Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android credential storage: Where to save private keys?

My application contains secure content that I want to encrypt. I want to store the secret key locally(Mostly because my users do not use any authentication mechanism for login).

Those are the solutions that I found from Android

  • Android Keystore System: it sounds like the perfect solution, it significantly increase the security of locally stored keys, but it only offers encryption protocols for APIS 18+ while my app needs to support API 14.
  • KeyChain API: It mostly help sharing security keys between apps, it also require user involvement in selecting certificate chains.
  • From Android Security and Design, how to save Android public key:

    To keep your public key safe from malicious users and hackers, do not embed it in any code as a literal string. Instead, construct the string at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want to make it easy for a hacker or malicious user to replace the public key with another key.

    While it sounds like a good tip, it doesn't really add much to security.

So what is the best practice of saving private keys without asking for user authentication?

like image 366
Ilya Gazman Avatar asked Oct 08 '15 08:10

Ilya Gazman


People also ask

Where should private keys be stored?

A CA's private key should be stored in hardware-based protection, such as a Hardware Security Module (HSM). This provides tamper-resistant secure storage. A Private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token.

Where are private keys stored Android?

A public/private key RSA pair is generated, which is stored in the Android device's keystore and protected usually by the device PIN. An AES-based symmetric key is also generated, which is used to encrypt and decrypt the secrets.

What is the best place to store secret API keys Android?

Often your app will have secret credentials or API keys that you need to have in your app to function but you'd rather not have easily extracted from your app. If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API.


1 Answers

Check out these five best practices for safe API key storage and avoid the headaches of an exposed key:

1. Don’t store your API key directly in your code.

Embedding your API key in your source code may seem like a practical idea, but it’s a security risk as your source code can end up on many screens. Instead, store your API key and secret directly in your environment variables. Environment variables are dynamic objects whose values are set outside of the application. This will let you access them easily (by using the os.getenv() method in Python, for example, or using dotenv package in a Node app), and avoid accidentally exposing a key when you push your code.

2. Don’t store your API key on the client-side.

If you are developing a web app, remember to always store your credentials always on the backend side. Fetch the API results from there and then pass them to the frontend. If you’re a mobile developer, it’s doubly important to store your credentials outside your app, as a seasoned user can easily reserve engineer your app and find your credentials. Try to store your API credentials on a separate server that you own and use that same server to fetch the API results before then passing them on to the client.

3. Don’t expose unencrypted credentials on code repositories, even private ones

We all love helping the community and sharing code online, but it’s easy to forget your credentials in the code and leave them exposed to the world. Repositories frequently get cloned and forked into new projects, giving new developers access to their complete history. Any credentials within the repository's history will exist in all new repositories born from that source.
Even private repositories can leave you vulnerable to hacks, so you should consider any API key exposed in any repository, public or private, as compromised. Instead, remove your API key and secret before publishing by using a gitignore file to specify files for Git to ignore or simply remember to hash your credentials before publishing.

4. Consider using an API secret management service

Storing your API credentials as environment variables will save you a lot of pain, but if you are working on a project with a big team you may find that’s it hard to keep everyone in sync. One solution for convenience and peace of mind is to use a secret management service like AWS Secret Manager. This will not only protect your keys but help you retrieve and manage the credentials of your entire team.

5. Generate a new key if you suspect a breach

If you think your API credentials have been compromised, keep calm and simply revoke your key. This can easily be done on the Amadeus for Developers portal by following these steps:

  1. Log in to your account.
  2. Visit your Self-Service Workspace
  3. Select the application in question
  4. Generate a new key by clicking on the refresh button.

Conclusion

There is not a one-size-fits-all solution for secure API key storage – you’ll need to consider a variety of factors like team size or project scope to find the solution that’s right for you. We hope some of the best practices covered in this article will help you secure your credentials and avoid unnecessary hassles and headaches down the road.

like image 144
Amlan Avatar answered Nov 14 '22 23:11

Amlan