I try to understand how I can store secrets in a Xamarin.Forms project.

I have a Web API Core as a backend and a Xamarin.Forms app as a frontend.

I am trying to code Facebook authentication with Xamarin.Auth and I need to pass the secret key to my app.

My thinking:

  1. Store in the frontend: I could create a config file and encrypt it, but the decryption will be in my source code, and by decompiling and reflection the hacker could retrieve the decryption source code and decrypt the secret key.

  2. Store in the backend: I could store the keys in the backend, but by sniffing the requests sent, a hacker could retrieve my secret keys.

Then what is the solution? How can I do it?

Thanks,

dalton5
  • Storing in the backend is the best option. Protect your backend with SSL, HSTS policies and other security policies to protect your network payloads. That's all we can do. – N Subedi Jun 26 '19 at 14:59
  • The nature of web services or your application is to be used by other people! The doors are always open, otherwise how could other people use your app? – N Subedi Jun 26 '19 at 15:00

1 Answer

You could store your secret using Xamarin.Essentials. For Android your secret will be stored in Android's KeyStore, and within the Keychain in the case of iOS. Even if you decide to go with an encrypted config file, I would strongly recommend storing your keys and IV in the SecureStorage instead of hard coding them in your source code. It is extremely easy to use and, well, as secure as it gets on a mobile device.

using System;
using Xamarin.Essentials;

try
{
   // write secret
   await SecureStorage.SetAsync("oauth_token", "secret-oauth-token-value");

   // read secret (returns null when nothing is stored under the key)
   var token = await SecureStorage.GetAsync("oauth_token");
}
catch (Exception ex)
{
   // Possible that the device doesn't support secure storage (e.g. no lock screen set).
}
Mouse On Mars
    The problem with this approach is you still have to SetAsync, so for an OAuth token you're not going to ask that from a user, so how do you put it in? – Richthofen Dec 30 '19 at 15:22
  • @Richthofen perhaps using an environment variable here would make sense. – Anton Swanevelder Mar 20 '20 at 10:26
  • @Richthofen Your app directs the user to an authentication website; the associated authentication service that your app is using, e.g. Auth0, Firebase, provides an authentication token. This token you would save via SecureStorage to disk. – Mouse On Mars Mar 20 '20 at 16:26
  • @AntonSwanevelder I would recommend using the secure storage iOS and Android offers. Usually, when you come up with a custom solution the result is less secure than going with what the platform offers. – Mouse On Mars Mar 20 '20 at 16:38
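Putting the answer and the comment thread together, as an added example that is not from the answer or from Xamarin itself: the app never holds the Facebook app secret; it opens a login page served by the backend (the URL and callback scheme below are hypothetical), the backend owns the secret and completes the OAuth exchange, and the app only stores the resulting per-user token in SecureStorage. It assumes the WebAuthenticator class from Xamarin.Essentials, which the answer does not mention.

```csharp
using System;
using System.Threading.Tasks;
using Xamarin.Essentials;

// Hypothetical helper (not from the answer): the Facebook app secret stays on the
// backend, which completes the OAuth exchange; the app keeps only the per-user token.
public static class UserTokenStore
{
    const string TokenKey = "oauth_token";
    // Hypothetical backend endpoint that starts the provider login (assumption).
    static readonly Uri LoginUri = new Uri("https://api.example.com/auth/facebook/login");
    // Custom scheme the backend redirects to once it holds the token (assumption).
    static readonly Uri CallbackUri = new Uri("myapp://auth-callback");

    // Opens the system browser, waits for the redirect to CallbackUri and
    // stores the access_token carried in its query string.
    public static async Task<string> SignInAsync()
    {
        WebAuthenticatorResult result =
            await WebAuthenticator.AuthenticateAsync(LoginUri, CallbackUri);

        // WebAuthenticatorResult maps the callback's query parameters to properties.
        string token = result?.AccessToken;
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("Callback carried no access_token.");

        // Android KeyStore-backed storage / iOS Keychain, never a literal in source.
        await SecureStorage.SetAsync(TokenKey, token);
        return token;
    }

    // Returns the stored token, or null when the user has not signed in yet.
    public static async Task<string> GetTokenAsync()
    {
        try
        {
            return await SecureStorage.GetAsync(TokenKey);
        }
        catch (Exception)
        {
            // Secure storage can be unavailable (device without a lock screen,
            // keystore invalidated); treat that as signed out.
            return null;
        }
    }

    // Drop the token on sign-out so it is not left behind on the device.
    public static bool SignOut() => SecureStorage.Remove(TokenKey);
}
```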