anguzo
commented
3 months ago @ethanonfire When you create an APK, the code is stored in "dex" format, which can be reverse-engineered using tools like jadx. While the minified code is hard to read, it is not impossible to decipher. If your code contains secrets (e.g., passwords, tokens) as strings, these can be extracted from the APK.
Consider you need to access the OpenWeather API using an API key. Without a backend, the only place to store the token is in your app. As a skilled developer, you know storing the API key in your repository is bad practice. Instead, you use local.properties and read the key with Gradle to save it as BuildConfig.API_KEY in your app. However, if the APK is decompiled, BuildConfig.API_KEY will appear as a constant, with your API key stored as a plain string.
This is before using the hidden-secrets-gradle-plugin. After correctly implementing this plugin, your API key will be buried deeper within your application. It will still be retrievable, but it will require more skill from the hacker. A skilled hacker might not be interested in hacking a simple weather application.
This is one of many ways to secure your app and might be the only justifiable method if your app is the sole place to store your secret (e.g., if you don't use a backend or don't use Firebase).
can anyone explain briefly what are the differences between applying this plugin vs minify on android apps?
thanks!