 

Best practices for API Key and Secret in bundled in App

I'm developing an app that will use text messages to verify a user's telephone number, the usual "enter code" routine.

After reading a little bit it seems like a bad idea to store the private keys for whatever 3rd party I'll use in the app (twilio, nexmo, etc). Somebody could reverse engineer these from my binary and use them in their app.

However, having these on the server doesn't help either, somebody could just reverse engineer my server's endpoint that I use to send text messages and use that instead.

E.g. I could reverse engineer WhatsApp and get the private keys or API endpoints that they use for telephone number verification and just use that in my app, saving me thousands of dollars.

Any ideas on how to protect myself against such an attack?

asked Apr 17 '16 05:04 by Danish Khan




1 Answer

Hiding API Keys on the server

However, having these on the server doesn't help either, somebody could just reverse engineer my server's endpoint that I use to send text messages and use that instead.

Yes it does help a lot.

If somebody gets access to the keys to your web service, they can only do what your service allows them to do. It is a very good idea to have a web service that encapsulates all the 3rd party keys and APIs; it's way more secure.

Nobody will ever get access to your sensitive keys that would allow them to do everything.

For example, the 3rd party API allows deleting; your server wrapper API will not allow it.

Moreover, you can add any extra logic or alerts for suspicious behavior.

Hiding API Keys in the app

If somebody sets their mind to it, there's no way you can prevent getting your keys reverse engineered from your app. You can only make that harder. Computer security should never be about "how hard/complicated it is to do", but in this case we have no choice.

Ok, so you have to hardcode the API keys into your source files. They can be easily reverse-engineered.

You can obfuscate your keys, so that they can't be read directly. The result will be that they'll be scattered in a compiled file, rather than comfortably being placed in one place.

On iOS you can use something like this.

On Android you can use DexGuard, or any other way to obfuscate a string.

Encrypting the keys

Another layer of making it hard for hackers is to encrypt the keys.

Here's an example for iOS.

You can do the same for Android.

Perfect Scenario

Ok, so let's say you have a 3rd party API for video management.

The hacker wants to delete all videos on the server, because the 3rd party API allows that.

First he has to glue together all the scattered strings in the file. If he manages to do that, he has to find a way to decrypt them.

Even if he manages to decrypt them, that'll give him the API keys to your server, and your server only allows uploading videos, not deleting them.

answered Sep 17 '22 20:09 by michal.ciurus
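The server-side wrapper the answer describes, written out as an added example (this is not code from the question or the answer, and not any provider's SDK). The provider client is a stand-in that records messages instead of sending them, the key and HMAC pepper are placeholders, and the rate limits and TTL are assumed values; what it shows is the shape of the endpoint the app is allowed to call: exactly two operations, the provider key never leaving the server, codes stored only as an HMAC, and per-phone and per-client throttling that records alerts for suspicious behaviour.

```python
"""Server-side wrapper around a third-party SMS API (added example).

The mobile app never holds the provider key. It calls only send_code() and
check_code(); the wrapper holds the key, exposes just those two operations,
and throttles them so a reverse-engineered client endpoint is of limited
use to an attacker.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Hypothetical values; on a real server both come from the environment,
# never from the app binary.
PROVIDER_API_KEY = b"sk_example_provider_key"   # placeholder, not a real key
SERVER_PEPPER = b"server-only-hmac-key"         # placeholder, not a real key

CODE_TTL_SECONDS = 300                  # assumed policy values
MAX_SENDS_PER_PHONE_PER_HOUR = 3
MAX_SENDS_PER_CLIENT_PER_HOUR = 20
MAX_VERIFY_ATTEMPTS = 5


class FakeSmsProvider:
    """Stand-in for a real provider client (Twilio, Nexmo, ...): records
    messages instead of sending them, so the example runs offline."""

    def __init__(self, api_key):
        self.api_key = api_key
        self.sent = []  # list of (to, body)

    def send_sms(self, to, body):
        self.sent.append((to, body))


class VerificationService:
    """The only surface the app talks to: issue a code, check a code."""

    def __init__(self, provider, clock=time.time):
        self._provider = provider
        self._clock = clock
        self._pending = {}                  # phone -> [code_hmac, expires_at, attempts]
        self._history = defaultdict(deque)  # throttle key -> send timestamps
        self.alerts = []                    # suspicious-behaviour log for ops

    def _hash(self, phone, code):
        # Codes are stored only as an HMAC, so a database leak does not expose them.
        return hmac.new(SERVER_PEPPER, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def _within_limit(self, key, limit, window=3600):
        now = self._clock()
        stamps = self._history[key]
        while stamps and stamps[0] <= now - window:   # drop entries outside the window
            stamps.popleft()
        if len(stamps) >= limit:
            self.alerts.append(f"rate limit exceeded for {key}")
            return False
        stamps.append(now)
        return True

    def send_code(self, client_id, phone):
        """Send a fresh 6-digit code to `phone`. Returns False when throttled."""
        if not self._within_limit(("phone", phone), MAX_SENDS_PER_PHONE_PER_HOUR):
            return False
        if not self._within_limit(("client", client_id), MAX_SENDS_PER_CLIENT_PER_HOUR):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [self._hash(phone, code), self._clock() + CODE_TTL_SECONDS, 0]
        self._provider.send_sms(phone, f"Your verification code is {code}")
        return True

    def check_code(self, phone, code):
        """Return True once, for the right code, within the TTL and attempt budget."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code_hmac, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[phone]
            return False
        if attempts >= MAX_VERIFY_ATTEMPTS:
            del self._pending[phone]
            self.alerts.append(f"attempt budget exhausted for {phone}")
            return False
        entry[2] += 1
        if hmac.compare_digest(code_hmac, self._hash(phone, code)):
            del self._pending[phone]   # single use
            return True
        return False


if __name__ == "__main__":
    provider = FakeSmsProvider(PROVIDER_API_KEY)
    service = VerificationService(provider)
    service.send_code("app-build-42", "+15550000001")
    print(provider.sent[-1])
```

Note that the provider key is referenced only inside the server process; even an attacker who reconstructs the app's endpoint and calls it directly is limited to sending throttled verification codes, and every throttle hit lands in `alerts`, which is the hook for the "extra logic or alerts for suspicious behavior" the answer mentions.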