"Light" keys protection proposition with Base64 in the jar produced #1112

@androidUserAgent

What?

In `org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper`, there are multiple keys like `ANDROID_YOUTUBE_KEY` or `HARDCODED_YOUTUBE_MUSIC_KEY` on the latest commit, aka 917554a.

The keys will be in the jar produced and then directly readable after decompilation of any Android app or any Java app using it.

Why?

The goal of this issue is not to hide the keys from the source code; we cannot do that.

👉 The goal is to "hide" them from any "robot" / "scraper" that may decompile apps and scan for Google's keys.

No solution will be perfect, but at least, with Base64, a "robot" will not directly be able to get them.

Proposition?

For every key in this `YoutubeParsingHelper`, instead of:

```java
private static final String ANDROID_YOUTUBE_KEY = "AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w";
```

Do:

```java
// Clear key: "AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w"
private static String ANDROID_YOUTUBE_KEY = decodeBase64(
    "QUl6YVN5QThlaVptTTFGYURWalJ5LWRmMktUeVFfdnpfeVlNMzl3"
);
```

with `decodeBase64` a static method that decodes Base64.


Thank you for this great library 🙏
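
A build-time audit of the proposal, as an added example that is not part of the original issue or of the project's code: it checks string constants for a Google-style API key both in clear and after one Base64 decode, a check some secret scanners also perform on encoded strings. The `decodeBase64` body, the class and method names, the key-shape regex, and the sample key and constants are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;

public class Base64KeyAudit {
    // Assumed key shape used by many scanners: "AIza" followed by 35 URL-safe characters.
    private static final Pattern KEY = Pattern.compile("AIza[0-9A-Za-z_-]{35}");
    // Candidate Base64 constants: long runs of the standard alphabet, optional padding.
    private static final Pattern B64 = Pattern.compile("[A-Za-z0-9+/]{20,}={0,2}");

    // The helper the proposal names but does not define (this body is an assumption).
    static String decodeBase64(String encoded) {
        return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    }

    // Reports every constant that holds a key, in clear or after one Base64 decode.
    static List<String> audit(List<String> constants) {
        List<String> findings = new ArrayList<>();
        for (String c : constants) {
            if (KEY.matcher(c).find()) {
                findings.add("plain: " + c);
            } else if (B64.matcher(c).matches()) {
                try {
                    if (KEY.matcher(decodeBase64(c)).find()) {
                        findings.add("base64: " + c);
                    }
                } catch (IllegalArgumentException notBase64) {
                    // Matched the alphabet but is not valid Base64; skip it.
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample key with the right shape; not a real credential.
        String key = "AIzaSyEXAMPLEconstructedKEY-0123456789_";
        String encoded = Base64.getEncoder()
                .encodeToString(key.getBytes(StandardCharsets.UTF_8));
        // Constructed stand-ins for string constants extracted from a built jar.
        List<String> constants =
                List.of(key, encoded, "https://www.youtube.com", "org.schabi.newpipe");
        audit(constants).forEach(System.out::println); // reports both key forms
    }
}
```

Both the plain and the encoded constant are reported, so a single decode pass is enough to undo the encoding for any tool that tries it.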

Labels: discussion (This needs to be discussed before anything is done)
