Learn More
Resend Email
3
Viewholder
7y

Is there an acceptable way to deal with API secrets in an Android app that can cure the anxiety that is slowly taking over me during the past few hours that I am researching about it? Thnx.

p.s. I am not sure how people that work in security can go on with their lives and not have suicidal tendencies

rant

nihilism

android

secrets

security
Favorite
Ranter
Comments
  • 0
    7y
    put the APIs on a Server...
  • 1
    7y
    Sorry, i was in rush...
    The only secure way is to store the secrets on a server and call the APIs from there and host your own API just for the App
  • 0
    7y
    @Noren
    You haven't solved anything, you've just moved the problem.

    Now you need credentials to access the api that hosts the api credentials

    Where are you going to store those?
  • 0
    7y
    .
  • 0
    7y
    @D--M
    Thats not quite true. Just the move to the server allows the app to provide unlimited access to the APIs without publish the API secrets...
    Unfortunately everyone can access your API, but you can always block them per Firewall...
    Of course i recommend you a better authentication system for your own API. Let the server generate access tokens for each App installation, so you are able to restrict the access to some users if they abuse the system...
    In case someone generates thousend access tokens you can block his ip or throttle the generator
  • 0
    7y
    @Noren
    I think the problems just moved again.

    At the end of the day, your allowing api keys to be downloaded via an API.

    Theres really no way around it.
  • 0
    7y
    @D--M
    I think you misunderstood something... you never allow to download any API Key or Secret...
    Here an Example:
    An App which wants Addresses, A Public Server whith an API and your Server.
    App --getAddresses--> Your Server
    Your Server --getAddresses(with Appsecret)--> Public Server
    Your Server <--Data-- Public Server
    App <--Data-- Your Server
  • 0
    7y
    @Noren
    What.

    The OP is asking for api keys in android apps,

    I assumed he was talking about google play services and the like which can't be delegated to a server.
  • 0
    7y
    @D--M
    Ah there is the difference...
    If APIs from Android exist which secrets are needed, then you are fucked...
    I dont think that google has something like this, that would be stupid.
  • 0
    7y
    Very informative guys! Thanks! My backend is actually Parse Server that runs on a machine I own ( well.. pay) but still needs an API to access the parse sdk for the db and stuff.. Could I enforce the scheme you discussed on this case?
Related Rants
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment