I have developed an android app that directly interacts with the MongoDB for insertion and fetching the data.
I have credentials stored inside a config file of android app that I read inside the app.
mongoDBConnection:
credentials:
username: "test"
password: "test"
database: "admin"
connectionString: "mongodb://localhost:27017"
The app works as expected when installed on a phone, the worry that I have is if I ship the app can anyone decompile the app and retrieve the credentials back?
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
I wanted to get inputs on before implementing the backend on whether a backend is required or is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
if I ship the app can anyone decompile the app and retrieve the credentials back?
Yes.
is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
No, this isn't possible. You can obfuscate them to make it harder, but it's impossible to prevent a sufficiently skilled/determined attacker from retrieving them if the app has them.
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
This is the only way to do this, and the correct solution.