1

I am using OAuth 2 for login in my android app. Username and password are not stored on the device. However I have included three string parameters in the source code itself inside a class Constants.

public class Constants{
public static String redirectUri = "http://someurl/users/me";
public static String clientId = "my-android-app";
public static String clientSecret =    "asdfasf";

}

I access these parameters during login using Constants.clientId. My question is is my way of storing data secure? Do I have to encrypt these 3 datas. I cannot store these data in shared preference or database because in rooted device this data can be viewed.

Illegal Argument
  • 10,090
  • 2
  • 44
  • 61

1 Answers1

1

OAuth 2.0 Threat Model and Security Considerations(rfc6819) has listed Obtaining Client Secrets as a threat.

And as Google doc Using OAuth 2.0 for Installed Applications says:

These applications are distributed to individual machines, and it is assumed that these applications cannot keep secrets.

So there are no Client "Secrets" in fact. Trying to obfuscate a secret in installed applications is a futile effort as the secrets can always be recovered using the abundance of reverse-engineering and debugging tools.

Of course, you should do your best to protect secrets but at the end, a highly motivated hacker can always get it in an installed application. So it's the value of the secret vs. difficulty of extraction. The value of the client secret is impersonating the application. It doesn't give any access to user data.

My suggestions: Just take the risk go ahead and obfuscate it. Or you can consider using the proxy pattern(move the secret to a web server acting as an API proxy).

Community
  • 1
  • 1
Owen Cao
  • 7,955
  • 2
  • 27
  • 35