Store client secret securely

android security encryption oauth secret-key
10,454

Solution 1

This article suggests these options, from less to more secure:

  1. Store in cleartext

  2. Store encrypted using a symmetric key

  3. Using the Android Keystore

  4. Store encrypted using asymmetric keys

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough

Solution 2

Maybe the best option is to use NDK because it can not be decompiled, like Godfrey Nolan points here

Here is a resource I found useful that helped me to implement it link to the resource

Cheers

Solution 3

As you said, whatever you do, how much you try to hide your key, you can not hide it 100%. But, if you want to make reverse engineer's work harder;

Firstly obfuscate your client (I guess you already do).

Secondly, do not put your key into the client hard-coded. Receive the key after login or user opened the application. And deliver secret key to the client over SSL. Store the secret as byte array and do not save it into the client. Just store in the memory.

These steps do not guarantee the safety of the secret key, but makes reverse engineer's job really hard.

Share:
10,454
pomber
Author by

pomber

pomb.us Twitter: @pomber Medium: pomber Github: pomber

Updated on June 18, 2022

Comments

  • pomber
    pomber almost 2 years

    I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

    But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

    So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...

    I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.

    Any idea?

  • Johny19
    Johny19 over 7 years
    That must be the worse advice ever.
  • mijiturka
    mijiturka almost 7 years
    Just because it can't be decompiled doesn't mean it can't be inspected: native code can be disassembled into assembly instructions close to those generated by the compiler. It is more difficult to read than high-level code but it is code nevertheless.
  • Archimedes Trajano
    Archimedes Trajano over 6 years
    Actually this advice is pretty good. Though the secret should be between the app and the primary gateway only not to the other services. However, I don't want to change the answer too much so I'll post a separate one.
  • Robert Brisita
    Robert Brisita over 5 years
    @Johny19 why do you think this is bad?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Android: Store SecretKey in KeyStore
Check if Android filesystem is encrypted
encrypt data in SharedPreferences
Securly Storing OpenID identifiers and OAuth tokens
OAuth secrets in mobile apps
How to securely store access token and secret in Android?
How to Secure Android Shared Preferences?
How to encrypt and decrypt file in Android?
how to securely store encryption keys in android?
Should I obfuscate OAuth consumer secret stored by Android app?