diff --git a/automation/taskcluster/upload_apk_nimbledroid.py b/automation/taskcluster/upload_apk_nimbledroid.py index ac6139518..adea302f5 100644 --- a/automation/taskcluster/upload_apk_nimbledroid.py +++ b/automation/taskcluster/upload_apk_nimbledroid.py @@ -38,8 +38,8 @@ token_file = sys.argv[2] with open(token_file) as f: key = f.read() -if key.rstrip() == '--': - print('Nimbledroid key "--" detected. Not uploading anything to the service.') +if key.rstrip() == "faketoken": + print('Nimbledroid key "faketoken" detected. Not uploading anything to the service.') sys.exit(0) with open(apk_path) as apk_file: diff --git a/taskcluster/ci/nimbledroid/kind.yml b/taskcluster/ci/nimbledroid/kind.yml index bd42a9d0f..845a3b694 100644 --- a/taskcluster/ci/nimbledroid/kind.yml +++ b/taskcluster/ci/nimbledroid/kind.yml @@ -25,11 +25,12 @@ job-defaults: key: api_key path: .nimbledroid_token default: [] - pre-commands: + dummy-secrets: by-level: '3': [] default: - - [echo, '--', '>', .nimbledroid_token] + - content: "faketoken" + path: .nimbledroid_token run-on-tasks-for: [] treeherder: kind: test diff --git a/taskcluster/fenix_taskgraph/job.py b/taskcluster/fenix_taskgraph/job.py index d97396931..1b98d7e8b 100644 --- a/taskcluster/fenix_taskgraph/job.py +++ b/taskcluster/fenix_taskgraph/job.py @@ -19,6 +19,12 @@ secret_schema = { Optional("json"): bool, } +dummy_secret_schema = { + Required("content"): text_type, + Required("path"): text_type, + Optional("json"): bool, +} + gradlew_schema = Schema({ Required("using"): "gradlew", Optional("pre-gradlew"): [[text_type]], @@ -28,6 +34,7 @@ gradlew_schema = Schema({ Required("workdir"): text_type, Optional("use-caches"): bool, Optional("secrets"): [secret_schema], + Optional("dummy-secrets"): [dummy_secret_schema], }) run_commands_schema = Schema({ 
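Review bot: In automation/taskcluster/upload_apk_nimbledroid.py the placeholder `"faketoken"` is a bare literal that has to match the `content` value under `dummy-secrets` in taskcluster/ci/nimbledroid/kind.yml exactly. If the two drift, the comparison fails and the script carries on past the early exit with the placeholder as its key; what it does from `with open(apk_path) as apk_file:` onwards is outside the hunk. A named constant with a pointer to the YAML would make the coupling explicit, e.g. `DUMMY_KEY = "faketoken"  # must match dummy-secrets content in taskcluster/ci/nimbledroid/kind.yml`.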
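Review bot: `dummy_secret_schema` in taskcluster/fenix_taskgraph/job.py accepts any text for `path`, while taskcluster/scripts/write-dummy-secret.py resolves that value with `'../../' + path`, so a value containing `..` segments would be written outside the checkout. Task definitions are in-tree, so this is hardening rather than an exposed input. A comment on the schema would record the contract, e.g. `# path is relative to the repository root and must not contain ".." segments`, and the script could refuse a resolved path that falls outside that root.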
@@ -37,6 +44,7 @@ run_commands_schema = Schema({ Required("workdir"): text_type, Optional("use-caches"): bool, Optional("secrets"): [secret_schema], + Optional("dummy-secrets"): [dummy_secret_schema], }) @@ -44,9 +52,13 @@ run_commands_schema = Schema({ def configure_run_commands_schema(config, job, taskdesc): run = job["run"] pre_commands = run.pop("pre-commands", []) + pre_commands += [ + _generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", []) + ] pre_commands += [ _generate_secret_command(secret) for secret in run.get("secrets", []) ] + all_commands = pre_commands + run.pop("commands", []) run["command"] = _convert_commands_to_string(all_commands) @@ -72,6 +84,9 @@ def configure_gradlew(config, job, taskdesc): def _extract_gradlew_command(run): pre_gradle_commands = run.pop("pre-gradlew", []) + pre_gradle_commands += [ + _generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", []) + ] pre_gradle_commands += [ _generate_secret_command(secret) for secret in run.get("secrets", []) ] @@ -96,6 +111,18 @@ def _generate_secret_command(secret): return secret_command +def _generate_dummy_secret_command(secret): + secret_command = [ + "taskcluster/scripts/write-dummy-secret.py", + "-f", secret["path"], + "-c", secret["content"], + ] + if secret.get("json"): + secret_command.append("--json") + + return secret_command + + def _convert_commands_to_string(commands): should_artifact_reference = False should_task_reference = False diff --git a/taskcluster/fenix_taskgraph/transforms/build.py b/taskcluster/fenix_taskgraph/transforms/build.py index a781c3253..c97d64da4 100644 --- a/taskcluster/fenix_taskgraph/transforms/build.py +++ b/taskcluster/fenix_taskgraph/transforms/build.py 
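Review bot: `_generate_dummy_secret_command` in job.py puts `secret["path"]` and `secret["content"]` on the command line unquoted, and the list is later passed through `_convert_commands_to_string`, whose body is outside this hunk. The code this commit removes relied on a literal `">"` redirect and wrapped the value by hand with `'"{}"'.format(fake_value)`, which suggests the arguments end up in a shell string. If so, a placeholder containing spaces, quotes or `$` would be split or expanded. Either quote each argument where the list is built or state the restriction next to the schema, e.g. `# content and path must be shell-safe: commands are joined into one string`. The function also lacks a docstring; one line saying it mirrors `_generate_secret_command` for placeholder values would be enough.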
@@ -32,6 +32,7 @@ def add_variant_config(config, tasks): def add_shippable_secrets(config, tasks): for task in tasks: secrets = task["run"].setdefault("secrets", []) + dummy_secrets = task["run"].setdefault("dummy-secrets", []) if task.pop("include-shippable-secrets", False) and config.params["level"] == "3": build_type = task["attributes"]["build-type"] @@ -50,15 +51,16 @@ def add_shippable_secrets(config, tasks): ('mls', '.mls_token'), )]) else: - task["run"]["pre-gradlew"] = [[ - "echo", '"{}"'.format(fake_value), ">", target_file - ] for fake_value, target_file in ( - ("--", ".adjust_token"), - ("", ".digital_asset_links_token"), - ("-:-", ".leanplum_token"), - ("", ".mls_token"), + dummy_secrets.extend([{ + "content": fake_value, + "path": target_file, + } for fake_value, target_file in ( + ("faketoken", ".adjust_token"), + ("faketoken", ".digital_asset_links_token"), + ("fake:token", ".leanplum_token"), # : is used by leanplum + ("faketoken", ".mls_token"), ("https://fake@sentry.prod.mozaws.net/368", ".sentry_token"), - )] + )]) yield task diff --git a/taskcluster/fenix_taskgraph/transforms/nimbledroid.py b/taskcluster/fenix_taskgraph/transforms/nimbledroid.py index 65f1d48d7..9b9b1a276 100644 --- a/taskcluster/fenix_taskgraph/transforms/nimbledroid.py +++ b/taskcluster/fenix_taskgraph/transforms/nimbledroid.py @@ -18,7 +18,7 @@ transforms = TransformSequence() @transforms.add def resolve_keys(config, tasks): for task in tasks: - for key in ("run.secrets", "run.pre-commands"): + for key in ("run.secrets", "run.dummy-secrets"): resolve_keyed_by( task, key, diff --git a/taskcluster/scripts/write-dummy-secret.py b/taskcluster/scripts/write-dummy-secret.py new file mode 100755 index 000000000..48fc41497 --- /dev/null +++ b/taskcluster/scripts/write-dummy-secret.py 
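Review bot: In the non-level-3 branch of `add_shippable_secrets` (transforms/build.py), `.digital_asset_links_token` and `.mls_token` change from an empty string to `"faketoken"`, which is a behaviour change on top of the move to `dummy-secrets`. If the app build treats an empty token file as "feature off", non-release builds would now carry a non-empty bogus credential and may try to use it. The consuming code is not part of this diff, so this needs confirming. Presumably the values became non-empty because an empty `-c` argument would not survive the command-string conversion; a comment on the tuple should say so, e.g. `# placeholders must be non-empty: they are passed as -c arguments to write-dummy-secret.py`.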
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from __future__ import absolute_import, print_function, unicode_literals
+
+import argparse
+import errno
+import json
+import os
+
+
+def write_secret_to_file(path, secret, key, json_secret=False):
+ path = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../' + path))
+ try:
+ os.makedirs(os.path.dirname(path))
+ except OSError as error:
+ if error.errno != errno.EEXIST:
+ raise
+ print("Outputting secret to: {}".format(path))
+
+ with open(path, 'w') as f:
+ if json_secret:
+ secret = json.dumps(secret)
+ f.write(secret)
+
+
+def main():
+ parser = argparse.ArgumentParser(description="Store a dummy secret to a file")
+
+ parser.add_argument("-c", dest="content", action="store", help="content of the secret")
+ parser.add_argument("-f", dest="path", action="store", help="file to save secret to")
+ parser.add_argument("--json", dest="json", action="store_true", default=False, help="serializes the secret to JSON format")
+
+ result = parser.parse_args()
+
+ write_secret_to_file(result.path, result.content, result.json)
+
+
+if __name__ == "__main__":
+ main()
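Review bot: `main()` calls `write_secret_to_file(result.path, result.content, result.json)`, but the signature is `(path, secret, key, json_secret=False)`, so `result.json` binds to the unused `key` parameter and `json_secret` stays False; `--json` therefore never serializes anything. Drop the leftover parameter, `def write_secret_to_file(path, secret, json_secret=False):`, or pass `json_secret=result.json` explicitly. `-c` and `-f` are also optional to argparse, so a missing `-f` reaches `'../../' + path` with `None` and fails with a TypeError instead of a usage message; `required=True` on both arguments would fix that.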