VietMX Staff asked 3 years ago
Problem
Assuming I have something similar to this, how can I protect the secret key:
public class DropboxService {
private final static String APP_KEY = "jk433g34hg3";
private final static String APP_SECRET = "987dwdqwdqw90";
private final static AccessType ACCESS_TYPE = AccessType.DROPBOX;
// SOME MORE CODE HERE
}What is in your opinion the best and most secure way to store the private key? Obfuscation, encryption, what do you think?
If you want to protect your secret, not having it in your app in the first place is a pretty good way to go. Few ideas, in my opinion only first one gives some guarantee:
- Create server-side API for all 3-rd party requests. When your client wants to make an API call, it asks the app auth service to authenticate it (using strong remote attestation techniques), and it receives a time limited (usually JWT) token signed by the secret.The token is sent with each API call where the endpoint can verify its signature before acting on the request.
- Keep your secrets on some server on internet, and when needed just grab them and use. If user is about to use dropbox then nothing stops you from making request to your site and get your secret key.
- Put your secrets in jni code, add some variable code to make your libraries bigger and more difficult to decompile. You might also split key string in few parts and keep them in various places.
- Use obfuscator, also put in code hashed secret and later on unhash it when needed to use.
- ut your secret key as last pixels of one of your image in assets. Then when needed read it in your code. Obfuscating your code should help hide code that will read it.
