Store client secret securely

Question

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...

I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.

Any idea?

Answer 1

This article suggests these options, from less to more secure:

1. Store in cleartext

2. Store encrypted using a symmetric key

3. Using the Android Keystore

4. Store encrypted using asymmetric keys

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough

Answer 2

Maybe the best option is to use NDK because it can not be decompiled, like Godfrey Nolan points here

Here is a resource I found useful that helped me to implement it link to the resource

Cheers

Answer 3

As you said, whatever you do, how much you try to hide your key, you can not hide it 100%. But, if you want to make reverse engineer's work harder;

Firstly obfuscate your client (I guess you already do).

Secondly, do not put your key into the client hard-coded. Receive the key after login or user opened the application. And deliver secret key to the client over SSL. Store the secret as byte array and do not save it into the client. Just store in the memory.

These steps do not guarantee the safety of the secret key, but makes reverse engineer's job really hard.