Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the role of app key and secret key in every SDK

I am building SDK in which I require to take app id and app secret key from app which will integrate my android SDK.

I see every SDK is using this concept app id and secret key. I don't know what is the use of this ? How this make system secure ?

Can anyone help me on this topic.

like image 629
N Sharma Avatar asked Jun 16 '15 18:06

N Sharma


1 Answers

App ID and secret key are two different things. Let me try to address both separately and then tie them together.

App ID

App ID is simply a unique identification label for an app. This is to avoid overlaps in the App Store and on your device. If two apps have the same App ID, one can be installed on top of the other, effectively erasing the old one, and maybe hijacking your data. App ID is only the first step to SECURITY. To ensure there is absolutely no way of the above scenario happening, we use the secret key.

Secret Key

The secret key is a security implementation, usually for asymmetric encryption. Let's take a look at Wikipedia's definition of asymmetric encryption:

Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.

The secret key is part of a pair of keys, the other being the public key. The public key, as the name suggests, is openly available to the public. The secret key should ideally be available only to one person.

The pair of keys are used to open a lock, in your case to 'unlock' apps. Each app has a unique asymmetric lock. An asymmetric lock is either locked with a secret key, and opened with the public key, or vice versa. The purpose is IDENTIFICATION. Only one person can have the secret key. So any app by this person, we know is definitely from that person and not some hacker/doubious source. That is why the secret key is important.

Hence, these two concepts work hand-in-hand to bring you better security. When you use APIs, you sometimes do not need the secret key, but only the app ID so the main service you are using APIs for knows which exact product you are using.

like image 160
bunbun Avatar answered Nov 15 '22 14:11

bunbun