In my Custom Web Receiver Google Cast app I need some security key which enables the application to function properly. This key should never be exposed to any user. Users will start and use the app through the iOS sender app. I thought about 2 ideas, but I have security concerns.
First idea: Simply hardcode the key in the receiver source code
The problem I see here is that the web receiver app is just a normal web page with the Cast Framework included. So everyone with the page URL can open this web page in a desktop browser and see the source code. Are there any options to hide such a key if someone knows the URL and opens the web app in a browser?
Second idea: Send the key from the iOS app using GCKCastChannel
Because the iOS app also has this key securely stored, it could send it to the receiver app in a message using a custom cast channel. Here I have 2 questions:
- Are GCKCastChannel messages somehow secured? Or would it be easy for a hacker to intercept and see the content of a message that is sent? I can't find information in what form these messages are sent.
- Let's assume that the communication is secure and the key is sent to the receiver app. The receiver app is written in JavaScript and will store this key in a variable. Is it somehow possible for the user to see the source code of the receiver app that is running on his TV device? Or did Google somehow prevent that in the Chromecast?
I will be really grateful if someone answers my questions or suggests any other solution.