Where should I store my tokens in Android?

Question

在我的应用程序中，我将令牌存储在string.xml中 ，以访问Web服务，但是现在我想在没有令牌值的情况下提交它（Github）。

Answer 1

You seem to be focused on the version control issue. If having that token in res/values/strings.xml is working for you, then you can put the token value in gradle.properties (eg, as WEB_SERVICE_TOKEN ), and the generate the corresponding string resource from Gradle using resValue :

android {
  defaultConfig {
    resValue "string", "whatever_your_string_resource_is_called", WEB_SERVICE_TOKEN
  }
}

This will create a string resource named whatever_your_string_resource_is_called , containing the value you gave WEB_SERVICE_TOKEN in gradle.properties . Then, exclude gradle.properties from your version control system (eg, via .gitignore ).

The bigger issue is: should your Web service token actually be in your APK? After all, you are leaking that token to anyone who wants to get it . Depending upon the nature of your app and the nature of this Web service that you are trying to access, you might try alternatives to using a string resource, such as:

• Not using the Web service from the app, but rather from your own Web service (eg, one that the user has to log into)

• Using the Web service from the app, but securely downloading the token and storing it on internal storage (so only those who root their devices can get the token)