
What would be a secure way of storing client secrets used for authentication (web services) in Xamarin/Android apps?

Secure Storage, which interacts with Android Keystore, seems very useful for storing sensitive data acquired at runtime, such as access tokens, but not for sensitive data that needs to be immediately accessible.

EDIT: A practical example of client secrets would be, for instance, a static, universal client id and client secret used in OAuth2.0 authentication.

asyncful
  • What's your threat model? Or in other words, which attackers are trying to get access to these secrets, and what means do they have of attacking the system? Note that "everyone and any means" is not a useful threat model as then you're trying to protect against nation state actors with remote zero-day attacks. – Philip Kendall Aug 04 '21 at 12:38
  • @PhilipKendall Thank you for the reply. This is to be a publicly available mobile app; the potential actors would be, at worst, market competition (or maybe casually malicious users), their means would probably be low, and the damage caused by the access to these secrets would also be low. – asyncful Aug 04 '21 at 13:05
  • Can you clarify: how is Secure Storage not "immediately accessible"? I've used Secure Storage before and it seemed accessible to me. – Blake Aug 05 '21 at 15:50
  • @Blake An example of sensitive data that would need to be immediately accessible would be the client_id and client_secret used in OAuth authentication. As they are universal and not acquired via user input, they would either need to be embedded in the app or acquired through a system that wouldn't depend on user input. I hope I managed to clarify my question; thank you for the feedback. – asyncful Aug 06 '21 at 10:11
  • User authentication is not required to use secure storage. See https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean). Just set that to false. – Blake Aug 06 '21 at 15:14

1 Answer


In General

Any secret present on the client side cannot reliably remain secret from the user. If data is only sent to the client side after authenticating and authorizing a valid user, then you are still trusting that user with the secrets.

There is no practical way to ship a secret as part of an application binary, as it will be available to anyone who can access the binary, which is basically everyone. Even in some encrypted form, the decryption mechanism will necessarily be present in the binary. Only providing the decryption key to an authenticated and authorized user is in most cases more complicated than just providing the secret data directly to an authorized user.

OAuth Specific

Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/ was specifically designed to address the problems with client secrets in a mobile context. You no longer need the client secret on the mobile device when you use PKCE.

ScottS
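To make the PKCE point concrete, here is an added worked example (not code from the answer above or from any OAuth library) of the whole exchange: the public client derives a fresh code_verifier and its S256 code_challenge, and a small constructed in-memory stand-in for the authorization server binds the challenge to the issued code and checks the verifier at token time. Nothing static ships in the app. The `AuthorizationServer` class, the flow helper functions and the sample flows are all assumptions made for this illustration; the challenge derivation itself follows RFC 7636 and is checked against the RFC's own test vector. In a Xamarin app the identical derivation is a few lines with `RandomNumberGenerator` and `SHA256` from `System.Security.Cryptography`.

```python
"""PKCE (RFC 7636) end to end: the public client derives a fresh
code_verifier and S256 code_challenge, and the authorization server checks
the verifier at token exchange, so no static client_secret ships in the app."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(num_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory stand-in for the server side (not a real
    library): remembers the challenge bound to each issued code and
    verifies the code_verifier when the code is redeemed."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Only accept S256; the 'plain' method sends the verifier in the clear.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single use: pop so a replayed code always fails.
        expected = self._pending.pop(code, None)
        if expected is None or not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge.
        return hmac.compare_digest(code_challenge_s256(code_verifier), expected)


def honest_flow(server: AuthorizationServer) -> bool:
    """The client keeps its verifier in memory and redeems its own code."""
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, verifier)


def exposed_code_flow(server: AuthorizationServer) -> bool:
    """A code seen without its verifier (the risk PKCE was designed for)
    cannot be redeemed with any other verifier."""
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, generate_code_verifier())


def replayed_code_flow(server: AuthorizationServer) -> bool:
    """A code already redeemed once is rejected the second time."""
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    first = server.token(code, verifier)
    second = server.token(code, verifier)
    return first and not second


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("honest flow accepted:", honest_flow(srv))
    print("exposed code accepted:", exposed_code_flow(srv))
    print("replay rejected:", replayed_code_flow(srv))
```

The verifier is generated per authorization request and never leaves the device except at the token endpoint, which is why a static, universal secret in the binary becomes unnecessary; the server must insist on S256 and treat each code as single use, as the stand-in does.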