klaxit / hidden-secrets-gradle-plugin

🔒 Deeply hide secrets on Android
MIT License

Existential crisis #32

Closed houmie closed 3 years ago

houmie commented 3 years ago

Hey guys,

I'm doubting my approach, if my API token is protected by this plugin like this:

val headers = HashMap<String, String>()
// The token is reconstructed at runtime by the plugin's generated Secrets class.
headers["api-token"] = Secrets().getApiTokenProd(requireContext().packageName)
ApiService.getServerStatus(headers)

Couldn't the hacker that got his hands on the code via disassembly simply set a breakpoint there and read the token? How have I protected the token then? 🤔

ben-j69 commented 3 years ago

Hello @houmie, as said in the Readme, nothing is unbreakable. But a hacker should not be able to execute your code in an IDE with all keys set up inside.

If you are worried about your code accessibility in production, I encourage you to use obfuscation of your code provided by, for example, ProGuard.

houmie commented 3 years ago

Hi Ben,

Thank you for your reply. Yes, you are right. They can see the code after a disassembly, but they won't be able to run it in an IDE like I would do. Hence it's important to hide the obvious tokens from plain sight, so that they can't read them to access the API.

I have one last question. Why is the name -PkeyName usually autogenerated, unless explicitly specified? If they can't read the key value, why does it matter whether I named it ProductionToken or something unrecognisable?

Thanks, Houman

ben-j69 commented 3 years ago

@houmie your code can be extracted and some values can be read. The key name is random by default, but you can provide the name you want. It is your choice.

To understand more about how this library works, you can decompile your apk file and see what hackers can see with apktool: https://ibotpeaches.github.io/Apktool/
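The check ben-j69 suggests in the last comment (look at the built artifact the way an outsider would) can be automated as a release-time audit: confirm that the plaintext token you fed to the plugin no longer appears anywhere in the APK, in raw UTF-8, UTF-16 or base64 form. The script below is an added example and not part of the plugin or this thread; it treats the APK as the zip archive it is, and the sample APK it builds is constructed in-memory (the `classes.dex`, `res/raw/config.json` and `libsecrets.so` contents are fake stand-ins, not real build output). The XOR-by-0x5A stored in the fake native library is only there to model "not in plain sight" and says nothing about how the plugin actually encodes secrets.

```python
import base64
import io
import zipfile


def encodings_of(secret: str) -> dict[str, bytes]:
    """Byte patterns a plaintext secret commonly leaves behind in a build."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
    }


def scan_apk(apk_bytes: bytes, secret: str) -> list[tuple[str, str]]:
    """Return (entry_name, encoding) pairs where the secret appears verbatim.

    Every zip entry (dex, resources, native libs, assets) is decompressed and
    searched; a hit means the secret is readable with nothing more than unzip.
    """
    hits: list[tuple[str, str]] = []
    patterns = encodings_of(secret)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            for enc, pattern in patterns.items():
                if pattern in data:
                    hits.append((info.filename, enc))
    return hits


def build_sample_apk(secret: str) -> bytes:
    """Constructed stand-in for an APK: a zip with a few typical entries.

    Two entries leak the secret (plain and base64); the fake native library
    stores it XORed with a constant (hypothetical scheme, not the plugin's).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Dex that still carries the token as a plain string constant.
        zf.writestr("classes.dex", b"dex\n035\x00..." + secret.encode("utf-8") + b"...")
        # Resource carrying a base64 copy of the same token.
        zf.writestr(
            "res/raw/config.json",
            b'{"token":"' + base64.b64encode(secret.encode("utf-8")) + b'"}',
        )
        # Native library with the token XORed, so no plaintext pattern matches.
        xored = bytes(b ^ 0x5A for b in secret.encode("utf-8"))
        zf.writestr("lib/arm64-v8a/libsecrets.so", b"\x7fELF" + xored)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder token; in a real audit pass the value you gave
    # to the plugin and the bytes of app-release.apk read from disk.
    token = "prod-token-EXAMPLE-0000"
    for entry, encoding in scan_apk(build_sample_apk(token), token):
        print(f"secret found in {entry} as {encoding}")
```

Running the script against a real build is `scan_apk(open("app-release.apk", "rb").read(), token)`; an empty result only tells you the token is not sitting in the archive in one of these three encodings, which is exactly the "not in plain sight" property discussed above, not proof that a debugger cannot recover it at runtime.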