klaxit / Hidden Secrets Gradle Plugin
Programming Languages
Projects that are alternatives of or similar to Hidden Secrets Gradle Plugin
Gradle plugin to deeply hide secrets on Android
This plugin allows any Android developer to deeply hide secrets in its project. It is an OSS equivalent of what DexGuard can offer to prevent credentials harvesting.
It uses a combination of obfuscation techniques to do so :
- secret is obfuscated using the reversible XOR operator so it never appears in plain sight,
- obfuscated secret is stored in a NDK binary as an hexadecimal array, so it is really hard to spot / put together from a disassembly,
- the obfuscating string is not persisted in the binary to force runtime evaluation (ie : prevent the compiler from disclosing the secret by optimizing the de-obfuscation logic),
- optionally, anyone can provide its own encoding / decoding algorithm when using the plugin to add an additional security layer.
This plugin is used in production at Klaxit - Covoiturage quotidien. Our engineering team at Klaxit will provide its best effort to maintain this project.
⚠️ Nothing on the client-side is unbreakable. So generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.
Compatibility
This gradle plugin can be used with any Android project in Java or Kotlin.
1 - Install the plugin
Using the plugins DSL
In your app level build.gradle
:
plugins {
id "com.klaxit.hiddensecrets" version "X.Y.Z"
}
Using legacy plugin application
Add these lines in your app level build.gradle
:
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:X.Y.Z"
}
}
apply plugin: 'com.klaxit.hiddensecrets'
For more details about the installation check the plugin's page on gradle.org.
2 - Hide secret key in your project
Obfuscate and hide your key in your project :
./gradlew hideSecret -Pkey=yourKeyToObfuscate [-PkeyName=YourSecretKeyName] [-Ppackage=com.your.package]
The parameter keyName
is optional, by default the key name is randomly generated.
The parameter package
is optional, by default the applicationId
of your project will be used.
3 - Get your secret key in your app
Enable C++ files compilation by adding this lines in the app level build.gradle
:
android {
...
// Enable NDK build
externalNativeBuild {
cmake {
path "src/main/cpp/CMakeLists.txt"
}
}
}
👏 Now you can get your secret key from Java/Kotlin code by calling :
// Kotlin
val key = Secrets().getYourSecretKeyName(packageName)
// Java
final String key = new Secrets().getYourSecretKeyName(getPackageName());
4 - (Optional) Improve your key security
You can improve the security of your keys by using your own custom encoding / decoding algorithm. The keys will be persisted in C++, additionally encoded using your custom algorithm. The decoding algorithm will also be compiled. So an attacker will also have to reverse-engineer it from compiled C++ to find your keys.
As an example, we will use a rot13 algorithm to encode / decode our key. Of course, don't use rot13 in your own project, it won't provide any additional security. Find your own "secret" encoding/decoding algorithm!
After a rot13 encoding your key yourKeyToObfuscate
becomes lbheXrlGbBoshfpngr
.
Add it in your app :
./gradlew hideSecret -Pkey=lbheXrlGbBoshfpngr -PkeyName=YourSecretKeyName
Then in secrets.cpp
you need to add your own decoding code in customDecode
method:
void customDecode(char *str) {
int c = 13;
int l = strlen(str);
const char *alpha[2] = { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
int i;
for (i = 0; i < l; i++)
{
if (!isalpha(str[i]))
continue;
if (isupper(str[i]))
str[i] = alpha[1][((int)(tolower(str[i]) - 'a') + c) % 26];
else
str[i] = alpha[0][((int)(tolower(str[i]) - 'a') + c) % 26];
}
}
This method is automatically called and will revert the rot13 applied on your key when you will call :
Secrets().getYourSecretKeyName(packageName)
Other available commands
Copy files
Copy required files to your project :
./gradlew copyCpp
./gradlew copyKotlin [-Ppackage=your.package.name]
Obfuscate
Create an obfuscated key and display it :
./gradlew obfuscate -Pkey=yourKeyToObfuscate [-Ppackage=com.your.package]
This command can be useful if you modify your app's package name based on buildTypes
configuration. With this command you can get the obfuscated key for a different package name and manually integrate it in another function in secrets.cpp
.
Development
Pull Requests are very welcome!
To get started, checkout the code and run ./gradlew build
to create the .jar
file in /build/libs/
.
Before opening a PR :
- make sure that you have tested your code carefully
-
./gradlew test
must succeed -
./gradlew detekt
must succeed to avoid any style issue
Authors
See the list of contributors who participated in this project.
License
Please see LICENSE