The Risk Vector
If a hacker gets your signing key, they can publish malware as an update to your app. If they get API keys, they steal your quota/data.
Environment Variables
Never commit .env files. Use the CI provider's "Secrets" vault (GitHub Secrets, Bitrise Secrets). Inject them as ENV vars.
Encoding Keystores
You can't paste binary files into text-only secret fields. Base64-encode your Android keystore (`base64 -i my.keystore` on macOS, `base64 -w0 my.keystore` on GNU/Linux), store the resulting string in CI secrets, and decode it back to a file during the build.
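The encode-locally / decode-in-CI round trip described above, as an added example that is not part of the original page. It assumes the secret is handed to the job as a plain string argument (e.g. from a `KEYSTORE_B64` secret), uses a constructed random-bytes file in place of a real keystore, and uses `base64 --decode`, which GNU and macOS both accept.

```shell
#!/usr/bin/env bash
# Added example: round-trip a binary keystore through a text-only CI secret.
set -eu

# Local step: turn the keystore into one line of base64 for the secret field.
# Reading stdin sidesteps the -i (macOS) vs. positional-file (GNU) difference;
# tr strips the 76-column wrapping GNU base64 adds.
encode_keystore() {
  base64 < "$1" | tr -d '\n'
}

# CI step: decode the secret into a file only the build user can read.
# Fails fast if the secret is missing or decodes to nothing, and never echoes
# the secret's value into the build log. Prints the output path on success.
decode_keystore() {
  b64="${1:?base64 keystore text required}"
  out="${2:?output path required}"
  (umask 077 && printf '%s' "$b64" | base64 --decode > "$out")
  if [ ! -s "$out" ]; then
    echo "keystore decoded to an empty file" >&2
    rm -f "$out"
    return 1
  fi
  printf '%s' "$out"
}

# Demo: encode a constructed stand-in keystore (random bytes, not a real
# JKS/PKCS12), decode it the way the CI job would, and byte-compare the two.
# Returns 0 when the decoded file is identical to the original.
demo_roundtrip() {
  work="$(mktemp -d)"
  head -c 2048 /dev/urandom > "$work/my.keystore"
  secret="$(encode_keystore "$work/my.keystore")"        # value pasted into CI
  decode_keystore "$secret" "$work/release.keystore" > /dev/null
  rc=0
  cmp -s "$work/my.keystore" "$work/release.keystore" || rc=1
  rm -rf "$work"   # do not leave the decoded keystore on the runner
  return "$rc"
}
```

In a real job, delete the decoded keystore after signing (or run the job on an ephemeral runner) so it does not outlive the build.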
Fastlane Match
For iOS, use match. It encrypts certs/profiles in a private repo using OpenSSL. The CI only needs the decryption password.
Injecting at Build Time
Use build config fields (Android) or Info.plist preprocessing (iOS) to read keys from ENV vars at compile time and bake them into the binary, so the values never live in the source tree.
Obfuscating Keys
Strings in the binary are readable. Use NDK (C++) to hide API keys, or tools like DexGuard. It makes reverse engineering harder (but not impossible).
Rotating Secrets
Have a plan. If a key leaks, you must be able to revoke it and push a new update immediately. Don't hardcode expiration dates.