hi,
is there any suggested approach to handle sensitive data (like third-party api keys) in Cordova apps?
imagine I want my app to call some third-party http API like twitter, that uses a pair of keys to sign my requests.
if I embed my keys right into my app source, someone could just open the apk and get them easily.
then, as an alternative, I thought about *not* embedding my keys in my app but getting them from my server every time the app is started. so... the keys would be just in memory and could not be inspected right from the device. but someone could just follow the source scripts and find the url to get the keys.
then, I thought about obfuscating my javascripts to make getting the url and interpreting the data transferred a little harder. but still, someone really interested in reversing the code and getting the keys would eventually be successful with a javascript debugger and a lot of patience.
today, the only way I see to protect my keys would be storing them at my webserver, and making the requests right from it, so my mobile app would request something from my server and then it would do the job.
but this is not really interesting, because I could save my server from all the network traffic (in and out) if my mobile app could talk directly to the third-party server.
do you have any suggestion or record about anyone with the same problem? is there any blueprint, pattern, good practice or something that solves this demand? hiding / securing keys or sensitive information in the app?
thanks in advance!