koobas.hobune.stream
Store api keys/secrets safely
I want to store store api secrets in my android application safely. That means, it is not possible to find out the api secret by decompiling the application.
Is it possible to use a config file or something else which is not part of the built afterwards?
thank you!
No that's not possible. Everything that you ship with your application can be read / decompiled. The only secure way is to store it on your server and handle important things on your server so a client never requires the secret in the first place.
For example if you want to validate a purchase with your private key the client application would send the receipt the client got from the store to your server. On your server you can validate the receipt and inform the client about the result.
Bunny is referencing "Public $$anonymous$$ey Cryptography". This where there exists both a public and private key. You can either: use the public key to encrypt a message and the private key to decrypt the message OR: use the private key to "SIGN" a message, and the public key to confirm the signature.
You probably want to employ the latter usage, with a static plain-text, and public key stored on the app. Sign the static plain-text with your private key, and send it to the purchaser. The app then uses the public key to process the signed-text message you sent them, and confirm it matches the static message it has stored in plain-text. The disadvantage to this, is still, you need to put that signed-text message "out there".
