
I wasn't sure if I was supposed to ask this here, or in the security stackoverflow page, but I'm sure somebody has a great answer on this.

I'm building an Android app which uses the Fabric.io Twitter package. Using this requires a TWITTER_KEY and a TWITTER_SECRET code. I'm trying to hide them, because that's what they mention when the package is added.

At the moment I'm saving my credentials in a SharedPreference like this at the beginning of my splash screen activity:

PreferenceManager.getDefaultSharedPreferences(getApplicationContext()).edit().putString("TWITTER_KEY", "xxxxxxxxxxxxxxxxxxxxxxx").commit();

Later, for initializing the Twitter package, I'm receiving them like this:

SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(getApplicationContext());
TwitterAuthConfig authConfig = new TwitterAuthConfig(prefs.getString("TWITTER_KEY", "defaultStringIfNothingFound"), prefs.getString("TWITTER_SECRET", "defaultStringIfNothingFound"));

I do the same with the TWITTER_SECRET code.


I have two questions:
  1. What can people achieve if they have access to my keys?
  2. Is this safe enough so that other apps can't access my keys?
  3. Is this safe enough for app decompiling?

Thanks for your help!

Markinson

1 Answer


What can people achieve if they have access to my keys?

I don't know the API so I cannot answer this.

Is this safe enough so that other apps can't access my keys?

Yes, unless the other app has root permission.

Is this safe enough for app decompiling?

No. But there is little you can do about it. You can make it somewhat harder to find the key but there is no 100% solution if the key is somehow embedded in the app. Whatever the app can do to recover the key can also be done by an attacker.

Btw, why do you store the key in shared preferences?

Henry
  • Thanks for your answer! I added it to a shared preference because I've read somewhere that this was a safe option, so that other running apps can't access it, because it's not stored directly as a named variable with a value (at least I think that's what it said :p ). So when the attacker searches for "TWITTER_KEY" or something they can't find the variable with the key easily because it's somewhat hidden in the code, if that makes sense. – Markinson Oct 21 '15 at 11:22
  • But now you have it stored in two places, the app code and on the disk; so two different ways for an attacker to get to them. – Henry Oct 21 '15 at 11:24
  • Yeah.. I guess that's right, but at least it's safer for when the app is running. Not for when it's decompiled I think. Any suggestions on how to improve this? – Markinson Oct 21 '15 at 11:27
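Henry's point that the key now lives in two places, worked through as an added example (this is editor's code, not something either poster wrote). It recovers the same key from both locations the question creates: the SharedPreferences XML that `getDefaultSharedPreferences()` writes to `/data/data/<package>/shared_prefs/<package>_preferences.xml` (readable with root, or from an `adb backup` when the app allows backups), and the string table of `classes.dex`, where the `putString("TWITTER_KEY", "...")` literal ends up as a constant. The DEX walker only reads `string_ids_size`/`string_ids_off` from the header, which is what jadx or apktool show you as string constants; run it on the real `unzip -p app.apk classes.dex` output and it works the same way. The prefs XML, the DEX blob and the key values are all constructed samples, and the "looks like a consumer key" filter is a heuristic of mine, not part of any tool.

```python
"""Recover the Twitter key/secret from the two places the question puts them:
the app's SharedPreferences XML on disk and the string table of classes.dex.
Both inputs below are constructed samples, not data from a real app."""
import re
import struct
import xml.etree.ElementTree as ET

# --- Place 1: the SharedPreferences file (constructed sample) ---------------
# Format Android writes for getDefaultSharedPreferences(); values are made up.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="TWITTER_KEY">kEXAMPLEconsumerKEY123456</string>
    <string name="TWITTER_SECRET">sEXAMPLEconsumerSECRETvalue0123456789abcdefghijklm</string>
    <boolean name="splash_seen" value="true" />
</map>
"""


def strings_from_shared_prefs(xml_text):
    """Every <string name=...> entry of a SharedPreferences XML as {name: value}."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.text or "" for el in root.findall("string")}


# --- Place 2: the DEX string table -----------------------------------------
# A DEX header keeps string_ids_size at 0x38 and string_ids_off at 0x3C; each
# string_id_item is a u4 offset to a string_data_item (ULEB128 length, MUTF-8
# bytes, NUL). Every string literal compiled into the app sits in this table.

def uleb128_decode(buf, pos):
    """Decode an unsigned LEB128 value at pos; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def dex_strings(dex):
    """Walk the string_ids table of a DEX file and return its strings in order."""
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    result = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = uleb128_decode(dex, data_off)
        end = dex.index(b"\x00", pos)
        # MUTF-8 equals UTF-8 for the ASCII material we care about here
        result.append(dex[pos:end].decode("utf-8", errors="replace"))
    return result


def uleb128_encode(n):
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_sample_dex(strings):
    """Constructed classes.dex-like blob: only the header fields dex_strings()
    reads are filled in (no checksum, signature or map), so it is NOT loadable."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    table_off = 0x70
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    table, data = bytearray(), bytearray()
    data_start = table_off + 4 * len(strings)
    for s in strings:
        table += struct.pack("<I", data_start + len(data))
        data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    return bytes(header + table + data)


SAMPLE_DEX = build_sample_dex([
    "Landroid/preference/PreferenceManager;",
    "TWITTER_KEY",
    "kEXAMPLEconsumerKEY123456",            # the literal passed to putString()
    "TWITTER_SECRET",
    "sEXAMPLEconsumerSECRETvalue0123456789abcdefghijklm",
    "defaultStringIfNothingFound",
    "Lcom/twitter/sdk/android/core/TwitterAuthConfig;",
])

# Heuristic (my own, not a rule): consumer keys/secrets are long alphanumeric
# tokens containing digits; class descriptors and identifiers are not.
TOKEN_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9]{20,}$")


def candidate_secrets(strings):
    return [s for s in strings if TOKEN_RE.match(s)]


def recover_key_material(dex, prefs_xml):
    """Both routes to the same key: the on-disk prefs and the constant pool."""
    from_prefs = strings_from_shared_prefs(prefs_xml)
    from_dex = candidate_secrets(dex_strings(dex))
    return {
        "prefs": from_prefs,
        "dex_candidates": from_dex,
        "same_key_in_both": from_prefs.get("TWITTER_KEY") in from_dex,
    }


if __name__ == "__main__":
    print(recover_key_material(SAMPLE_DEX, SAMPLE_PREFS_XML))
```

The XML route needs root or a backup, matching Henry's "unless the other app has root permission"; the DEX route needs nothing but the APK, which is what "no" to the decompiling question means in practice. Splitting, XOR-ing or moving the literal into native code changes which walk the attacker has to do, not whether the key comes out, because the app has to reassemble it before calling the API.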