Protecting Your Android Project: Best Practices for Hiding API Keys on GitHub
In today's interconnected world, integrating APIs into your Android projects has become almost inevitable. Whether you're building a weather app, a social media aggregator, or a finance tracker, APIs provide powerful functionality that can take your app to the next level. However, there's a critical security concern that often arises when working with APIs: how to keep your API keys safe.
API keys act as credentials that authenticate your app when accessing an API. They grant permission to use the services provided by the API and are crucial for the proper functioning of your application. However, if these keys fall into the wrong hands, they can be exploited for malicious purposes, leading to data breaches, unauthorized access, and potentially severe consequences for your users and your reputation as a developer.
GitHub is a popular platform for hosting code repositories and collaborating on projects. While it's an excellent tool for teamwork and open-source development, it's essential to be mindful of security risks, especially when dealing with sensitive information like API keys. Fortunately, there are several best practices you can follow to protect your API keys in an Android project on GitHub.
1. Use Environment Variables
One of the most effective ways to hide API keys is by storing them as environment variables. Environment variables are values that are set outside of the code and are accessible to the application at runtime. By using environment variables, you can keep your API keys out of your codebase entirely, preventing them from being accidentally exposed or leaked.
In an Android project, a common variant of this is to keep the API key in a local properties file that is not committed, and have the build configuration file (build.gradle) read it at build time. Here's an example of how you can do this:
Create a "local.properties" file in your project's root directory. There, add a new item named API_KEY where you will declare your API key.
API_KEY = "YOUR_API_KEY_HERE"
Update your build.gradle.kts file (usually located in app/build.gradle.kts) to read the API key from local.properties, and then sync the project. Once the sync is complete, rebuild the project.
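import java.util.Properties

// Load local.properties from the project root, if it exists.
val localProperties = Properties()
val localPropertiesFile = rootProject.file("local.properties")
if (localPropertiesFile.exists()) {
    localPropertiesFile.inputStream().use {
        localProperties.load(it)
    }
}

android {
    ...
    defaultConfig {
        ...
        // The value must be a quoted string literal; the quotes come from local.properties.
        buildConfigField(
            type = "String",
            name = "API_KEY",
            value = localProperties["API_KEY"].toString()
        )
    }
    buildFeatures {
        // Generate the BuildConfig class.
        buildConfig = true
    }
    ...
}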
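After rebuilding the project, a BuildConfig class will be generated containing the API key. Now you can access the API key in your code using BuildConfig. Note that the key is compiled into the app, so this keeps it out of your GitHub repository but not out of the APK you distribute.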
object ApiConstant {
    const val api_key = BuildConfig.API_KEY
}
2. Use a Secret Management Tool
Consider using a dedicated secret management tool to securely store and manage your API keys. These tools offer features like encryption, access control, and audit trails to ensure that sensitive information remains protected. Some popular options include HashiCorp Vault, AWS Secrets Manager, and Google Cloud Secret Manager.
These tools provide APIs and SDKs that allow your application to retrieve the API keys securely at runtime without exposing them in your codebase. Integrating a secret management tool adds an extra layer of security and flexibility to your application's architecture.
3. Encrypt Your API Keys
Another approach to safeguarding your API keys is to encrypt them before committing them to your GitHub repository. You can use encryption algorithms like AES or RSA to encrypt the keys and then decrypt them in your application code at runtime.
However, managing encryption keys securely can be complex and requires careful consideration. Ensure that the encryption keys are stored separately from the encrypted data and are accessible only to authorized users or systems.
4. Add API Keys to .gitignore
As a basic precaution, add files containing API keys, such as the local.properties file used above, to your project's .gitignore file to prevent them from being accidentally committed to your GitHub repository. This approach is simple but relies on developers remembering to exclude sensitive files manually.
5. Review Code Before Committing
Before committing any changes to your GitHub repository, review your code carefully to ensure that you haven't inadvertently included any API keys or sensitive information. Incorporate code review practices into your development workflow to catch potential security issues early.
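A check that automates the two practices above (keeping key files out of Git and reviewing changes before committing), as an added example that is not part of the original article: it parses `git diff --cached` output and reports a staged local.properties file and any credential-like name assigned a string literal. The function name, the file list, the pattern and the sample diff are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption for this example: files that must stay untracked; extend as needed.
SECRET_FILES = {"local.properties"}
# A credential-like name assigned a quoted literal of 12 or more characters.
KEY_LITERAL = re.compile(
    r'\b(\w*(?:key|secret|token)\w*)\s*[=:]\s*"([^"]{12,})"', re.IGNORECASE)

def scan_staged_diff(diff_text):
    """Return (path, new_line_no, reason) findings for `git diff --cached` output."""
    findings, path, in_hunk, line_no = [], None, False, 0
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:].strip()
            path = target[2:] if target.startswith("b/") else None
            if path and PurePosixPath(path).name in SECRET_FILES:
                findings.append((path, 0, "file belongs in .gitignore"))
        elif line.startswith("@@"):
            in_hunk = True
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", line).group(1))
        elif in_hunk and path and line.startswith("+"):
            hit = KEY_LITERAL.search(line[1:])
            if hit:
                findings.append((path, line_no, f"literal assigned to {hit.group(1)}"))
            line_no += 1
        elif in_hunk and line.startswith(" "):
            line_no += 1  # context line: present in the new file, not scanned
    return findings

# Constructed sample diff (not from a real repository); key values are fake.
SAMPLE_DIFF = """\
diff --git a/local.properties b/local.properties
--- /dev/null
+++ b/local.properties
@@ -0,0 +1,2 @@
+sdk.dir=/opt/android-sdk
+API_KEY = "CONSTRUCTED-SAMPLE-KEY-0001"
diff --git a/app/src/main/java/ApiConstant.kt b/app/src/main/java/ApiConstant.kt
--- a/app/src/main/java/ApiConstant.kt
+++ b/app/src/main/java/ApiConstant.kt
@@ -1,2 +1,4 @@
 object ApiConstant {
+    const val api_key = BuildConfig.API_KEY
+    const val maps_key = "CONSTRUCTED-SAMPLE-KEY-0002"
 }
"""
```

Run from a pre-commit hook, a non-empty result from `scan_staged_diff` on the staged diff is the signal to stop the commit; the reference to `BuildConfig.API_KEY` passes because no literal is assigned.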
Conclusion
Protecting API keys in an Android project on GitHub requires a proactive approach to security. By using techniques like storing keys as environment variables, leveraging secret management tools, encrypting sensitive data, and following best practices for code management, you can significantly reduce the risk of unauthorized access and data breaches.
Remember that security is an ongoing process, and it's essential to stay vigilant and adapt to emerging threats. By prioritizing security from the outset and integrating it into your development practices, you can build robust and resilient Android applications that safeguard your users' data and privacy.