Fabric for Open Source Android

So you’re thinking of working on an Android application that will be open source or you join a codebase that’s open source. There are many things to keep in mind when you’re working on an open source project. Here at Kickstarter we don’t have that many external dependencies in our Android application, but for the ones we have we need to keep our credentials secret from the public.

We recently added Crashlytics, a kit available through Fabric, to our app so we can receive better crash reporting and track real-time analytics. The process for adding Crashlytics to your Android application is very straight forward but in our case it required a couple extra steps.

Integrating Fabric

In order to integrate Fabric into our Android application you will need to add the proper gradle dependencies. After you add the dependencies, there are two ways to add the apiKey so that the SDK can read it.

Method one

You can add the key to your Android Manifest which looks like this:

<application android:label="@string/app_name">
    <activity android:name="MyActivity"
        android:label="@string/app_name">
    </activity>

    <meta-data android:name="com.crashlytics.ApiKey" 
               android:value="YOUR_API_KEY"/>
</application>

Method two

Fabric creates a fabric.properties when the app is done compiling. In advance of that we can create our own fabric.properties file in the app directory of the project and store our apiKey and apiSecret there like this:

apiKey=your_fabric_api_key
apiSecret=your_fabric_api_secret

Once you add all the necessary Fabric code to your application class the app should build successfully and Crashlytics should be enabled. Everything works so we should be good, right? WRONG!

Just because we’re open source doesn’t mean our credentials should be, too! We should focus on making sure the app successfully builds when people want to contribute to it while hiding our credentials.

Working with secrets

In our project we need to create a fabric.properties.example file. Our Ruby script will copy the mock apiKey value into this file from the fabric.properties file that we’re going to generate with our gradle script.

# Copy crashlytics over. Fallback to examples if they don't exist
 cp secrets/android/fabric.properties app/fabric.properties || cp config/fabric.properties.example app/fabric.properties

Since our open source contributors do not have access to our secret repo we will default them to the example file and copy this value below.

apiKey=0

Now the Fabric SDK will read this value and compile so that they can build the app without this dreadful error:

ERROR - Crashlytics Developer Tools error.
java.lang.IllegalArgumentException: Crashlytics found an invalid API key: null.

Lastly we need to add this script to our gradle file to generate this fabric.properties if it doesn’t exist.

afterEvaluate {
    buildFabricPropertiesIfNeeded()
}

/**
 *
 * build fabric properties file, if missing
 */
def buildFabricPropertiesIfNeeded() {
    def propertiesFile = file("fabric.properties")
    if (!propertiesFile.exists()) {
        def commentMessage = "This is autogenerated crashlytics property from system environment to prevent key to be committed to source control."
        ant.propertyfile(file: "fabric.properties", comment: commentMessage) {
            entry(key: "apiSecret", value: System.getenv('apiSecret'))
            entry(key: "apiKey", value: System.getenv('apiKey'))
        }
    }
}

That’s it! Now when open source contributors clone our project and build it they will be able to run it successfully without issue and our Fabric credentials aren’t exposed to the world so that people can create thousands of fake crashes 🙃.