
I am building an app which connects to a backend. The backend is protected with some credentials that the app has to send during the first launch, in order to retrieve an auth token and a refresh token (even if the user never authenticates). Those machine credentials are unique per client (one for the Android app and one for the iOS app). Moreover, they are sent in the headers of the request through HTTPS.

What I am currently doing is hard-code these machine credentials (ID and secret) inside the android app code.

Now, on iOS, the app is shipped as binary, so it is very difficult to reverse engineer and retrieve the hard-coded credentials.

On the other hand, the Android app is shipped in dex code, which can be reverse-engineered easily. In this way, even with Proguard enabled, anyone can read these machine credentials from the code.

I am not an expert in security, but is there any way to avoid this? Or is this approach wrong?

Daniele Vitali
  • I'm not an expert either, but I think that [javax.crypto](http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html) might help you – Pier Giorgio Misley Oct 12 '16 at 13:42
  • "on iOS, the app is shipped as binary, so no one can do reverse engineering": clearly a wrong assumption. – Henry Oct 12 '16 at 13:42
  • ok right, but not as easy as Android at least – Daniele Vitali Oct 12 '16 at 13:44
  • you could create a specific endpoint to return that information and store it in SQLCipher, or you could use a one-time-password approach – Blackbelt Oct 12 '16 at 13:53
  • @Blackbelt I think in both cases I have to hard-code something: either the URL of the endpoint from which to retrieve the credentials, or the one-time password. – Daniele Vitali Oct 12 '16 at 14:01
  • @PierGiorgioMisley I could use crypto for ciphers, but I have to hard-code the secret key to decipher the credentials. – Daniele Vitali Oct 12 '16 at 14:02
  • I think you have to hard-code the URL in any case. That's true, in Android it's easier, but the only way is to create your own framework. AFAIK the only not-cracked apps are the ones using their custom frameworks. But I don't think this is a huge problem: if you use good logic with the authentication token, having the URL might be useless for them without the authentication token. I don't really think you can get any data without hard-coding the URLs – Pier Giorgio Misley Oct 12 '16 at 14:06
  • @PierGiorgioMisley I partially agree with your latest comment. My objection to your first comment was that I would have to expose an endpoint which is publicly accessible and easily sniffable through MITM, even with HTTPS. In my current implementation instead, there are no public endpoints, so you cannot retrieve these credentials by sniffing the network... I guess :) – Daniele Vitali Oct 12 '16 at 14:13
  • @DanieleVitali try storing the data in an encrypted SQLite database. You can use [SQLite Cipher](http://lomza.totem-soft.com/tutorial-add-sqlcipher-to-your-android-app/). I know it's kind of overkill for just storing auth info, but last time I checked SQLite Cipher adds an extra security layer on top of your database, so it should be sufficient. – Sheraz Ahmad Khilji Oct 13 '16 at 08:50
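The question and the comments above revolve around one fact: whatever form the machine credential takes in the shipped APK (plain string constant, base64 "hidden" literal, or a resource), it stays recoverable from the artifact, and ProGuard renames classes but keeps string constants. A release-gate check, added here as an example and not code from the question or any commenter, that opens a built APK (a zip) and reports every entry in which a configured secret survives; the credential values, the fake `classes.dex` content and `build_sample_apk` are constructed stand-ins for a real build output:

```python
import base64
import io
import zipfile

# Constructed sample credentials; a real gate would read them from the build config.
CLIENT_ID = "android-client-7f3a"
CLIENT_SECRET = "s3cr3t-machine-credential"


def encodings_of(secret: str) -> dict:
    """Forms in which a string literal typically survives in a built APK:
    MUTF-8 in classes.dex (identical to UTF-8 for ASCII), UTF-16LE in
    resources.arsc, and base64 when a developer 'hides' it that way."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
    }


def find_secret_entries(apk_bytes: bytes, secret: str) -> list:
    """Return (zip entry name, encoding) pairs where the secret is recoverable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for enc, needle in encodings_of(secret).items():
                if needle in data:
                    hits.append((name, enc))
    return hits


def release_gate(apk_bytes: bytes, secrets: list) -> bool:
    """True only when none of the configured secrets is recoverable from the artifact."""
    return not any(find_secret_entries(apk_bytes, s) for s in secrets)


def build_sample_apk(literal: str) -> bytes:
    """Constructed stand-in for a build output: a zip with a fake classes.dex that
    embeds `literal` as a string constant, plus an unrelated asset file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00...const-string v0, " + literal.encode() + b"\x00")
        apk.writestr("assets/config.json", b'{"apiBase": "https://api.example.invalid"}')
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk(CLIENT_SECRET)
    print(find_secret_entries(apk, CLIENT_SECRET))        # [('classes.dex', 'utf-8')]
    print(release_gate(apk, [CLIENT_ID, CLIENT_SECRET]))  # False
```

Running the gate against a build that stores the credential base64-encoded (the javax.crypto or SQLCipher variants discussed above add only a hard-coded key or password, which the same scan would find) still reports a hit, which is the point the question makes about obfuscation.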

0 Answers