
My Samsung Gear (Tizen 2.4, Web App) application makes use of several paid APIs which are protected with secret access tokens.

At the moment I simply have those tokens inside a js file, this does not feel like a safe way to store sensitive information.

What is the recommended way to store this kind of information?

The documentation mentions a key manager: https://developer.tizen.org/ko/development/api-references/web-application?redirect=/dev-guide/3.0.0/org.tizen.web.apireference/html/device_api/wearable/tizen/keymanager.html&langredirect=1

But I think the watch user has access to that? Which is exactly what I try to avoid.

Inside the config file, I can set some preferences, which I can then fetch with the preferences API. Is this secure? Or is this information extractable as well?

I was wondering what the safest way to store sensitive app information (such as usernames, passwords, tokens, keys, ...), to which the watch user should in no way have access, is to put inside a gear app. Or is the code assured to be protected in the compiled WGT file?

Gilles Lesire
  • If you are concerned with security, call an endpoint from your page to your own server, and have your server make the api request to the paid api. Do not expose your access tokens to the user. – Taplar May 01 '19 at 22:03
  • Yes, I was already considering that. Since these APIs are quite desired I would have to add my own security as well with a time-sensitive token, which would expire after a few minutes. Basically a hashed rounded timestamp with some salt value. To stop malicious users from abusing the API through my own server. This way a large part of the attack vector has been covered. However, I would still have to be able to safely store that salt value to be 100% safe. – Gilles Lesire May 01 '19 at 22:16

1 Answer

Or is the code assured to be protected in the compiled WGT file?

There is an Encryption feature available in Tizen applications. It protects html, js and css files after installation on the device. Maybe you can use it to somehow protect some sensitive data, but please notice that encryption happens during installation on the device - not during wgt file creation.

15kokos