5

My app initializes PubNub with a hard-coded subkey and pubkey, then subscribes/publishes to a channel. How can I prevent someone from reverse engineering my app, collecting the sub/pub keys, and publishing garbage information to my channels?

Blaasd
  • 315
  • 3
  • 16
  • Use Proguard in your application – Maheshwar Ligade Dec 07 '15 at 06:21
  • Does Proguard somehow hide sub/pub keys? I assume that they wouldn't be changed? – Blaasd Dec 08 '15 at 00:23
  • You have to make the one pojo class and make those field private & also access them using getter &setter – Maheshwar Ligade Dec 08 '15 at 05:19
  • Using Proguard doesn't entirely solve this problem. Someone wishing to determine the sub/pub keys would simply need to sniff the network traffic coming out of the android app to find the keys. To stop the network traffic from being sniffed you'd need to prevent a MITM attack by pinning the SSL certificate. See: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Android – Keyosk Dec 09 '15 at 22:01

1 Answers1

2

PubNub Access Manager

There is no absolute way to hide your keys but you can manage how authenticated users access (use) your keys. PubNub's Access Manager provides a means for you to implement permissions that are granted to a auth-key for the channels that an end user will need to access (publish, subscribe, etc).

Permissions are read (subscribe and query), write (publish and update) and manage (add channels to channel groups). You will grant these permissions for each channel and channel group that the end user will need to work with and the auth-key you provide to the end user will be a parameter in the PubNub initialization which will be passed to PubNub with every PubNub operation invoked by that end user.

The above is a bit high level but this is a thorough discussion about hiding keys/managing access between Stephen Blum (@PubNub) and Phil Leggetter (@leggetter) - both respected and prominent thought leaders in the realtime data stream network space among other areas.

Community
  • 1
  • 1
Craig Conover
  • 4,710
  • 34
  • 59