Any suggestions for hiding an API key on Android Kotlin?
# android
w
Any suggestions for hiding an API key on Android Kotlin?
not kotlin but kotlin colored 3
p
Firebase App Check.
c
Anything that ships with your app is essentially public. You can obfuscate it and add layers of difficulty, but you can't 100% "hide" it.
👆 2
👍 3
p
The best alternative I have seen is the above-mentioned service. In fact, that solution doesn't ship the secrets with the app; instead you get them at runtime from an endpoint that only accepts requests coming from your app. But yeah, either Google Play Services or Apple DeviceCheck integration is needed.
j
You can do the check yourself, though, by verifying the APK signature hash at runtime and using it as a private client key, which would solve the server trusting the client.
🆗 2
If it's exposed, you can change the signing cert in the Play Console too.
You also need to avoid any communication on rooted devices, though, and set the network config to only trust system certificates.
👆 1
j
Why hide an API key? It's not a security feature.
j
One scenario I can think of: assume you want to communicate only with trusted client devices, e.g. to reduce bots scraping your API. How do you trust your client? Usually you can solve that by having a user log in. But what about use cases where you want the user to log in later in your business flow?
c
You can't ever fully trust the client.
b
Via Wireshark, the API key can still be stolen 🤣
j
No, it isn't, unless your phone is rooted.
b
Actually, I have stolen a key from an application applying the mechanisms above 🤣
j
Wireshark would break the SSL trust chain. The handshake would fail, assuming your app has been configured using a network connection configuration to only trust system certificates.
b
Getting the runtime key is not too easy, but there are tools that can get it with one command.
By RE-ing the app to check whether it uses any encryption algorithm.
c
No, it isn't, unless your phone is rooted
Incorrect.
Getting around the system certificate thing that Android started in, like, Android 9 is like one command via the terminal.
u
If rooted with Magisk, one can install custom CA certs as system certs, and therefore one can use Charles/mitmproxy/Wireshark with ease. A "slightly better" approach is to use SSL pinning and configure your app to only trust your own cert when it comes to calling endpoints you control. Though, this can still be bypassed using Frida. Long story short, you can't really ever fully trust your clients unless you also fully control their execution environment, which in the case of an app is pretty hard to do.
✅ 1
mind blown 1
p
But can't you detect that the phone is rooted with Magisk and just close the app?
c
The "getting around the system cert thing" does not require root either.
u
No. Magisk is able to hide itself pretty well; requiring hardware attestation from the Play Integrity APIs is pretty much the only way to verify that you're running on unmodified devices, but those are not supposed to be used as "root checks" (it doesn't have to be Magisk to do these things either). Also, plenty of people who run rooted do so for the modifications that it allows (I personally hide the nav gesture pill), so simply preventing people from using your app because they are rooted but don't have malicious intent is quite annoying. You are supposed to use the integrity APIs and user behavior to create a threat profile, which you then use to determine how to handle requests from that particular user/device. If your application/service/whatever is designed correctly, it shouldn't truly matter if your app runs on a rooted device or not, because you use many layers of appropriate risk mitigation for how secure you need it to be.
j
Well said. Just because someone's phone is rooted doesn't mean they are malicious.
p
I got you, so what about the Google Services solution? I believe it is the most decent one on the market.
j
TIL 😳 Thanks for sharing that info.