androidiossecurity

Best practices for API Key and Secret in bundled in App


I'm developing an app that will use text messages to verify a user's telephone number, the usual "enter code" routine.

After reading a little bit it seems like a bad idea to store the private keys for whatever third party I'll use in the app (twilio, nexmo, etc). Somebody could reverse engineer these from my binary and use them in their app.

However, having these on the server doesn't help either, somebody could just reverse engineer my server's endpoint that I use to send text messages and use that instead.

E.g. I could reverse engineer WhatsApp and get the private keys or API endpoints that they use for telephone number verification and just use that in my app, saving me thousand of dollars.

Any ideas on how to protect myself against such an attack?


Solution

  • Hiding API Keys on the server

    However, having these on the server doesn't help either, somebody could just reverse engineer my server's endpoint that I use to send text messages and use that instead.

    Yes it does help a lot.

    If somebody gets access to the keys to your web service, they can only do, what your service allows them to do. This is a very good idea to have a web service that encapsulates all the 3d party keys and API - it's way more secure.

    Nobody will ever get access to your sensitive keys, that'll allow them to do everything.

    For example the 3rd party API allows deleting - your server wrapper API will not allow it.

    Moreover, you can add any extra logic or alerts for suspicious behavior.

    Hiding API Keys in the app

    If somebody sets their mind to it, there's no way you can prevent getting your keys reverse engineered from your app. You can only make that harder. Computer security should never be about "how hard/complicated it is to do", but in this case we have no choice.

    Ok, so you have to hardcode the API keys into your source files. It can be easily reverse-engineered.

    You can obfuscate your keys, so that they can't be read directly. The result will be that they'll be scattered in a compiled file, rather than comfortably being placed in one place.

    On iOS you can use something like this.

    On Android you can use DexGuard, or any other way to obfuscate a string.

    Encrypting the keys

    Another layer of making it hard for hackers is to encrypt the keys.

    Here's an example for iOS.

    You can do the same for Android.

    Perfect Scenario

    Ok, so let's say you have a 3rd party API for video management.

    The hacker wants to delete all videos on the server, because the 3rd API allows that.

    First he has to glue up all the scattered strings in the file. If he manages to do that, he has to find a way to decrypt that.

    Even if he manages to decrypt that, that'll give him the API keys to your server and your server and your server only allows to upload videos, not delete them.