
I'm having an iOS and Android app built for a backend we made, and in the app we want the user to authenticate their Gmail with us. On the iOS quickstart page I see the developer needs to include:

private let kClientID = "YOUR_CLIENT_ID_HERE"
private let kClientSecret = "YOUR_CLIENT_SECRET_HERE"

As far as I know, however, app binaries (for both iOS and Android) can be decompiled, so that basically anybody can find out our client_id and client_secret.

Seeing that Google explains it like this I guess it makes sense, but incorporating secret authentication codes in binaries which I distribute just feels wrong.

Can anybody shed more light on this? All tips are welcome!

kramer65
  • You need to define who you are protecting against. If the value of what is being protected is greater than the cost of the attack. – zaph Aug 06 '15 at 16:19
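A pre-release check in the spirit of the question, added here and not part of the original post or of Google's quickstart: a `strings`-style scan of a constructed stand-in binary that flags any configured OAuth credential appearing in the artifact either verbatim or base64-encoded (a common naive "obfuscation"). The credential values and the fake binary below are made up for this example.

```python
import base64
import re
from typing import List, Tuple

# Constructed credentials standing in for kClientID / kClientSecret (not real values).
CLIENT_ID = "123456789012-abcdef.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret-not-real"

# Constructed stand-in for a compiled app binary: code-like bytes with embedded
# string literals, the way Swift/Java constants end up inside an IPA or APK.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 4
    + CLIENT_ID.encode() + b"\x00"            # client ID stored verbatim
    + b"\xde\xad\xbe\xef" * 16
    + base64.b64encode(CLIENT_SECRET.encode()) + b"\x00"  # secret "hidden" as base64
    + b"\x90" * 64 + b"Some harmless UI string\x00"
)

def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes (what `strings` does)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def _decoded_forms(literal: str) -> List[str]:
    """The literal itself plus its base64 decoding, when it is valid base64 text."""
    forms = [literal]
    try:
        # validate=True rejects anything containing non-base64 characters
        forms.append(base64.b64decode(literal, validate=True).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        pass
    return forms

def find_leaked_secrets(blob: bytes, secrets: List[str]) -> List[Tuple[str, str]]:
    """Report (secret, literal found in the binary) for every configured secret that
    appears in the artifact, verbatim or base64-encoded."""
    hits = []
    for literal in extract_strings(blob):
        for form in _decoded_forms(literal):
            for secret in secrets:
                if secret in form:
                    hits.append((secret, literal))
    return hits

if __name__ == "__main__":
    for secret, literal in find_leaked_secrets(FAKE_BINARY, [CLIENT_ID, CLIENT_SECRET]):
        print(f"LEAK: {secret!r} recoverable from literal {literal!r}")
```

Run against the real release artifact (with the real credential values supplied from the build environment, never hard-coded) to fail the build when a secret ships in the binary.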

3 Answers

You need to define who you are protecting against. If the value of what is being protected is greater than the cost of the attack.

There is no secure way to put the values in the source code, but that may be secure enough for your application. Putting them in an encrypted file is only marginally better, because the key to that file would have to be in the app.

That leaves obtaining them from the server, perhaps at signup; the security issue there is authenticating the user. Then put the client ID and secret in the Keychain.

While the Keychain is as secure as possible on the device, when the key is used it must be loaded into memory and then encoded into the request. The level of difficulty for an attacker is much higher, but not insurmountable.

zaph

I believe it's wrong somehow.

Imagine this scenario. You want to put your code on a public git repository. Then everyone will be able to see your secret.

One way of solving this issue would be to store that data in an encrypted configuration file, or something similar.

On Android you could try SecurePreferences, and on iOS you could try UICKeyChainStore for that.

Mauker
  • How will you securely fetch the keys? – duci9y Aug 06 '15 at 15:39
  • Almost the same way you would read a `SharedPreferences`. The methods are described on both docs. – Mauker Aug 06 '15 at 15:50
  • No, I meant how would you fetch the keys in the first place? Would you transfer them from a server, or something? – duci9y Aug 06 '15 at 16:15
  • Oh. Sorry for that! haha. Yeah. You could transfer them from somewhere else, or create that file prior to your app deployment. – Mauker Aug 06 '15 at 16:18
  • How would you go about fetching those keys securely from the server, though? Any form of encrypted communication would need to be decrypted, which would require a decryption key to be stored anyways. PS: I was in a similar position for a hobby project a few moons ago, but I never bothered to solve the problem after that. Your answer reminded me about it. Thanks! – duci9y Aug 06 '15 at 16:21
  • That's a good point indeed. Perhaps using a certificate solution, like public key or something like that could solve the issue. And you're welcome! – Mauker Aug 06 '15 at 16:23

From Step 1: Enable the Gmail API

Select the application type Installed application, the installed application type Other, and click the Create Client ID button.

Google knows the application type is running in an insecure environment, and so Google should be designing data access and integrity around that assumption. Since the example documents including the secret in the source, you will be fine as long as you follow Google's best practices.

abraham