
What would be a secure way of storing client secrets used for authentication (web services) in Xamarin/Android apps?

Secure Storage, which interacts with Android Keystore, seems very useful for storing sensitive data acquired at runtime, such as access tokens, but not for sensitive data that needs to be immediately accessible.

EDIT: A practical example of client secrets would be, for instance, a static, universal client id and client secret used in OAuth2.0 authentication.

asked Aug 4, 2021 at 12:29
  • What's your threat model? Or in other words, which attackers are trying to get access to these secrets, and what means do they have of attacking the system? Note that "everyone and any means" is not a useful threat model, as then you're trying to protect against nation state actors with remote zero-day attacks. Commented Aug 4, 2021 at 12:38
  • @PhilipKendall Thank you for the reply. This is to be a publicly available mobile app; the potential actors would be, at worst, market competition (or maybe casually malicious users), their means would probably be low, and the damage caused by access to these secrets would also be low. Commented Aug 4, 2021 at 13:05
  • Can you clarify? How is Secure Storage not "immediately accessible"? I've used Secure Storage before and it seemed accessible to me. Commented Aug 5, 2021 at 15:50
  • @Blake An example of sensitive data that would need to be immediately accessible would be the client_id and client_secret used in OAuth authentication. As they are universal and not acquired via user input, they would either need to be embedded in the app or acquired through a system that wouldn't depend on user input. I hope I managed to clarify my question; thank you for the feedback. Commented Aug 6, 2021 at 10:11
  • User authentication is not required to use secure storage. See developer.android.com/reference/android/security/keystore/…. Just set that to false. Commented Aug 6, 2021 at 15:14

1 Answer


In General

Any secret present on the client side cannot reliably remain secret from the user. If data is only sent to the client side after authenticating and authorizing a valid user, then you are still trusting that user with the secrets.

There is no practical way to ship a secret as part of an application binary, as it will be available to anyone who can access the binary, which is basically everyone. Even in some encrypted form, the decryption mechanism will necessarily be present in the binary. Only providing the decryption key to an authenticated and authorized user is in most cases more complicated than just providing the secret data directly to an authorized user.

OAuth Specific

Proof Key for Code Exchange (PKCE, https://oauth.net/2/pkce/) was specifically designed to address the problems with client secrets in a mobile context. You no longer need the client secret on the mobile device when you use PKCE.

answered Aug 9, 2021 at 20:09
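To make the PKCE point in the answer above concrete, here is an added worked example of the RFC 7636 exchange, written for this page and not taken from the question, the answer or any Xamarin library. It is platform-independent Python rather than C# because the mechanism is purely protocol-level: the app generates a random code_verifier, sends only its SHA-256 challenge in the authorization request, and later proves possession of the verifier when redeeming the authorization code. The authorization server is a constructed in-memory stand-in, and the endpoint, client_id and redirect URI values are made-up placeholders.

```python
"""PKCE (RFC 7636) worked example: both the mobile-client side and the
authorization-server side of the exchange, with no client_secret anywhere.
Added illustration for this page; the server class and the URLs/IDs below
are constructed placeholders, not a real authorization server."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    """RFC 7636 s4.1: 43..128 chars from [A-Za-z0-9-._~].
    32 random bytes -> 43 base64url chars, the minimum allowed length."""
    return _b64url_nopad(secrets.token_bytes(num_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """RFC 7636 s4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            code_challenge: str, state: str) -> str:
    """RFC 7636 s4.3: only the challenge leaves the device; the verifier stays in memory.
    Note there is no client_secret parameter: a public client has none."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Minimal in-memory stand-in for the server side (constructed for this example)."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> bound code_challenge

    def authorize(self, code_challenge: str) -> str:
        """RFC 7636 s4.4: the issued code is bound to the challenge it was requested with."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        """RFC 7636 s4.6: recompute the challenge from the presented verifier and compare.
        The code is consumed on any attempt, so it is single-use."""
        expected = self._codes.pop(code, None)
        if expected is None:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), expected)


def run_flow() -> dict:
    """Run the legitimate flow plus two failure cases and report the outcomes."""
    server = ToyAuthorizationServer()
    results = {}

    # Legitimate app: keeps the verifier in process memory, sends only the challenge.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorization_url("https://as.example/authorize",      # placeholder
                                  "my-mobile-app",                     # placeholder
                                  "com.example.app:/oauth2redirect",   # placeholder
                                  challenge, secrets.token_urlsafe(16))
    code = server.authorize(challenge)  # in reality delivered via the redirect_uri
    results["legitimate_exchange"] = server.exchange(code, verifier)

    # Replaying an already-consumed code fails.
    results["replayed_code"] = server.exchange(code, verifier)

    # An attacker who intercepts a code (e.g. another app registered for the same
    # redirect scheme) but does not hold the verifier cannot redeem it.
    stolen_code = server.authorize(make_code_challenge(make_code_verifier()))
    results["stolen_code_wrong_verifier"] = server.exchange(stolen_code, make_code_verifier())

    results["authorization_url_has_no_secret"] = "client_secret" not in url
    return results


if __name__ == "__main__":
    print(run_flow())
```

The value of this over an embedded client_secret is visible in the third scenario: the only secret in the flow is the per-request code_verifier, which is generated on the device and never shipped in the APK, so there is nothing static for a competitor to extract from the binary.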
