
Protecting third party API keys/secrets in PhoneGap

I'm currently assessing the pros and cons of going native vs. PhoneGap for an app I have in mind, and thus far, PhoneGap seems to be the ideal option since most of the data processing will be done on the server-side, while the app will merely be a means to get inputs from the user.

But I've been reading a lot about how all the PhoneGap .html and .js files would be easily accessible on a rooted/jailbroken phone. My concern is that my app will be using a couple of third party APIs, particularly Last.fm and Parse. Both these APIs come with an API secret. Would this not cause a security concern? While the maximum damage one could inflict with my Last.fm API secret key would be to exhaust the API limits, with Parse, it could be much more serious, especially if I plan to store user logins, passwords, emails etc. Anyone could simply grab my Parse Application ID and JavaScript Key and start querying away on Parse (and possibly (but not probably) a competitor or a troll (more likely) could push up the requests/second from my Application ID so that I end up with a big, fat US $10,000 bill).

Are there any methods to protect/encrypt/obfuscate these API secret keys while developing apps in PhoneGap? Does this problem go away if you go native?

Agent.Logic_ asked Sep 15 '14 20:09


1 Answer

First of all, I think the security issues you mention are not related to PhoneGap only; the same problems exist for native apps as well. I admit, it is harder to find these keys in native apps, but it's doable.

On a side note, both Android apk and Apple ipa files are actually zip archives, so you don't need a rooted phone to open up and peek inside. You can already do it for all the apps (not only PhoneGap but native ones): open the archive, see the resources. But in native apps, you have a binary executable instead of html/js files. That's why it's not easy to figure out the data (keys) and app logic inside.

One approach is to implement a special scheme that will encrypt your js files during packaging (development), distribute it with the app and decrypt during runtime. It is totally possible (we did it in a project successfully); your PhoneGap app becomes as difficult to hack as native apps. Note that I am not saying impossible, because you still have the problem of hiding the decryption key somewhere in your code/resources. Beware though, writing such a framework is not easy and requires some modification to PhoneGap source code as well.

I think the safest solution to hide keys for Parse, etc. is to use your own server, implement server to server authentication and just pass a token to your client for client-server communication. In all other cases, you have to send the keys with the app, and however you hide it, there will be some guy who will find a way to unhide it.

mentat answered Sep 20 '22 13:09
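The "own server plus client token" design recommended in the answer above, sketched as an added example (not code from the original post or from either poster). The app only ever holds a short-lived signed token; the third-party secret is attached on the server, which can also cap calls per user. All names here (`issue_token`, `verify_token`, `proxy_request`, the limits and the placeholder secret) are hypothetical, and the upstream HTTP call is omitted so the block runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: both values exist only on your server (environment or secret store),
# never inside the .html/.js bundle shipped with the app.
SERVER_SIGNING_KEY = secrets.token_bytes(32)          # signs client tokens
THIRD_PARTY_SECRET = "PLACEHOLDER-third-party-secret"  # constructed placeholder
TOKEN_TTL = 900            # seconds a client token stays valid
MAX_CALLS_PER_MINUTE = 30  # per-user cap, bounds the bill a leaked token can cause
_calls = {}                # (user, minute) -> request count

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload):
    return hmac.new(SERVER_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()

def issue_token(user_id, now=None):
    """Issued after the user logs in; this is all the client stores."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now) + TOKEN_TTL}).encode())
    return payload + "." + _b64(_mac(payload))

def verify_token(token, now=None):
    """Return the user id, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(_unb64(sig), _mac(payload)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None

def proxy_request(token, params, now=None):
    """Validate the client token, rate limit, then build the upstream call."""
    now = time.time() if now is None else now
    user = verify_token(token, now)
    if user is None:
        return {"status": 401}
    window = (user, int(now) // 60)
    _calls[window] = _calls.get(window, 0) + 1
    if _calls[window] > MAX_CALLS_PER_MINUTE:
        return {"status": 429}
    upstream = dict(params, api_secret=THIRD_PARTY_SECRET)  # added server-side only
    return {"status": 200, "user": user, "upstream_keys": sorted(upstream)}
```

A token extracted from the unpacked app archive still works until it expires, but it is bound to one user, short-lived, and rate limited, unlike a shared API secret.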