I am developing an app and I have some credentials that I can use to save them in the assets folder, my question would be if a common user has access to that folder or is it safe to save the information there.
It helps me to save there because the app is a webview and from there I give it data.
let secret_client = ""; // PRIMERA INFO PRIVADA
let secret_token = ""; // SEGUNDA INFO PRIVADA
let url = ""; //
You can store the information inside
/assets
, but if this information is sensitive, this is not the place to be, as these values can be reverse engineered.Even nowadays if you want to upload an application to Google Play you can get a message like the following:
The correct thing in Android to hide sensitive information is to define this information within your file
gradle.properties
, example:and define the reference of these values inside the file
app/build.gradle
:When generating your project, the class will be generated
BuildConfig
that will contain the values and that you can assign to your application when compiling, and these cannot be obtained through reverse engineering.You can but it's unsafe.
Any information that you store in the project and is compiled could be accessible by a user that has root permissions .
If you want to prevent your application from being used by users who have root permissions, you can see this post or a similar one.
If you choose this path, it is much safer to put credentials in the app build.
However, there are strategies to ensure that your credentials are more difficult to obtain in the face of any attack.
I leave a couple of strategies
Mandatory Notice
No strategy ensures that your app is inaccessible / uncrackable. New security holes and new ways to obtain and hide sensitive data are being discovered all the time.
As a general rule, I think it is good, as far as possible, to be responsible with sensitive data and take measures to make it not so easy to obtain.