When adding Twitter authentication to my Android app, going to Twitter dev, I was flabbergasted at finding that I have to initialize Twitter's Fabric like this:
import io.fabric.sdk.android.Fabric;
import com.twitter.sdk.android.Twitter;
import com.twitter.sdk.android.core.TwitterAuthConfig;
...
// Fabric is initialised once, in the Application subclass's onCreate().
@Override
public void onCreate() {
    super.onCreate();
    // Both the consumer key and the consumer secret are passed as plain
    // string literals, so they are compiled into the APK's DEX string pool.
    TwitterAuthConfig authConfig =
            new TwitterAuthConfig("consumerKey",
                                  "consumerSecret");
    Fabric.with(this, new Twitter(authConfig));
}
They are officially recommending that I put both the API Key and the API Secret in my app as plaintext. Even in this official sample, the keys are stored in BuildConfig.
I am using ProGuard, but even then I cannot guarantee that a determined hacker wouldn't be able to exploit my API Secret. Do established apps like Quora also expose these keys?
Can somebody post an example for overcoming this vulnerability, or give a convincing argument as to why Twitter is doing this?
In contrast, Google and Facebook only required me to add an AppID, and I had to hash my signing certificates and link the hashes to respective apps. This is levels of magnitude more secure than above.
You can use any Time-based One Time Password (TOTP) authentication app (Google Authenticator, Authy, Duo Mobile, 1Password, etc.). After you scan the QR code, tap Next. Enter the code generated by your authentication app, then tap Verify. You'll see a confirmation screen.
Twitter sends you a code via SMS. Enter it in the space provided on the next screen. At this point, you will be presented with a backup code. Print it out and keep it safe.
ProGuard will not obfuscate string literals. Instead you could store the secret as an encrypted string (maybe using AES) and decrypt it when required. Alternatively, commercial programs such as Stringer or DexGuard provide string obfuscation.
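A check to go with the concern raised in the question (added here; not code from the original post, the Twitter SDK or Fabric): a Python script that scans every ZIP entry of an APK for a known consumer secret, in the two encodings a shipped string can take (MUTF-8 in classes.dex, UTF-16LE in resources.arsc), so you can confirm whether a given build really ships the secret in plaintext. The sample APK is constructed in memory, is not a valid DEX file, and the secret is a placeholder.

```python
import io
import zipfile


def find_secret_in_apk(apk, secret: str):
    """Return sorted (entry_name, encoding) pairs for every ZIP entry in the
    APK whose raw bytes contain the secret. `apk` is a path or raw bytes.
    DEX string pools are MUTF-8, so an ASCII secret matches as UTF-8;
    resources.arsc may store strings as UTF-16LE, so that is checked too."""
    needles = {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
    }
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    hits = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            for enc, needle in needles.items():
                if needle in data:
                    hits.append((info.filename, enc))
    return sorted(hits)


def build_sample_apk(secret: str) -> bytes:
    """Constructed stand-in for an APK (not a real DEX/ARSC layout): a ZIP
    with a fake classes.dex holding the secret as a BuildConfig-style
    string constant, and a fake resources.arsc holding it as UTF-16LE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"\x00" * 16 + secret.encode("utf-8") + b"\x00")
        zf.writestr("resources.arsc",
                    b"\x02\x00\x0c\x00" + secret.encode("utf-16-le"))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder value; use your own consumer secret against your own APK.
    SECRET = "EXAMPLE_CONSUMER_SECRET_not_a_real_key"
    for name, enc in find_secret_in_apk(build_sample_apk(SECRET), SECRET):
        print(f"plaintext secret found in {name} ({enc})")
```

An empty result only means the literal is not stored verbatim: if the app decrypts the secret at runtime from an embedded key, as the answer above suggests, the key and the decryption routine ship in the same APK, so treat that as raising the bar rather than removing the exposure.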