Store client secret securely

android security encryption oauth secret-key
pomber picture pomber · Feb 19, 2015 · Viewed 8.3k times · Source

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...

I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.

Any idea?

Answer

jmm picture jmm · Jul 11, 2015

This article suggests these options, from less to more secure:

  1. Store in cleartext

  2. Store encrypted using a symmetric key

  3. Using the Android Keystore

  4. Store encrypted using asymmetric keys

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough

Related questions

How to encrypt and decrypt file in Android?

I want to encrypt file and store it in SD card. I want to decrypt that encrypted file and store it in SD card again. I have tried to encrypt file by opening it as file stream and encrypt it …

Read More
How to Secure Android Shared Preferences?

The common location where SharedPreferences are stored in Android apps is: /data/data/<package name>/shared_prefs/<filename.xml> User with root privileges can navigate to this location and can change its values.Need of protecting …

Read More
Is there any difference, if I init AES cipher, with and without IvParameterSpec

I was wondering, is there any difference, if I init AES cipher, with and without IvParameterSpec? With IvParameterSpec SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new IvParameterSpec(…

Read More