Hiding Android secrets in Github Actions

Photo by Gabriel Wasylko on Unsplash

I always wanted to look into how to make an open source Android project while hiding all the secrets from the source. And with the Burma election approaching and mVoter 2020 in development(Disclaimer : We’re unsure if the app will be released as of this moment), we finally got a chance to try this out. We decided that we are going to use Github as our repository since it’s now free for teams. Our requirements is simple; the code will be open source without all the secrets in it. So, how do we do it?

Properties

First of all, we have to keep our keystore configurations safe. We have a signingConfig setup in our build config but these credentials need to be hidden and never tracked in git.

The first thought that came into my mind was to put them in local.properties which is basically a properties file that should never be tracked and stay only on your local machine. We can quickly add these in properties as follows

In our app gradle file, we can pull these back into a property hash map

What we have to do next is to make sure our CI/CD (in this case Github runner) knows these secrets as well. We can’t track this properties file in our git, we have to find another way to keep it hidden. Turns out Github allows you to upload Secrets under settings. All we need to do is copy these properties into our repository’s secrets.

Creating and storing encrypted secrets
Encrypted secrets allow you to store sensitive information, such as access tokens, in your repository. GitHub Actions…

Workflow setup

Afterwards, we can reference these back in Github Action workflows.

In our current state, we have these secret values in our runner, but our approach parses the contents of local.properties, which is a file, and not a string value. Well, we can reconstruct this file easily through the use of echo command. Basically, what we are doing is printing out the properties and then appending the print output into the file. We can check the content of file with cat command afterwards to confirm it’s indeed in the structure we want. Don’t worry, Github will automatically hide these secrets for you, so nobody can see those secret key in the output log.

Key File

Wait a minute, we’re missing something. We have properties values in the property file but what about the keystore file itself? How about uploading the whole keystore file onto there, clearly Github doesn’t allow you to upload file as secrets. We started using Google-fu and ended up on this article.

Where to Store Android KeyStore File in CI/CD Cycle
Where to Store Android KeyStore File in CI/CD Cycle? How we can secure keystore file and credentials? What is Google…

Since we doesn’t have file servers and want a very simple way, we went with Approach #1, where we encode the file in base64 and upload this whole base64 hash onto Github secrets. Let’s name it RELEASE_KEYSTORE_BASE64. Afterwards, modifying the approach as echo above, we first decode the base 64 hash secrets and then we write that into the path specified.- run: touch $RELEASE_KEYSTORE_PATH
- run: echo $RELEASE_KEYSTORE_BASE64 | base64 --decode > $RELEASE_KEYSTORE_PATH

Then we got the same keystore file that was on our local machine onto our Github Actions Runner! 👏

Sharing the properties

We can share this config file through our private channels and write a short read me on how to set it up. If we need to integrate Firebase or Sentry along the line, we can use the same approach and parse it from local properties instead of hard coding our code and risk being tracked in git. Of course, this isn’t the most secured way, as the article stated above, you probably should use Google Play App Signing, which we plan to migrate to as well, but hey, this was a fun little experiment.


If you enjoy this article, follow our podcast for more contents. Me and a buddy of mine, Lin Min Phyo, are running the first ever Burmese Tech Podcast, named “Techshaw Cast”, where we talk about tech scenes in Burma, in our native Burmese language. If you haven’t already, gave us a subscribe! 😄

Techshaw
Take a ride through a Burmese tech scene made by Burmese, for Burmese. The ones who will be driving the Trishaws are…