What is the best way to hide Crashlytics key?

deobfuscate firebase crashlytics
firebase crashlytics license
crashlytics not working
crashlytics support
crashlytics breadcrumbs
crashlytics anr
crashlytics console
crashlytics force crash

I put my crashlytics key in xml and I got this error:

Error:Execution failed for task ':app:fabricGenerateResourcesDebug'.

Crashlytics Developer Tools error.

The following is my intended code in AndroidManifest.xml.

    android:value="@string/crashlytics_key" />

What is the best way to hide it?

Place your API key in local.properties.


In your build.gradle, add this Groovy method:

def getLocalProperty(String propertyName) {
    def propsFile = rootProject.file('local.properties')
    if (propsFile.exists()) {
        def props = new Properties()
        props.load(new FileInputStream(propsFile))
        return props[propertyName]
    } else {
        return ""

And then add a manifest placeholder, for example:

android {
    defaultConfig {
        manifestPlaceholders = [crashlytics:getLocalProperty("crashlytics.key")]

In your manifest, you can now access the API key as an injected variable with the following syntax:


You might need to tweak this code to get it to work for your needs, but this should be enough to get you started. And make sure to add local.properties to your .gitignore (if it isn't already!) Hope that helps.

What is the best way to hide Crashlytics key? I put my crashlytics key , Place your API key in local.properties. crashlytics.key=api_key_here. In your build.gradle, add this Groovy method: def getLocalProperty(String propertyName)​  We would like to show you a description here but the site won’t allow us.

There is no need to do it in a such complex way as in accepted answer.

According to the official docs, you can simply remove your API key from Manifest and put to fabric.properties file, where your secret already lies in a next form:


And that is it. Fabric plugin (or Gradle task) will automatically do all the needed work inside the hood.

P.s. Don't forget to keep your fabric.properties file outside of your Version Control System

Customize your Firebase Crashlytics crash reports, Place your API key in local.properties. crashlytics.key=api_key_here. In your build.gradle, add this Groovy method: def getLocalProperty(String propertyName)​  QR Code Private Keys. Another impressive way of storing your private keys is in an art piece. CryptoArt.com makes art masterpieces that have QR code of Bitcoin public address on the front and private keys on the back under a secure sticker. See this video to understand more about it.

Well placing both keys to fabric.properties didn't work for me and fabric could not found api key there and wanted, me to put it in Manifest. Then I discovered this solution:

Place io.fabric.ApiKey=676897890789790... to your local.properties

To AndroidManifest add this:

            android:value="@string/fabric_api_key" />

Then in app module build.gradle

Properties properties = new Properties()
def fabricApiKey = properties.getProperty('io.fabric.ApiKey')
if (fabricApiKey == null) fabricApiKey = "Place io.fabric.ApiKey to local.properties"

then in defaultConfig closure:

defaultConfig {
         resValue "string", "fabric_api_key", fabricApiKey

This way you can hide also google maps key from source control for open source projects and still keep application buildable for continuous integration or people wanting to try it out...

How to hide private API keys in an open source project · [indistinct , Each key/value pair can be up to 1 kB in size. Use the setCustomValue method to set key/value pairs. For example: Swift  Firebase Crashlytics is a crash reporter that helps you track, prioritize, and fix stability issues that erode app quality, in realtime. Spend less time triaging and troubleshooting crashes and more time building app features that delight users.

Bulletproof Android: Practical Advice for Building Secure Apps, How to hide private API keys in an open source project GitHub, I ran across an interesting problem when I decided to integrate Crashlytics. One of the most fool-proof ways to hide your keys is to give a copy to a trusted neighbor, family member, or friend who lives nearby. If that isn't possible, you can hide your spare key on the collar of your backyard dog or underneath a planter or door mat—but on a neighbor's front porch, not yours.

Firebase Crashlytics, builds and you, See Regulatory compliance Component vulnerability, OWASP Top 10 risks, 147 27 Crashlytics app, installing, 157–159 credentials.xml file, 52 Critercism app, the encryption key, 119 hiding encryption keys by using devicespecific keys,  You can replicate USB key using any memory dumping. Case you go ahead and try to check users online users by given key id, then you may patch also network. There's no true way to protect code. The best way to do it, is to dissapoint people trying to crack it, and making a renewal of the system in a regular basis.

Keep your keys outside Manifest and Gradle - Elye, Let's explore how to do this on iOS and Android. You can turn off automatic collection with a new key to your Info.plist file: To disable Crashlytics in debug builds, you can make use of the BuildConfig. Firebase gives you the tools and infrastructure to build better apps and grow successful businesses. Place a spare key in a small ziplock bag (to protect from the elements and corrosion) and hide it under a larger rock or pavers stone, step stone, etc. somewhere in the back yard. If you have an out-building or shed, there will be a multitude of hiding places inside.

  • Why are you trying to hide keys from a repository? If you can't trust the developers who have access to your code, you're going to have a lot bigger problems than just them having the key. And if you are worried about a disgruntled employee in the future, you can just refresh the API key as needed.
  • it's a public repo
  • Ah, makes sense. Why not just have a dummy key on the repo then (and clarify it in the readme)?
  • but, that means every time I want to commit, I need to remember myself to replace my api key with the dummy one. If I put it in another file, I can just put that file in .gitignore and I can continue developing as usual.
  • This should work then: developer.android.com/studio/build/… -- You can pull the variable from a file like local.properies (with Groovy) that isn't commited and then inject it into the manifest