow this link to set up your Android project, and this link for a working example.
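The following is an added example, not code from the article or from the Google Secrets plugin. It illustrates the point above as a pre-release audit: it parses the same kind of secrets.properties file the plugin reads, then scans a built APK (which is a zip archive) for the raw bytes of each value. Because the plugin only copies the values into BuildConfig and manifest placeholders, a plain byte search is enough to find them. The “APK” here is a constructed in-memory archive with a fake DEX entry, so the script runs offline; the property names and values are constructed samples, not real keys.

```python
"""
Added example: audit whether values from secrets.properties are present in
cleartext inside a built APK. Demonstrates why the plugin's own disclaimer
says the keys remain recoverable, and why API-side restrictions are needed.
"""
import io
import re
import zipfile


def parse_properties(text: str) -> dict:
    """Parse the subset of Java .properties syntax a secrets file uses:
    key=value (or key:value) lines; '#'/'!' comments and blank lines are skipped."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            secrets[m.group(1)] = m.group(2)
    return secrets


def find_secrets_in_apk(apk_bytes: bytes, secrets: dict) -> dict:
    """Return {property name: [archive entries containing its value]}.

    Every entry of the archive is searched for the UTF-8 bytes of each value.
    This only detects cleartext copies; it says nothing about whether a value
    could also be recovered from an obfuscated or encoded form."""
    hits = {key: [] for key in secrets}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            data = apk.read(entry.filename)
            for key, value in secrets.items():
                if value and value.encode("utf-8") in data:
                    hits[key].append(entry.filename)
    return hits


def build_fake_apk(secrets: dict) -> bytes:
    """Constructed stand-in for a real build output (hypothetical layout).

    A real APK carries BuildConfig string constants in the DEX string pool;
    here the values are simply placed after a DEX-like magic prefix so the
    example runs without an Android toolchain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        dex = b"dex\n035\0" + b"".join(v.encode("utf-8") + b"\0" for v in secrets.values())
        apk.writestr("classes.dex", dex)
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


# Constructed sample secrets file; the values are not real credentials.
SAMPLE_PROPERTIES = """\
# never commit this file
MAPS_API_KEY=AIza-CONSTRUCTED-EXAMPLE-KEY
BACKEND_TOKEN=tok_example_12345
"""


def audit(properties_text: str, apk_bytes: bytes) -> dict:
    """Map each property name to True if its value is found in the APK."""
    secrets = parse_properties(properties_text)
    hits = find_secrets_in_apk(apk_bytes, secrets)
    return {key: bool(entries) for key, entries in hits.items()}


if __name__ == "__main__":
    apk = build_fake_apk(parse_properties(SAMPLE_PROPERTIES))
    for name, exposed in audit(SAMPLE_PROPERTIES, apk).items():
        print(f"{name}: {'EXPOSED in APK' if exposed else 'not found'}")
```

Run against a real build, replace build_fake_apk with the bytes of the release APK. A True result for a property is the expected outcome with this plugin; it is the signal to treat that value as public and rely on server-side restrictions (key scoping, package-name and certificate binding, quotas) rather than on the binary keeping it confidential.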
