android - Hide sensitive data inside application

Question

I am using retrofit request:

@Headers("Authorization: Basic: UsernamePassword")
@POST("services/2/something/something")
fun createPlan(@Body planData: PlanInfo): Call<Plan>

In my header I requred to send usrname and password and string in Base64 encode. But it not so hard to decode if decomiling the app. So I refered to manual: https://medium.com/novumlogic/hiding-sensitive-data-in-android-app-dbd64e88224f for hiding sensitive data in android app.

But now when I use data from constant like so:

@Headers("Authorization: "+ConstantsEncrypted.usernamePassword())
@POST("services/2/something/something")
fun createPlan(@Body planData: PlanInfo): Call<Plan>

I get an error: An annotation argument must be a compile-time constant.

So how can I hide this sensitive data properly?

question from:https://stackoverflow.com/questions/65902204/hide-sensitive-data-inside-application

Answer 1

You cannot do that using the annotation method. Here's how I have done it in my projects.

class Authenticator : Authenticator {

    override fun authenticate(route: Route?, response: Response): Request? {

        return response.request().newBuilder()
            .header("Authorization", ConstantsEncrypted.usernamePassword()).build()
    }

}

And don't forget to add it to your OkHttpClient.Builder() instance using authenticator(Authenticator()) something like below:

OkHttpClient.Builder().apply {
    writeTimeout(120, TimeUnit.SECONDS)
    readTimeout(120, TimeUnit.SECONDS)
    connectTimeout(120, TimeUnit.SECONDS)
    callTimeout(120, TimeUnit.SECONDS)
    // your code
    // this is where you add your authenticator
    authenticator(Authenticator())
    // more code 
}.build()

The Authenticator is from package okhttp3. You can find more info on class here.