I have an Android application that sends info to a server, but needs each user to have an assigned API key that they use. The apk build is, therefore, universal, but I need to attach a unique config file to the download containing the API key.
SharedPreferences (or SecurePreferences) is ok for writing and reading from the app on the device, but not for sending down a pre-configured file?
*.properties needs to be compiled with the app?
AndroidManifest.xml meta-data, this is just used at build time?
What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?
What's the best way to have the unique API Key downloaded, have it stored somewhere private to the app, and accessible to the app?
You should get API key specific to user/app on successful authentication or login, then after you can store retrieved key in your SharedPreference of the application.
Set SharedPreferences mode as private mode so other application can not read/write it.
Related
Is there a way to store a secret key (e.g. API key) in flutter?
Use-case:
When registering a new user on my app I need to talk to my backend. Since I only want devices that I know to register users, this backend has only authenticated endpoints. Which means I need to have an API key to authorize the app.
I know you can store environment variables or configurations inside config file or user secrets in a encrypted database but there are a some problems with that in this case:
config file can be recovered with all of its content by just unzipping the apk file which means there are no real secrets there...
To have a secret in a database, you need to put it there first which is not possible before runtime.
I'll probably use environnement variable, and also, I'll obfuscate my Dart code.
There is multiple tutorials, but i'll send you the one from the documentation:
https://flutter.dev/docs/deployment/obfuscate
I have an android app. I'm using json api to fetch data from database. But api credentials are stored in my app. I don't want it. Because there are some ways to show android source codes.
Are there any way fetch data securely but credentials are not stored in my app?
You can use Android Keystore.The Keystore is not used directly for storing application secrets such as password, however, it provides a secure container, which can be used by apps to store their private keys, in a way that’s pretty difficult for malicious (unauthorised) users and apps to retrieve.
How to use the Android Keystore to store passwords and other sensitive information
Where is the best place to store a password in your Android app
Is there an equivalent to iOS's Keychain on Android?
My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)
I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.
Short answer, there isn't one. But you can expect the filesystem to be secure.
Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.
This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html
Actually there is:
By integrating Smart Lock for Passwords into your Android app, you can
automatically sign users in to your app using the credentials they
have saved. Users can save both username-password credentials and
federated identity provider credentials.
Integrate Smart Lock for Passwords into your app by using the
Credentials API to retrieve saved credentials on sign-in. Use
successfully retrieved credentials to sign the user in, or use the
Credentials API to rapidly on-board new users by partially completing
your app's sign in or sign up form. Prompt users after sign-in or
sign-up to store their credentials for future automatic
authentication.
https://developers.google.com/identity/smartlock-passwords/android/
Expanding upon #DJPlayer's answer:
Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.
Android Keystore System
Where is the best place to store a password in your Android app?
How to use the Android Keystore to store passwords and other sensitive information
Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.
Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)
http://developer.android.com/reference/android/security/KeyChain.html
Keychain for OS 4.0
Is it possible to deliver a private key with an Android app, which is the same for all app installations, and which cannot be extracted from the .apk file?
The reason I need this is the following:
When my app sends data to the server, (let's say an app key, which may be public), it also sends the hash of this app key, signed with the private key installed during the installation process.
The server checks the signature by applying the public key to the signed, hashed app key and comparing the result to the hashed app key.
Only if the signature is correct, will sensitive data like an app secret for the access of my API be returned.
This way I like to make sure that only my app can use my API and the app secret cannot be stolen (app key and app secret are necessary to retrieve an access token from the API).
Google Instance ID seems to be what I am looking for (runs on Android and iOS). This library enables you to assign unique IDs to each installed app instance and to perform a check on the server side, whether the ID belongs to your app.
More information can be found here.
I have to store the private key of my app in a secure location in the android device, i read about certStore, but it doesnt allow to store a file in it.
Is there any location where I can store it securely and doesn't get deleted if app re-installs.
You can store the key in the Preferences of your App. This will protect the key from
getting read by other applications because of the underlying file system restrictions of
the Android system.
But this won't protect the key from being read by the user itself.
and if you want to use this shared preference after your application removed and again installed in device then try for Android Backup Manager.
I think its help you in re-installation of your activity's data.
EDIT: Android (unfortunately) does not provide a way to do so. The approach I've used
before is to encrypt this token with another key generated within the app.
Your app key can be algorithmically generated. This, however, is only as secure as
your algorithm. Once that is known this is equivalent to storing the token in plain text.
Thanks.