Hiding secret keys, credentials, and passwords from the GitLab repository
License and Copyright Notice
By submitting this issue or commenting on this issue, or contributing any content to this issue, you certify under the Developer Certificate of Origin that the content you post may be licensed under GPLv3 (for code) or CC-BY-SA 4.0 International (for non-code content).
Summary
Possible techniques for keeping the project's credentials hidden and not publicly exposed.
Current Behavior
While working on the database class, the password has to be constantly added to the codebase and then deleted when public commits are being made.
Benefits (Why is it necessary?)
Keeping the project's credentials hidden from public view helps keep data secure, such as the password to the database where sensitive information is stored.
Techniques
- Storing the secret variables in the gradle.properties file
  - View the project's directory in Project view instead of Android view.
  - Find the .gitignore file, add gradle.properties to it, and save. (Crucial to not display secrets in the GitLab repository)
  - Return to Android view and find the gradle.properties file.
  - Store the secret variables inside the file and save. Double quotes ("") are required.
      SECRET_PASSWORD="passwordgoeshere"
  - Find the build.gradle (Module) file and, inside the defaultConfig object, add the following:
      buildConfigField("String", "SECRET_PASSWORD", SECRET_PASSWORD)
  - The secret can now be used in any Java class with the following code:
      String PASSWORD = BuildConfig.SECRET_PASSWORD;
- Storing the secret variables in a created .properties file
  - View the project's directory in Project view instead of Android view.
  - Find the .gitignore file, add <files_name_here>.properties (e.g. credentials.properties) to it, and save. (Crucial to not display secrets in the GitLab repository)
  - Return to Android view and create a file with the same name as specified in the .gitignore file.
  - Store the secret variables inside the file and save. Double quotes ("") are required.
      SECRET_PASSWORD="passwordgoeshere"
  - Find the build.gradle (Module) file and, below the plugins, add the following:
      def credentialsPropertiesFile = rootProject.file("credentials.properties")
      def credentialsProperties = new Properties()
      credentialsProperties.load(new FileInputStream(credentialsPropertiesFile))
  - Inside the defaultConfig object, add the following:
      buildConfigField("String", "SECRET_PASSWORD", credentialsProperties["SECRET_PASSWORD"])
  - The secret can now be used in any Java class with the following code:
      String PASSWORD = BuildConfig.SECRET_PASSWORD;
- Creating a UI that asks for credentials instead of storing them in the application codebase.
  - Token APIs can be used for authentication.
  - The Android biometrics API can be used for authentication and quick access.
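A check that the .gitignore step in the first two techniques actually took effect, as an added example that is not part of the original issue; the helper name check_secret_file and its return codes are assumptions made here, while the git subcommands are standard ones. It also looks at past commits, because adding a path to .gitignore neither untracks a file that is already committed nor removes it from history.

```sh
#!/bin/sh
# Added example (not from the original issue): confirm that a secrets file
# such as credentials.properties is really kept out of the Git repository.
# check_secret_file is a hypothetical helper name.
#
# Usage:   check_secret_file <repo-dir> <path-relative-to-repo>
# Returns: 0 = ignored, untracked, never committed
#          1 = no ignore rule matches the path
#          2 = the file is tracked (ignore rules do not apply to tracked files)
#          3 = the file appears in commit history
check_secret_file() {
    repo=$1
    file=$2

    # Tracked files are not affected by .gitignore, so test this first.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "FAIL: $file is tracked; run: git rm --cached $file" >&2
        return 2
    fi

    # The path must match a rule in .gitignore (or another exclude source).
    if ! git -C "$repo" check-ignore -q -- "$file"; then
        echo "FAIL: $file is not ignored; add it to .gitignore" >&2
        return 1
    fi

    # Any commit on any ref that touched the path still exposes its contents.
    hits=$(git -C "$repo" log --all --format=%h -- "$file" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "FAIL: $file was committed in: $(echo $hits)" >&2
        echo "      rotate the password; old commits still contain it" >&2
        return 3
    fi

    echo "OK: $file is ignored, untracked and absent from history"
    return 0
}

# Run the check when the script is called with arguments, e.g.
#   sh check_secret.sh . credentials.properties
if [ "$#" -ge 2 ]; then
    check_secret_file "$1" "$2"
fi
```

A result of 3 means the password is still readable in old commits and should be changed. Values passed to buildConfigField are compiled into the app, so these techniques keep the secret out of the repository, not out of the built APK.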
Relevant Logs
https://richardroseblog.wordpress.com/2016/05/29/hiding-secret-api-keys-from-git/
https://guides.codepath.com/android/Storing-Secret-Keys-in-Android