2

What is best practice as of 2019 for storing secrets inside applications?

Sometimes in an app, you might need to access some web-resource or other asset that requires authentication or decryption.

What is the best practice to achieve this?

I've seen folks hardcode symmetric keys, etc but I feel this is a bad way to do things.

Even if the key is encrypted you still need to decrypt the key before use.

Using secure enclaves in iOS or keychains make sense but still, you'd need to onboard each client to the resource with their public key so this seems suboptimal (also you'd need to authenticate each client)...

schroeder
  • 123,438
  • 55
  • 284
  • 319
Woodstock
  • 679
  • 6
  • 20
  • That depends entirely on what you want to do. "Authenticating yourself to the server" is very different from "Decrypting something the server sent". –  Oct 29 '19 at 10:26
  • @MechMK1 let's say to keep API key secret? – Woodstock Oct 29 '19 at 10:39
  • 1
    So it seems your question is rather "How can I securely handle my API secret key?", right? Here is [an article](https://medium.com/poka-techblog/the-best-way-to-store-secrets-in-your-app-is-not-to-store-secrets-in-your-app-308a6807d3ed) that discusses one way to do it. –  Oct 29 '19 at 10:41
  • @MechMK1 - I regularly see folks say, "Don't store secrets in the source, put them on a server", I get how ECDH can be used to securely comm with a server, however, this still leaves the problem of how to authenticate with the server! the article is interesting, but using AWS surely isn't the 'best practice'? – Woodstock Oct 29 '19 at 10:54
  • There are a lot of questions about storing secrets in code here. Including API-specific questions like: https://security.stackexchange.com/questions/192411/how-to-securely-store-api-keys – schroeder Oct 29 '19 at 11:12

2 Answers2

1

What is best practice as of 2019 for storing secrets inside applications?

Best practice? Don't do it.

Its hard to answer your question without any context - what sort of "app"? What are the constraints? What is the threat model? What usages for the secrets?

If you are authenticating the user's interaction with the app, and the built-in capabilities of the client are insufficient, and you need to provide local then stored a suitably hashed representation of the user's passwords as data.

For anything which needs to be maintained as clear text, and which you cannot control the rotation of, and where your app will never see the user's password (or needs to run without an active session) and the secrets need to be available offline then encrypt the data using a master key, and for preference rotate the master key regularly (which is starting to sound a lot like building the kind of capability provided in most modern runtime environments). But this is a very undesirable situation - so should be the last option you choose.

If the app will only be used online (or only requires access to the secrets when online) then use an online store for the secrets authenticated by a changing token stored on the device.

Thee are so many other options I could be here all day painting scenarios and proposing what I think is the best solution.

symcbean
  • 18,278
  • 39
  • 73
  • Sure but that's the thing `authenticated by a changing token stored on the device` - you then need to secure that token, or authenticate the process of obtaining it, it's a chicken and egg situation. – Woodstock Oct 29 '19 at 13:03
  • Yes. If you have a solution to that you're going to get very rich. – symcbean Oct 29 '19 at 20:31
  • so I guess all of these mobile apps have a weakness when dealing with external resources... :) – Woodstock Oct 30 '19 at 10:18
0

I would say that the best approach if it is applicable, is to be able to use/apply a secret without directly accessing it.

For example, iOS enclave that you have mentioned works following this principle - it allows us to use the secret for cryptographic operations. Still, it is impossible to extract/view/copy secret from the enclave.

The same principle is used in Hardware Security Modules (HSM) mention in the reference by schroeder♦, where an authorized request can request performing a cryptographic operation, but the actual secret key never gets revealed by HSM device.

Valentin Balaschenko
  • 137
  • 2
  • 8
  • Yup problem is though, one must exfiltrate the public key (from the private key in the enclave) of each user in order to authenticate them. That's not efficient... – Woodstock Oct 29 '19 at 12:55