I am building an SDK in which I need to take an app ID and an app secret key from the app that will integrate my Android SDK.

I see every SDK is using this concept of an app ID and secret key. I don't know what the use of this is. How does this make the system secure?

Can anyone help me on this topic?

N Sharma

2 Answers

App ID and secret key are two different things. Let me try to address both separately and then tie them together.

App ID

App ID is simply a unique identification label for an app. This is to avoid overlaps in the App Store and on your device. If two apps have the same App ID, one can be installed on top of the other, effectively erasing the old one, and maybe hijacking your data. App ID is only the first step to SECURITY. To ensure there is absolutely no way of the above scenario happening, we use the secret key.

Secret Key

The secret key is a security implementation, usually for asymmetric encryption. Let's take a look at Wikipedia's definition of asymmetric encryption:

Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.

The secret key is part of a pair of keys, the other being the public key. The public key, as the name suggests, is openly available to the public. The secret key should ideally be available only to one person.

The pair of keys is used to open a lock, in your case to 'unlock' apps. Each app has a unique asymmetric lock. An asymmetric lock is either locked with a secret key and opened with the public key, or vice versa. The purpose is IDENTIFICATION. Only one person can have the secret key. So any app by this person we know is definitely from that person and not some hacker/dubious source. That is why the secret key is important.

Hence, these two concepts work hand-in-hand to bring you better security. When you use APIs, you sometimes do not need the secret key, but only the app ID so the main service you are using APIs for knows which exact product you are using.

bunbun
  • But anyone can get the secret key (private key) after decompiling the APK, so how can it be secure? – N Sharma Jun 22 '15 at 09:06
  • @Williams Two things. 1. How/which program are you using to decompile the apk and get the secret key? 2. I will withhold this point first ;) – bunbun Jun 22 '15 at 09:13
  • People use dex2jar, like https://github.com/pxb1988/dex2jar, and can see your secret key in the source code – N Sharma Jun 22 '15 at 11:14
  • Then how can it be secure? – N Sharma Jun 23 '15 at 08:29
  • @Williams that is due to bad programming, nothing at all to do with the concept of secret keys. You are supposed to code in a way that masks such info if you are leaving it in the app – bunbun Jun 23 '15 at 08:35
  • @Williams so 2. DO NOT leave your secret key in your code if it is not required by the API – bunbun Jun 23 '15 at 08:37
  • How do I mask this kind of secret key in an Android app so nobody can get it after decompiling the APK? – N Sharma Jun 23 '15 at 12:58
  • Please accept the answer and upvote if you think this was helpful; this gives us a sense of pride in our answers and is how Stack Overflow operates. FYI, this comment section is not for discussion; you should open a new question or head over to chat. Anyway, please refer to http://stackoverflow.com/questions/6235290/how-to-make-apk-secure-protecting-from-decompile. – bunbun Jun 23 '15 at 16:55
  • @Williams this kind of authorization is ultimately confirmed by your application ID. You specify it on the web when authorizing with e.g. Google APIs. Since only apps with unique IDs can be published to the Play Store, you are protected, even if your private key becomes exposed. – Simas Jun 27 '15 at 16:07
  • @Simas Yes, correct, but anyone can use my private key in their project because reverse engineering an Android APK is not a difficult task. Any hacker can get this easily after decompiling my APK. So how do I make it secure such that a hacker can't get this? That is my question :) – N Sharma Jun 27 '15 at 18:40
  • @bernlim Thanks for your answer, but it's still not what I am asking. Please read my above comment; you can't force anyone here to accept an answer until the OP is satisfied. I know very well how Stack Overflow works. I have been on this network for 3 years. – N Sharma Jun 27 '15 at 18:41
  • @Williams sure thing, lots of respect for you then. Did you by any chance look at the link? Hackers can't get this if you follow those simple rules. That question is *protected* for a reason. – bunbun Jun 27 '15 at 18:44
  • Thanks @bernlim. Nice, thank you so much for your help :) – N Sharma Jun 27 '15 at 19:02
  • "If two apps have the same App ID, one can be installed on top of the other" – how is that possible? Isn't the App ID supposed to be unique? – rupali317 Nov 08 '17 at 06:54
Basically it's used for authorization. That in turn gives the SDK creators more control over their users. I can think of a few reasons why an SDK would require authorization:

  • Prevent/Block spam attacks on the servers that the SDK possibly connects to
  • Limit the use of the SDK
  • Track the use for statistics (e.g. usage frequency)
Simas
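Both answers describe what the pair buys the backend: identification by app ID, and authorization (blocking abuse, limiting and tracking use) tied to the secret. The following is an added example, not code from either answer, of what an SDK server can check when a client presents its app ID together with an HMAC signature computed with the app secret: app ID lookup, timestamp freshness, nonce replay, constant-time signature comparison, and a per-app request quota. The app IDs, secrets, paths, quota and the 300-second skew are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed registry: each app ID maps to the secret the server issued for it.
# The secret is stored server-side; the client only ever sends a signature.
APP_SECRETS = {
    "com.example.weather": b"constructed-secret-weather",
    "com.example.notes": b"constructed-secret-notes",
}
MAX_SKEW_SECONDS = 300       # reject requests whose timestamp is too old or too new
RATE_LIMIT_PER_MINUTE = 100  # hypothetical per-app quota (the "limit the use" point)

_seen_nonces = set()  # nonces of accepted requests, to refuse replays
_usage = {}           # app_id -> (minute_window, requests_in_window)


def canonical_string(app_id, method, path, timestamp, nonce, body):
    """Everything the signature covers; changing any field changes the digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([app_id, method, path, str(timestamp), nonce, body_hash])


def sign_request(app_id, secret, method, path, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over the canonical string with the app secret."""
    msg = canonical_string(app_id, method, path, timestamp, nonce, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(app_id, signature, method, path, timestamp, nonce, body, now=None):
    """Server side: returns (accepted, reason). Checks run cheapest-first."""
    now = time.time() if now is None else now
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown app id"          # identification: who is calling?
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = sign_request(app_id, secret, method, path, timestamp, nonce, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"           # wrong secret or tampered request
    _seen_nonces.add(nonce)
    window = int(now // 60)
    start, count = _usage.get(app_id, (window, 0))
    if start != window:
        start, count = window, 0                # new minute, reset the counter
    if count >= RATE_LIMIT_PER_MINUTE:
        return False, "rate limited"            # authorization: quota exhausted
    _usage[app_id] = (start, count + 1)
    return True, "ok"
```

Because the signing secret ships inside the app, this check cannot tell a genuine client from a copy of it, which is the concern raised in the comments above. What the server-side design does bound is the damage: each app ID has its own secret and quota, so one app's secret can be rotated or revoked without affecting any other integrator.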