This is a migrated thread and some comments may be shown as answers.

ideas for holding sensitive data on Cordova apps?

4 Answers 94 Views
General Discussion
This question is locked. New answers and comments are not allowed.
wee asked on 01 Feb 2013, 01:37 PM
hi,

is there any suggested approach to handle sensitive data (like third-party api keys) in Cordova apps?

imagine I want my app to call some third-party http API like twitter, that uses a pair of keys to sign my requests. 

if I embed my keys right into my app source, someone could just open the apk and get them easily.

then, as an alternative, I thought about *not* embedding my keys in my app but getting them from my server every time the app is started. so... the keys would be just in memory and could not be inspected right from the device. but someone could just follow the source scripts and find the url to get the keys.

then, I thought about obfuscating my javascripts to make getting the url and interpreting the data transferred a little harder. but still, someone really interested in reversing the code and getting the keys would eventually be successful with a javascript debugger and a lot of patience.

today, the only way I see to protect my keys would be storing them at my webserver, and making the requests right from it, so my mobile app would request something from my server and then it would do the job.

but this is not really interesting, because I could save my server from all the network traffic (in and out) if my mobile app could talk directly to the third-party server.

do you have any suggestion or record about anyone with the same problem? is there any blueprint, pattern, good practice and something that solves this demand? hiding / securing keys or sensitive information into the app?

thanks in advance!

4 Answers, 1 is accepted

Mat-Moo
answered on 05 Feb 2013, 03:12 PM
You could download these and store them in html5 localstorage? http://www.w3schools.com/html/html5_webstorage.asp
Ilian
answered on 06 Feb 2013, 05:14 PM
Hello Wee,

Authenticating through OAuth works relatively well for server-to-server authentication, but it is obviously a security problem for mobile and desktop applications. In reality it is not as bad as it sounds, but the problem is how the service you are accessing is using the key and whether they intend to ban abused keys. In the case of Twitter the only way to access the Twitter REST API v1.1 is through user authorization.

If you bundle keys with the desktop or mobile app, open source or not, it is possible to access them. Since services like Twitter force us into using OAuth-only API, we have the two options you already found:

  • set up an auth proxy service for your application
  • bundle keys with the app

The former is more difficult and costly, not necessarily maintainable for small and open source apps. The latter means that the app may and will be blocked, once the spammers steal the keys. Keep in mind that if someone has enough knowledge to debug your program and extract your key, they likely know how to do more than that and you could very well be wasting your time trying to lock down further.

If you want to read some more about OAuth authentication problems and the Twitter story you can visit this link.

All the best,
Ilian Iliev
the Icenium team

Mark
answered on 29 Mar 2013, 03:35 PM
Does anyone have a solution to this problem? This appears to be a major flaw of Cordova and the solution seems to be to write native apps in iOS or Android so that the code on the mobile device is compiled. Is there any way to integrate compiled code in Cordova? Other ideas?
iliev
Telerik team
answered on 02 Apr 2013, 02:04 PM
Hello Mark,

I'm afraid that native applications on every platform also have problems with holding sensitive data. It is easier to read the javascript code, but if it's harder to compromise an application, that does not mean it's impossible :).

Let's take iOS for example. You can take a look at this question on Stack Overflow.

"Yes, strings and information are easily extractable from compiled applications using the strings tool (see here), and it's actually even pretty easy to extract class information using class-dump-x (check here).

Just some food for thought."

Android applications can easily be compromised with any Java decompiler.

Sincerely,
Ilian Iliev
the Telerik team
