I am working on an open-source JavaScript application, and I am trying to interface with a third-party API (GitHub specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my API key. I am not supposed to publish or share this key.
I have come up with the following solution:
I am essentially storing a transformed version of the secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.
Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?
The only way to hide it is to proxy your request through your own server. Netlify Functions are a free way to add some simple backend code to a frontend app. This is the method I used while learning to program in college, where I needed to share my progress with my peer group without disclosing my API keys.
It is often recommended to use serverless functions to hide API keys for client-side applications. The client can then use this serverless function as a proxy to call the API through a new endpoint.
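The proxy the two answers above describe, written out as an added example (this is not code from the question or from either answer): a Netlify-style serverless function that performs the GitHub OAuth code-for-token exchange on the server, so the client secret lives only in the function's environment and never reaches the browser. The environment variable names, the allowed-origin list and the injectable `fetchImpl` are assumptions made for this illustration.

```javascript
// Added example, not code from the question or any answer: a Netlify-style
// serverless function that performs the GitHub OAuth code-for-token exchange
// so the client secret stays in the function's environment variables and
// never reaches the browser. The env var names, allowed-origin list and the
// injectable fetch are assumptions for this illustration.
const GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";

// Browser origins allowed to use this proxy (assumed; set to your own site).
// Without this check anyone could drive your client secret from their own page.
const ALLOWED_ORIGINS = new Set(["https://example.netlify.app"]);

function jsonResponse(statusCode, payload, origin) {
  const headers = { "Content-Type": "application/json" };
  if (origin) headers["Access-Control-Allow-Origin"] = origin;
  return { statusCode, headers, body: JSON.stringify(payload) };
}

// env: object holding GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET (process.env in
// production); fetchImpl: fetch-compatible function, injected so the exchange
// can be exercised without network access.
function createHandler(env, fetchImpl) {
  return async function handler(event) {
    if (event.httpMethod !== "POST") {
      return jsonResponse(405, { error: "method_not_allowed" });
    }
    // Netlify lower-cases header names; fall back to the canonical form anyway.
    const origin = (event.headers && (event.headers.origin || event.headers.Origin)) || "";
    if (!ALLOWED_ORIGINS.has(origin)) {
      return jsonResponse(403, { error: "origin_not_allowed" });
    }
    let code;
    try {
      code = JSON.parse(event.body || "{}").code;
    } catch {
      return jsonResponse(400, { error: "invalid_json" }, origin);
    }
    // GitHub authorization codes are short alphanumeric strings; reject
    // anything else before it is forwarded upstream.
    if (typeof code !== "string" || !/^[A-Za-z0-9]{1,128}$/.test(code)) {
      return jsonResponse(400, { error: "invalid_code" }, origin);
    }
    const clientId = env.GITHUB_CLIENT_ID;
    const clientSecret = env.GITHUB_CLIENT_SECRET;
    if (!clientId || !clientSecret) {
      return jsonResponse(500, { error: "proxy_not_configured" }, origin);
    }
    const upstream = await fetchImpl(GITHUB_TOKEN_URL, {
      method: "POST",
      headers: { Accept: "application/json", "Content-Type": "application/json" },
      body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, code }),
    });
    const data = await upstream.json();
    // GitHub reports a bad or reused code as HTTP 200 with an `error` field,
    // so the body has to be inspected, not just the status.
    if (!upstream.ok || data.error) {
      return jsonResponse(502, { error: data.error || "exchange_failed" }, origin);
    }
    // Forward only the token fields; the secret never appears in the response.
    return jsonResponse(
      200,
      { access_token: data.access_token, token_type: data.token_type, scope: data.scope },
      origin
    );
  };
}

// Netlify Functions load `handler` from a CommonJS module; the export is
// guarded so the file also loads as an ES module.
const handler = createHandler(process.env, (...args) => globalThis.fetch(...args));
if (typeof module !== "undefined") module.exports = { handler, createHandler };
```

The browser posts the `code` it received on the OAuth redirect to `/.netlify/functions/<name>` and gets back only the access token; the client ID and secret are set as environment variables in the site's Netlify settings, not in the repository. Note what this does and does not protect: the client secret stays on the server, but the user's access token is still handed to the browser, which is inherent to a client-side-only design.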
If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API. You should not store them in shared preferences without encrypting this data first because they can be extracted when performing a backup of your data.
The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put it in the repository at all.
Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.
A good example of this is in WordPress's config file in the "Authentication Unique Keys and Salts" section.
That sounds more than adequate to keep something secret; though Triple DES is a little dated.
I would use X rounds of SHA-256 to hash the passphrase, then use that hash as an AES-256 key.
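The passphrase-to-AES-256 scheme the answer above suggests, as an added example (this is not the answer author's code): the "X rounds of SHA-256" is realised as PBKDF2-HMAC-SHA-256 with a random salt, which is the standardised form of iterated hashing, and the derived key wraps the secret with AES-256-GCM so a wrong passphrase or a tampered blob is detected rather than silently yielding garbage. Web Crypto is used because the application is browser-side; the iteration count, helper names and the Node fallback for running the example outside a browser are assumptions for this illustration. As an earlier answer points out, anyone who has the passphrase can recover the secret, so this protects the stored blob, not the secret from the app's own users.

```javascript
// Added example, not code from the question or any answer: derive an AES-256
// key from a user passphrase with PBKDF2-HMAC-SHA-256 (the iterated-SHA-256
// idea in the answer, with a salt) and use it to wrap/unwrap a secret with
// AES-256-GCM via Web Crypto. Iteration count and helper names are assumptions.
const PBKDF2_ITERATIONS = 600000; // assumed cost parameter; raise as hardware allows

// Browser: globalThis.crypto. Node fallback via dynamic import so the example
// runs outside a browser as well.
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  const { webcrypto } = await import("node:crypto");
  return webcrypto;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Stretch the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt, c) {
  const base = await c.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]
  );
  return c.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    base,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt", "decrypt"]
  );
}

// Returns a blob safe to commit: salt, IV and ciphertext+tag, all hex.
async function wrapSecret(passphrase, secret) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12)); // 96-bit GCM nonce, fresh per wrap
  const key = await deriveKey(passphrase, salt, c);
  const ct = await c.subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(secret));
  return { salt: toHex(salt), iv: toHex(iv), ciphertext: toHex(new Uint8Array(ct)) };
}

// Returns the secret, or null when the passphrase is wrong or the blob was
// modified (the GCM tag check fails in both cases).
async function unwrapSecret(passphrase, blob) {
  const c = await getCrypto();
  const key = await deriveKey(passphrase, fromHex(blob.salt), c);
  try {
    const pt = await c.subtle.decrypt(
      { name: "AES-GCM", iv: fromHex(blob.iv) }, key, fromHex(blob.ciphertext)
    );
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Store the returned blob in the repository and prompt the user for the passphrase at runtime; a fresh salt and IV are generated on every `wrapSecret` call, so re-wrapping the same secret never reuses a nonce.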