diff --git a/nix/scripts/build.sh b/nix/scripts/build.sh
index 16777841c0..57e8d8d4e2 100755
--- a/nix/scripts/build.sh
+++ b/nix/scripts/build.sh
@@ -49,19 +49,12 @@ nixOpts=(
 "--fallback"
 "--no-out-link"
 "--show-trace"
- "--attr ${targetAttr}"
- "${@}"
+ "--attr" "${targetAttr}"
 )
-# This variable allows specifying which env vars to keep for Nix pure shell.
-# The separator is a colon
-if [[ -n "${_NIX_KEEP}" ]]; then
- nixOpts+=("--keep ${_NIX_KEEP//,/ --keep }")
-fi
-
 # Run the actual build
-echo "Running: nix-build ${nixOpts[@]} default.nix"
-nixResultPath=$(nix-build ${nixOpts[@]} default.nix)
+echo "Running: nix-build "${nixOpts[@]}" "${@}" default.nix"
+nixResultPath=$(nix-build "${nixOpts[@]}" "${@}" default.nix)
 echo "Extracting result: ${nixResultPath}"
 extractResults "${nixResultPath}"
diff --git a/nix/scripts/shell.sh b/nix/scripts/shell.sh
index a62fbdddee..20dc15712c 100755
--- a/nix/scripts/shell.sh
+++ b/nix/scripts/shell.sh
@@ -18,12 +18,12 @@ source "${GIT_ROOT}/nix/scripts/source.sh"
 export TERM=xterm # fix for colors
 shift # we remove the first -c from arguments
-shellArgs=(
+nixArgs=(
 "--show-trace"
 )
 if [[ -n "${TARGET}" ]]; then
- shellArgs+=("--argstr target ${TARGET}")
+ nixArgs+=("--argstr target ${TARGET}")
 else
 echo -e "${YLW}Env is missing TARGET, assuming default target.${RST} See nix/README.md for more details." 1>&2
 fi
@@ -32,7 +32,7 @@ if [[ "$TARGET" =~ (linux|windows|darwin|macos) ]]; then
 # This is a dirty workaround because 'yarn install' is an impure operation,
 # so we need to call it from an impure shell.
 # Hopefully we'll be able to fix this later on with something like yarn2nix
- nix-shell ${shellArgs[@]} --run "scripts/prepare-for-desktop-platform.sh" || exit
+ nix-shell ${nixArgs[@]} --run "scripts/prepare-for-desktop-platform.sh" || exit
 fi
 config=''
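Review bot: In nix/scripts/build.sh the new `echo "Running: nix-build "${nixOpts[@]}" "${@}" default.nix"` line closes and reopens its double quotes around each expansion, so `${nixOpts[@]}` and `${@}` are in fact unquoted and get word-split and glob-expanded before printing. The logged command can therefore differ from the one the next line runs. `printf 'Running: nix-build %s default.nix\n' "${nixOpts[*]} ${*}"` keeps it one quoted string. Because this line writes every caller-supplied argument to the build log, callers should keep handing over secrets by file path, as the release script in this commit does, and never by value.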
@@ -45,13 +45,13 @@ fi
 config+="status-im.build-type=\"${BUILD_TYPE}\";"
 if [ -n "$config" ]; then
- shellArgs+=("--arg config {$config}")
+ nixArgs+=("--arg config {$config}")
 fi
 # if _NIX_ATTR is specified we shouldn't use shell.nix, the path will be different
 entryPoint="shell.nix"
 if [ -n "${_NIX_ATTR}" ]; then
- shellArgs+=("--attr ${_NIX_ATTR}")
+ nixArgs+=("--attr ${_NIX_ATTR}")
 entryPoint="default.nix"
 fi
@@ -59,18 +59,18 @@ fi
 # It is just a special string, not a variable, and a marker to not use `--run`.
 if [[ $@ == "ENTER_NIX_SHELL" ]]; then
 echo -e "${GRN}Configuring ${_NIX_ATTR:-default} Nix shell for target '${TARGET:-default}'...${RST}" 1>&2
- exec nix-shell ${shellArgs[@]} ${entryPoint}
+ exec nix-shell ${nixArgs[@]} ${entryPoint}
 else
 # Not all builds are ready to be run in a pure environment
 if [[ -n "${_NIX_PURE}" ]]; then
- shellArgs+=("--pure")
+ nixArgs+=("--pure")
 pureDesc='pure '
 fi
 # This variable allows specifying which env vars to keep for Nix pure shell
 # The separator is a colon
 if [[ -n "${_NIX_KEEP}" ]]; then
- shellArgs+=("--keep ${_NIX_KEEP//,/ --keep }")
+ nixArgs+=("--keep ${_NIX_KEEP//,/ --keep }")
 fi
 echo -e "${GRN}Configuring ${pureDesc}${_NIX_ATTR:-default} Nix shell for target '${TARGET}'...${RST}" 1>&2
- exec nix-shell ${shellArgs[@]} --run "$@" ${entryPoint}
+ exec nix-shell ${nixArgs[@]} --run "$@" ${entryPoint}
 fi
diff --git a/scripts/generate-keystore.sh b/scripts/generate-keystore.sh
index 775d80e3d7..a399eabc4f 100755
--- a/scripts/generate-keystore.sh
+++ b/scripts/generate-keystore.sh
@@ -9,19 +9,25 @@ function property() {
 grep "${2}" "${1}" | cut -d'=' -f2
 }
-function property_gradle() {
+function gradle_property() {
 property ${GIT_ROOT}/android/gradle.properties ${1}
 }
-KEYSTORE_PASSWORD=$(property_gradle 'KEYSTORE_PASSWORD')
-KEYSTORE_ALIAS=$(property_gradle 'KEYSTORE_ALIAS')
-KEYSTORE_KEY_PASSWORD=$(property_gradle 'KEYSTORE_KEY_PASSWORD')
+function env_var_or_gradle_prop() {
+ VAR_NAME="${1}"
+ if [[ -n "${!VAR_NAME}" ]]; then
+ echo "${!VAR_NAME}"
+ else
+ gradle_property "${VAR_NAME}"
+ fi
+}
-# Allow Makefile modify Keystore path if necessary
-if [[ -z ${KEYSTORE_PATH} ]]; then
- KEYSTORE_PATH=$(property_gradle 'KEYSTORE_FILE')
-fi
-# Replace ~ with proper absolute path
+KEYSTORE_PASSWORD=$(env_var_or_gradle_prop 'KEYSTORE_PASSWORD')
+KEYSTORE_ALIAS=$(env_var_or_gradle_prop 'KEYSTORE_ALIAS')
+KEYSTORE_KEY_PASSWORD=$(env_var_or_gradle_prop 'KEYSTORE_KEY_PASSWORD')
+KEYSTORE_PATH=$(env_var_or_gradle_prop 'KEYSTORE_PATH')
+
+# Use absolute path for Keystore
 KEYSTORE_PATH=${KEYSTORE_PATH/#\~/$HOME}
 if [[ -e "${KEYSTORE_PATH}" ]]; then
@@ -30,7 +36,7 @@ if [[ -e "${KEYSTORE_PATH}" ]]; then
 exit 0
 fi
-KEYSTORE_DIR=$(dirname "${S/TATUS_RELEASE_STORE_FILE}")
+KEYSTORE_DIR=$(dirname "${KEYSTORE_PATH}")
 [[ -d $KEYSTORE_DIR ]] || mkdir -p $KEYSTORE_DIR
 echo -e "${GRN}Generating keystore...${RST}" > /dev/stderr
diff --git a/scripts/release-android.sh b/scripts/release-android.sh
index d26dca5dd8..bac4f7c54a 100755
--- a/scripts/release-android.sh
+++ b/scripts/release-android.sh
@@ -16,6 +16,13 @@ function must_get_env() {
 exit 1
 }
+function append_env_export() {
+ ENV_VAR_NAME=${1}
+ if [[ -n "${!ENV_VAR_NAME}" ]]; then
+ echo "export ${ENV_VAR_NAME}=\"${!ENV_VAR_NAME}\";" >> "${SECRETS_FILE_PATH}"
+ fi
+}
+
 config=''
 if [ -n "${STATUS_GO_SRC_OVERRIDE}" ]; then
 config+="status-im.status-go.src-override=\"${STATUS_GO_SRC_OVERRIDE}\";"
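Review bot: In scripts/generate-keystore.sh the keystore path fallback now looks up `KEYSTORE_PATH` in android/gradle.properties, whereas the removed code read the `KEYSTORE_FILE` key. Unless that property was renamed in a file not shown here, an unset environment variable now yields an empty path, and the later `dirname "${KEYSTORE_PATH}"` resolves to `.`. A guard right after the four assignments, e.g. `[[ -n "${KEYSTORE_PATH}" ]] || { echo "KEYSTORE_PATH is not set" >&2; exit 1; }`, would fail early instead. In `env_var_or_gradle_prop`, `VAR_NAME` should be declared `local`, and `gradle_property` should quote its arguments: `property "${GIT_ROOT}/android/gradle.properties" "${1}"`.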
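Review bot: `append_env_export` in scripts/release-android.sh writes the secret between literal double quotes, so a password containing `"`, `$`, a backtick or a backslash is altered or evaluated as shell code when the secrets file is later sourced. Emitting it shell-quoted avoids that: `printf 'export %s=%q\n' "${ENV_VAR_NAME}" "${!ENV_VAR_NAME}" >> "${SECRETS_FILE_PATH}"`, assuming the consumer is bash, which this hunk does not show. `ENV_VAR_NAME` should also be `local`. The function silently skips unset variables, so a missing KEYSTORE_PASSWORD only surfaces later in the build.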
@@ -26,9 +33,17 @@ fi
 config+="status-im.build-type=\"$(must_get_env BUILD_TYPE)\";"
 config+="status-im.status-react.build-number=\"$(must_get_env BUILD_NUMBER)\";"
 config+="status-im.status-react.keystore-file=\"$(must_get_env KEYSTORE_PATH)\";"
-nixOpts=(
- "--arg config {${config}}"
- "--arg env {BUILD_ENV=\"${BUILD_ENV}\";ANDROID_ABI_SPLIT=\"${ANDROID_ABI_SPLIT}\";ANDROID_ABI_INCLUDE=\"${ANDROID_ABI_INCLUDE}\";}"
+nixOpts=()
+
+# Secrets like this can't be passed via args or they end up in derivation
+SECRETS_FILE_PATH=$(mktemp)
+chmod 644 ${SECRETS_FILE_PATH}
+trap "rm -f ${SECRETS_FILE_PATH}" EXIT
+append_env_export 'KEYSTORE_PASSWORD'
+append_env_export 'KEYSTORE_ALIAS'
+append_env_export 'KEYSTORE_KEY_PASSWORD'
+nixOpts+=(
+ "--argstr" "secrets-file" "${SECRETS_FILE_PATH}"
 )
 if [[ "$OS" =~ Darwin ]]; then
@@ -37,13 +52,19 @@ if [[ "$OS" =~ Darwin ]]; then
 # we start an ad-hoc nix-shell that imports the packages from nix/nixpkgs-bootstrap.
 WATCHMAN_SOCKFILE=$(watchman get-sockname --no-pretty | jq -r .sockname)
 nixOpts+=(
- "--argstr watchmanSockPath ${WATCHMAN_SOCKFILE}"
- "--option extra-sandbox-paths ${KEYSTORE_PATH};${WATCHMAN_SOCKFILE}"
+ " --argstr" "watchmanSockPath" "${WATCHMAN_SOCKFILE}"
+ " --option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH} ${WATCHMAN_SOCKFILE}"
 )
 else
+ echo wtf
 nixOpts+=(
- "--option extra-sandbox-paths ${KEYSTORE_PATH}"
+ "--option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH}"
 )
 fi
+nixOpts+=(
+ "--arg" "config" "{${config}}"
+ "--arg" "env" "{BUILD_ENV=\"${BUILD_ENV}\";ANDROID_ABI_SPLIT=\"${ANDROID_ABI_SPLIT}\";ANDROID_ABI_INCLUDE=\"${ANDROID_ABI_INCLUDE}\";}"
+)
+
 ${GIT_ROOT}/nix/scripts/build.sh targets.mobile.android.release "${nixOpts[@]}"
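Review bot: `chmod 644 ${SECRETS_FILE_PATH}` widens the owner-only mode that `mktemp` creates to world-readable before the keystore passwords are appended, so every local user can read them for the duration of the build. If the mode was loosened so that the Nix build users can read the file (the hunk does not say), a group-scoped mode such as `chmod 640` plus a matching group is the narrower choice. The reason should be stated in the comment above it. The trap string is expanded when the trap is defined and leaves the path unquoted; `trap 'rm -f -- "${SECRETS_FILE_PATH}"' EXIT` is more robust. A failed `mktemp` is also not checked, which would leave later redirections pointing at an empty path.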
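Review bot: In the Darwin branch the new array elements read `" --argstr"` and `" --option"`, with a space inside the quotes as rendered here, so nix-build would receive arguments that begin with a space, not option names. They should be `"--argstr"` and `"--option"`, matching the else branch. The added `echo wtf` in the else branch looks like leftover debugging output and should be removed before merge.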