Is it possible? I want my application to use Facebook authentication, but for that I need an app secret. From what I read, the best way available for keeping it secured is to use SharedPreferences, but how can I put it there before using it? If I include it in the source code, it might be discovered by decompilation, so is there a way to put it in the APK and make it be written to SharedPreferences during installation? (I suppose the APK can also be hacked, but it may be harder, I really don't know...) Thanks for any help.
0
-
You are assuming that [ProGuard](http://developer.android.com/tools/help/proguard.html) will not help? – iTurki Aug 12 '12 at 18:33
1 Answer
0
As far as I know, Android obfuscates your code using ProGuard. This will not be secure enough if someone is REALLY looking for the secret key.
You can make their job harder by encrypting your key inside another key. However, this is as secure as you can get.
Regarding the security of the SharedPreferences class, there is a secure implementation of it. ObscuredSharedPreferences is a custom SharedPreferences class that supports encryption, but it is still not 100% secure.
-
So actually I must hard-code the app secret in the application and trust ProGuard to obfuscate it well enough? There's no way of being able to read and use it other than that? – user940016 Aug 12 '12 at 19:04
-
You may have it on a server, then request it at the first run of the app and store it. But this needs a lot of work and has security issues. And for your info, most of the famous apps in the store hardcode their secret keys/ids in the `String.xml`! – iTurki Aug 12 '12 at 19:07
-
Do they use a key to encrypt it? And if so, where is the key stored? – user940016 Aug 12 '12 at 19:19
-
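An added example, not part of the original thread: a release-time check for the situation the comments describe, where secrets end up hard-coded in string resources that ship readable inside the APK. The sample XML, resource names, regexes and entropy threshold are all constructed assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling res/values/strings.xml; every value is fake.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Photo Share</string>
    <string name="facebook_app_id">123456789012345</string>
    <string name="facebook_app_secret">0f3a9c1e7b2d4856a1c0e9f7b3d5a2c4</string>
    <string name="welcome_message">Welcome back to the application</string>
    <string name="cfg_blob">Zm9vYmFyLXRoaXMtaXMtbm90LWEtcmVhbC1rZXk</string>
</resources>
"""

# Assumed heuristics: resource names that hint at credentials, and values
# shaped like tokens (long, no whitespace, key-like alphabet).
SUSPICIOUS_NAME = re.compile(r"secret|passw|private|api_?key|token", re.I)
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def shannon_entropy(value):
    """Bits of entropy per character of value."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_strings_xml(xml_text, min_entropy=3.5):
    """Return (name, reason) for each <string> that looks like an embedded secret."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if SUSPICIOUS_NAME.search(name):
            findings.append((name, "name suggests a credential"))
        elif TOKEN_SHAPE.match(value) and shannon_entropy(value) >= min_entropy:
            # Catches secrets stored under an innocuous resource name.
            findings.append((name, "long high-entropy value"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

A finding means the value would ship to every device that installs the app, whether or not ProGuard renames the code around it.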