Security for my access data

I’m using the following way in my Android code:


My question is how much to regain. Based on reverse engineering, could someone decompile my APK and get my security data (Client_ID and API_Key)?
Based on your experience, what is the best way to deal with it?

Hi @laelsonc! Have you read our Security Best Practices, especially the API Keys in Mobile Applications section?

We recommend that you:

  • Don’t hardcode the API Key (as indeed it could be recovered by decompiling), but rather download it at runtime.

    This ensures that your APK doesn’t contain your API Key.
    However, a motivated attacker could MITM your application to listen to the network requests and get your key. To avoid that, have a look at protection against MITM like certificate pinning!

  • Use Secured API key: to limit what a bad actor could do with the key, generate a Secured API Key with limited powers. You can restrict how long it can be used, by which user, from what IPs, on which index, which parameters can be used, etc: