Removing API secrets from your public Android source code
Hi, I'm Chris Dawson a dad and writer from Portland, OR, now living in Florida. My book is Building Tools with GitHub from O'Reilly. I'm an inventor, have started several companies and worked for several non-startups like Apple and eBay. I am sometimes available for hire as a consultant or part time contributor.

(Cross posted from the Teddy Hyde blog)

A few weeks ago I open sourced Teddy Hyde on GitHub. I had forgotten, however, that my source code included the private GitHub API client secret. I reset them on GitHub so the client secret I had accidentally publicized was no longer valid. Then, I began modifying the source code to make sure that I build with the new secret but don’t include that in the source code.

The way to do this is to use a buildConfigField inside your Gradle build file. If you add variables using this method, Gradle creates and builds a special class for you called BuildConfig which you can reference inside your other classes. I wanted to make sure that when I build the app I specify the secret from the command line to avoid checking it into the source code.

The relevant lines inside the build.gradle look like this:

     buildTypes {
          release {
              signingConfig signingConfigs.release
            buildConfigField "String", "GITHUB_CLIENT_ID",
          ""$System.env.GITHUB_CLIENT_ID""
            buildConfigField "String", "GITHUB_CLIENT_SECRET",
          ""$System.env.GITHUB_CLIENT_SECRET""
          }
      }

These pull the variable from the environment and stick them inside a string. I can then reference them inside my class files using the identifier BuildConfig.GITHUB_CLIENT_SECRET;

The command line to build my app then looks like this:

    GITHUB_CLIENT_SECRET=abcdef34545 GITHUB_CLIENT_ID=12332123123 PASSWORD=MyKeyPassPwd STORE_FILE=~/android/keystore gradle assembleRelease

I could optimize this by pulling from a file outside of the source root and avoid even having the client secret and password inside my bash history file, but this works for now.

Here is the full diff of the code on GitHub.

Subscribe to RSS by tags if you only want certain types of posts. Or, subscribe to all posts.
Download
---
title: "Removing API secrets from your public Android source code"
description: ""
category: 
tags: []
published: true
---

([Cross posted from the Teddy Hyde blog](http://blog.teddyhyde.com/2014/05/14/removing-api-secrets-from-your-public-androidsource-code/))

A few weeks ago I open sourced [Teddy Hyde on
GitHub](http://github.com/xrd/TeddyHyde). I had forgotten, however,
that my source code included the private GitHub API client secret. I
reset them on GitHub so the client secret I had accidentally
publicized was no longer valid. Then, I began modifying the source
code to make sure that I build with the new secret but don't include
that in the source code.  

The way to do this is to use a `buildConfigField` inside your Gradle
build file. If you add variables using this method, Gradle creates and
builds a special class for you called `BuildConfig` which you can
reference inside your other classes. I wanted to make sure that when I
build the app I specify the secret from the command line to avoid
checking it into the source code. 

The relevant lines inside the `build.gradle` look like this:

```
     buildTypes {
          release {
              signingConfig signingConfigs.release
            buildConfigField "String", "GITHUB_CLIENT_ID",
          "\"$System.env.GITHUB_CLIENT_ID\""
            buildConfigField "String", "GITHUB_CLIENT_SECRET",
          "\"$System.env.GITHUB_CLIENT_SECRET\""
          }
      }
```

These pull the variable from the environment and stick them inside a
string. I can then reference them inside my class files using the
identifier `BuildConfig.GITHUB_CLIENT_SECRET;`

The command line to build my app then looks like this:

```
    GITHUB_CLIENT_SECRET=abcdef34545 GITHUB_CLIENT_ID=12332123123 PASSWORD=MyKeyPassPwd STORE_FILE=~/android/keystore gradle assembleRelease
```

I could optimize this by pulling from a file outside of the source
root and avoid even having the client secret and password inside my
bash history file, but this works for now.

Here is the [full diff of the code on GitHub](https://github.com/xrd/TeddyHyde/commit/92a2341169228eedd880408ee29f2f86a77bc5b8#diff-02a7c9304e405f42506e9dd385cf17b8).
View source to this post
Other interesting things:
<
>
Webiphany.com
https://webiphany.com
1
2
3
4
5
6
7
8
9
10
11
12
Resume
GitHub
Twitter
Email
Powered by Svekyll