Securing API Keys in Android Apps Using the NDK (Best Practices)

Mobile Development

22 September, 2025

Securing API Keys in Android Apps Using NDK
Suryaprakash Narsinghbhai Sharma

Suryaprakash Narsinghbhai Sharma

Sr Developer, Softices

Hardcoding API keys into Java/Kotlin or XML makes them trivially discoverable with simple tools (e.g., strings, apktool, jadx). For production apps, especially those that talk to paid APIs or access sensitive data, leaking keys can mean unexpected costs, account abuse, or data exposure.

If you’re wondering how to secure API key in Android app, one effective strategy is to leverage the Android Native Development Kit (NDK). By moving secrets into native .so libraries written in C/C++, you make extraction more difficult for attackers. While this doesn’t provide perfect protection, it does add an extra layer of security when combined with server-side validation and runtime checks.

Quick Overview of the Approach

  • Store keys in native (C/C++) code compiled to .so files.
  • Expose keys to Kotlin/Java via JNI (Java Native Interface).
  • Make static analysis harder by splitting and obfuscating keys in native code, and by avoiding any plaintext logging.
  • Always treat NDK storage as defense in depth, not the full solution.

This method is widely used by developers searching for android secure API key solutions or guides on how to store API keys securely Android.

Prerequisites

  • Android Studio installed (latest stable)
  • Android SDK + NDK + CMake installed (Go to File > Settings > SDK Manager > SDK Tools → install NDK and CMake)
  • Basic familiarity with C/C++
  • Basic knowledge of Android app development

Step-by-Step Guide: Storing API Keys with Android NDK

Step 1: Enable NDK and CMake in app/build.gradle 

android {
    defaultConfig {
      applicationId "com.example.securekeys"
      minSdkVersion 24
      targetSdkVersion 34
  
      ndk {
        abiFilters "armeabi-v7a", "arm64-v8a", "x86_64" // specify architectures
      }
    }
  
    externalNativeBuild {
      cmake {
        path "src/main/cpp/CMakeLists.txt"
      }
    }
  }

Step 2: Create C++ Source Folder

Create a folder:

app/src/main/cpp/

Inside it, create native-lib.cpp:

#include <jni.h>
  #include <string>
  
  extern "C" JNIEXPORT jstring JNICALL
  Java_com_example_securekeys_NativeKeys_getApiKey
  (JNIEnv* env, jobject /* this */) {
    std::string apiKey = "your-real-api-key"; 
  // replace with your API key
    return env->NewStringUTF(apiKey.c_str());
  }

Security tip: Don’t use a single plaintext string in production. See Security hardening below.

Step 3: Create CMake Build Script

Inside app/src/main/cpp/, create CMakeLists.txt:

cmake_minimum_required(VERSION 3.10.2)
  
  project("securekeys")
  
  add_library(
      native-lib
      SHARED
      native-lib.cpp
  )
  
  find_library(
      log-lib
      log
  )
  
  target_link_libraries(
      native-lib
      ${log-lib}
  )

Step 4: Create a Kotlin Bridge Class

In app/src/main/java/com/example/securekeys/NativeKeys.kt:

package com.example.securekeys
  
  object NativeKeys {
    init {
      System.loadLibrary("native-lib") // must match add_library in CMake
    }
  
    external fun getApiKey(): String
  }

Step 5: Use the Key in Code

val apiKey = NativeKeys.getApiKey()
  Log.d("API_KEY", "Key: $apiKey") // debug only, don’t log in production

Recommended Project Structure

app/
   ├── src/main/
   │  ├── java/com/example/securekeys/NativeKeys.kt
   │  ├── cpp/
   │  │  ├── CMakeLists.txt
   │  │  └── native-lib.cpp
   │  └── res/
   └── build.gradle

Security Hardening: Best Practices for Android API Key Security

To secure API keys in Android apps more effectively, apply these additional techniques. They help make extracting a key from .so files harder:

1. Key Splitting

Split the key into multiple non-obvious parts and join at runtime.

std::string part1 = "abc123";
  std::string part2 = "xyz789";
  std::string apiKey = part1 + part2;

This reduces detection via simple static string search.

2. Dynamic Obfuscation (Base64/XOR)

Store an encoded/encrypted token and decode/transform at runtime:

std::string encoded = "dGVzdEtleQ=="; // base64 of "testKey"
  std::string decoded = base64_decode(encoded); // implement decoder

Or XOR with a runtime-generated mask (avoid hardcoding mask directly).

3. Anti-Debug / Tamper Detection (Runtime Checks)

  • Detect known debuggers or rooting, and fail safely or require re-authentication.
  • Use Build.FINGERPRINT or package checksum validation to detect modified APKs.

4. ProGuard/R8 & Strip symbols

  • Obfuscate Kotlin/Java using R8.
  • Build release .so files with symbol stripping (-s link flag) and use strip tool to remove symbol names.

5. Use Runtime Token Exchange (Recommended)

Instead of shipping the real long-lived key, ship a short-lived token:

  • App authenticates to your backend (with device attestation, OAuth, or other proof).
  • Backend returns a short-lived API token tied to app+user.
  • This token is used for API calls; expiry limits damage if leaked.

This is a highly recommended method if you’re serious about securing API keys using Android NDK together with backend protections.

Backend Controls for Stronger Android API Key Security

To further strengthen android API key security:

  • Server-side validation: Enforce per-client authentication and origin checks on your backend.
  • Restrict API keys: Use API provider features (domain/package + SHA-256 signing keys, IP restrictions).
  • Rotate keys frequently: Maintain a rotation policy and remove unused keys.
  • Monitoring & alerts: Watch for spikes in usage or abnormal access patterns.
  • Use principle of least privilege: Keys should have minimal permissions.

Limitations of NDK in Securing API Keys

  • Native .so files can still be reverse-engineered with tools like Ghidra or IDA.
  • NDK protects against casual attackers, not advanced reverse engineers.
  • The best way how to secure API key in Android is to combine NDK with server-side validation and short-lived tokens.

Example: Securing Google Maps API Key in Android Apps 

val mapsApiKey = NativeKeys.getApiKey()
  mapView.getMapAsync {
    it.setMapStyle(MapStyleOptions.loadRawResourceStyle(this, R.raw.map_style))
    Log.d("Maps", "Using key: $mapsApiKey")
  }

Prefer server-side key usage where possible (e.g., proxy certain requests through your backend).

Final Thoughts on Securing API Keys Using Android NDK

If you’re searching for how to secure API key in Android app, using the NDK is a strong step toward better android API key security. By moving keys into native code, splitting and obfuscating them, and combining with runtime token exchange and backend validation, you make it much harder for attackers to steal secrets.

While no client-side solution is perfect, this layered approach: NDK + obfuscation + backend validation + monitoring is the most practical way to store API keys securely Android and maintain long-term secure API key Android practices.


Django

Previous

Django

Next

How to Scale RoR Applications: Lessons from Shopify and GitHub

scale-ruby-on-rails-shopify-github

Frequently Asked Questions (FAQs)

How to secure API key in Android app with NDK?

Store keys in C/C++ using NDK, access via JNI, and add obfuscation plus backend validation.

Use NDK for storage, split/obfuscate keys, and validate with short-lived tokens on your backend.

No. It raises difficulty but can be reverse-engineered. Combine with server-side checks and restrictions.

Use restricted keys tied to package + SHA, hide them with NDK, and enforce backend checks.

No. You can only make extraction harder. Best practice is NDK + backend-issued short-lived tokens.

Start a Project