
I'm developing a mobile app (using Flutter) which has to communicate with a backend secured with OAuth.

The backend is not accessed in the context of a user so authorization or password grant flow are not the case here - it's client credentials flow.

I read numerous posts and opinions and I still can't come up with a solution for how to securely inject the client_id and client_secret into the app without hardcoding them somehow, which risks those credentials being discovered by someone who might analyze the binary.

Even solutions such as using the secure storage of the phone still seem to require some code which itself requires the hardcoding of the values. I also read that environment variables are also not safe.

So my question stands - how can I securely persist credentials specifically for the client credentials OAuth flow in a mobile app so that they are not discoverable by malicious programmers?

Mr. Nicky
  • Couldn't find my answer here: https://stackoverflow.com/questions/55663207/storing-api-credentials-in-a-flutter-application – Mr. Nicky Aug 06 '22 at 21:12
  • There is no way if you cannot afford for the credentials to be disclosed. You can use a server to act as a proxy; your app makes an unauthenticated request to your server for a specific, limited purpose and your server uses the client credentials flow to obtain the required token and make the request and return the result to your mobile app. Even better is if your app can make a user-authenticated request to your proxy which can validate the user authentication before making the request to the other service. – Paulw11 Aug 06 '22 at 21:31
  • Even if there is a server proxy, won't its url be exposed to "hackers" by decompiling the binary the same way the client credentials would be? What's the point of adding another level of indirection if the proxy would then be subject to the same level of exploitation as would the real server be if the client credentials were there instead of a proxy url? – Mr. Nicky Aug 06 '22 at 21:47
  • It really depends on what the client credentials allow you to do and what your app needs. For example, say the client credentials allowed read/write access to some database but your app only needs to read. A proxy lets you only expose a read function. Yes, people could find that url and perform reads using the url but the credentials that allow writes are protected. You can also use app attestation in your server to ensure that the request came from your app and not some other source. – Paulw11 Aug 06 '22 at 22:23
  • Finally, using a proxy lets you change the client credentials without having to release a new version of your app or breaking older versions – Paulw11 Aug 06 '22 at 22:23
  • I see what you're saying. I haven't heard of app attestation, so I need to do some research on that. Regarding my use case - the mobile app needs write access to a certain API, which is why I'm so wary about how to tackle this. It would have been one thing to only have read access and not allow malicious agents to abuse my backend and flood it with write requests, but yeah... – Mr. Nicky Aug 07 '22 at 11:22
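The proxy pattern sketched in Paulw11's comments, as an added example that is not part of the original post or of any answer: a server-side component holds the client credentials, runs the client credentials grant itself, caches the token, checks an app-attestation value, and exposes only a single read operation to the app. The token endpoint, the upstream API and the attestation check are stand-in callables with assumed names so that the example runs offline.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for the real token endpoint and API (hypothetical
# names); in production these would be HTTPS calls made by the proxy server.

class CredentialProxy:
    """Keeps client_id/client_secret on the server and exposes only a
    narrow, allow-listed operation to the mobile app."""

    def __init__(self, client_id: str, client_secret: str,
                 fetch_token: Callable[[Dict[str, str]], Dict],
                 call_upstream: Callable[[str, str, str], Dict],
                 verify_app: Callable[[str], bool],
                 now: Callable[[], float] = time.time) -> None:
        self._client_id = client_id
        self._client_secret = client_secret      # never sent to the app
        self._fetch_token = fetch_token
        self._call_upstream = call_upstream
        self._verify_app = verify_app
        self._now = now
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _access_token(self) -> str:
        # Reuse the cached token until shortly before expiry, then
        # re-run the client credentials grant server-side.
        if self._token and self._now() < self._expires_at - 30:
            return self._token
        resp = self._fetch_token({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        self._token = resp["access_token"]
        self._expires_at = self._now() + float(resp.get("expires_in", 0))
        return self._token

    def read_item(self, item_id: str, attestation: str) -> Tuple[int, Dict]:
        # Only this read path is exposed; the app never receives a raw
        # token or the ability to call arbitrary upstream endpoints.
        if not self._verify_app(attestation):
            return 403, {"error": "app attestation failed"}
        if not item_id.isalnum():
            return 400, {"error": "invalid item id"}
        data = self._call_upstream("GET", f"/items/{item_id}", self._access_token())
        return 200, data
```

Rotating the client secret then means changing it in the proxy only, with no app release, as the last comment notes.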
