Android Security

Rule 1: Never store secrets in source code or BuildConfig

// ❌ Never — committed to git, visible in APK
const val API_KEY = "sk-1234567890abcdef"
buildConfigField("String", "API_KEY", "\"sk-1234567890abcdef\"")

// ✅ Use local.properties (gitignored) + build script injection
// local.properties (never commit this file)
// API_KEY=sk-1234567890abcdef

// build.gradle.kts
val apiKey = gradleLocalProperties(rootDir, providers).getProperty("API_KEY") ?: ""
buildConfigField("String", "API_KEY", "\"$apiKey\"")