1

I'm working with mobile apps and RESTful APIs and I have some doubts about security when registering a new user. I'm developing an android client that will communicate with a backend through REST requests.

It is very clear to me about the usage and implementation of the OAuth Authorization Server and how the communication is made between the android client (frontend) and the resource server or the authorization server (backend).

Most of the documentations mention that the client_id and client_secret must be stored in the server instead of the mobile app to avoid that such data to be figured out in an eventual decompilation proccess.

If I wish to perform an activity to create a new user, directly in the app (as it is the case in apps like snapchat, pinterest and so on), how could I perform the communication of the client with the REST API without the client_id and client_secret (or any kind of credentials) in the app?

The first and easiest solution would be to redirect the user to a signup webpage, but how could it be made in the APP?

Abel Dias
  • 11
  • 4

1 Answers1

1

https://stackoverflow.com/a/14572051/5055317

Simple answer: no data on the .apk is safe.

There are many ways to hide your API keys inside the apk. For example, using obfuscators like ProGuard/DexGuard, using Base64 encoding or hiding these Strings with JNI. But at the end they just create some delay to obtain the keys.

The only way to keep this information safe is if it is stored in a server, and your app gets it when needed.

Here is an article by Michael Ramirez review about hide techniques: https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

And here a discussion about this topic with some google employees: https://groups.google.com/forum/#!topic/google-places-api/SmujrL-pDpU

Community
  • 1
  • 1
Alan Wink
  • 113
  • 10