
I am building an Android app using Flutter. The backend service is built using golang with gRPC as the API.

I want to achieve two-way TLS encryption for the app I am building. I have generated an RSA public and private key pair and assigned the private key to the golang gRPC side and the public key to the Flutter side. I don't know if this is the best approach, as I am directly storing the public key in the assets folder of my Flutter app.

What is the best approach for me to achieve two-way encryption without the risk of compromising my public key, or is there any other better method altogether to achieve what I am looking for?

golang gRPC init code:

```go
// Load the server certificate and private key; this sets up server-side TLS only.
cred, sslErr := credentials.NewServerTLSFromFile(parsedConfig.GRPCConf.CertFile, parsedConfig.GRPCConf.KeyFile)
if sslErr != nil {
    sslErr = errors.Wrap(sslErr, "[ERROR - 301]")
    return sslErr
}
// Serve gRPC over TLS using those credentials.
opts = append(opts, grpc.Creds(cred))

opts = append(opts, grpc.UnaryInterceptor(unaryInterceptor))

grpcServer := grpc.NewServer(opts...)
```
hhharsha36
  • TLS works using certificates, not raw keys. And there's no "one way TLS", it's always two-way. What can be just one-way is the authentication: if you only need to verify the server's identity, you only need a certificate (and associated private key) on the server side. If you want mutual auth, you also need client certificates. – Marc Aug 31 '20 at 17:18
  • I am very sorry, I think I interpreted wrongly. As you have pointed out, I am using the certificate file on the server-side (I have attached code for reference). How to get the client certificate? Is it ok if I generate a client certificate of my own and embed it in the assets folder? I am new to encryption and development in general, Thank you for your response and patience. – hhharsha36 Aug 31 '20 at 17:30
  • Why would you need a client certificate? You don't need it to establish a secure connection. If you need to authenticate users of the app (as in each app install will have a different identity), you need something dynamic such as asking them to log in. – Marc Aug 31 '20 at 17:34
  • So, if I connect using the `credentials: ChannelCredentials.insecure()` option in flutter, is it still fine? If so thanks for your clarification. Please write an answer, I will mark it as the solution. – hhharsha36 Aug 31 '20 at 17:37
  • Try this guide: https://itnext.io/practical-guide-to-securing-grpc-connections-with-go-and-tls-part-1-f63058e9d6d1. Maybe also read more about TLS. And you should have a publicly issued certificate for your server. – Marc Aug 31 '20 at 17:43
  • Thanks a lot for all your help Marc. Will surely do the same. – hhharsha36 Aug 31 '20 at 17:46
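
The distinction drawn in the comments above (server-only authentication versus mutual authentication with client certificates), as an added example that is not part of the original thread. It uses Go's `crypto/tls` directly with a throwaway in-memory CA; the host name `grpc.example.test`, the helper names `issue` and `demo`, and the TLS 1.2 pin are assumptions made for the demo. A `tls.Config` like the server one here can be handed to grpc-go through `credentials.NewTLS`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes a throwaway certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	signer, signKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// demo returns the server's handshake result: server-auth only, mTLS without and with a client cert.
func demo() (serverOnly, noCert, withCert error) {
	ca := issue("demo-ca", nil) // constructed CA, server and client identities
	srv, cli := issue("grpc.example.test", &ca), issue("app-client", &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	run := func(auth tls.ClientAuthType, clientCerts ...tls.Certificate) error {
		c, s := net.Pipe() // in-memory connection, no network needed
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		s.SetDeadline(time.Now().Add(5 * time.Second))
		go tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "grpc.example.test", Certificates: clientCerts}).Handshake()
		return tls.Server(s, &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: auth,
			ClientCAs: pool, MaxVersion: tls.VersionTLS12}).Handshake() // 1.2 pinned for the demo only
	}
	return run(tls.NoClientCert), run(tls.RequireAndVerifyClientCert), run(tls.RequireAndVerifyClientCert, cli)
}

func main() { fmt.Println(demo()) }
```

In the first case the client holds only the CA certificate it trusts, no key of its own, and the channel is still encrypted in both directions; only the second and third cases ask the client to prove an identity.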

0 Answers