
It is an obvious security vulnerability to have my API keys out in the open as such when initially developing my app. Parse is set up this way because it’s easy for development and learning, I assume.

I’m going on the assumption that accepting only HTTPS will be enough to protect the keys in transit. If this is not the case please advise.

The main issue I’m having is how to protect the keys in the source code against decompilers.

If I were to encrypt the keys, and decrypt for API requests, then re-encrypt the keys again when not in use, would this be sufficient or could someone malicious still reverse engineer the app to get keys and launch attacks against my users’ data?

I’ll take a Flutter Parse answer but I’d be happy with any general idea, starting point or answer.

RobbB
  • Is this an android app? – defalt Jul 14 '21 at 15:02
  • Android and iOS – RobbB Jul 14 '21 at 16:02
  • 1
    [Secure way to hold private keys in the Android app](https://security.stackexchange.com/a/242398/118310) – defalt Jul 14 '21 at 16:28
  • No better than [flutter_secure_storage](https://pub.dev/packages/flutter_secure_storage) which uses keychain iOS and keyStore for Android for storing keys. I am already doing this. This does not really help me any. My question was pretty specific in the second last paragraph. Maybe I need a better more specific question topic about protecting data in use??? – RobbB Jul 15 '21 at 01:48
  • Encrypt the key using the key stored by keystore. Set key attribute to user authentication required. Then with only successful authentication, keystore will decrypt the key. – defalt Jul 15 '21 at 04:42
  • Sounds like a chicken before egg situation. The server would require keys be sent to be able to authenticate the user, would it not? I could see this working for something not app related where auth could be gotten before first sign in. – RobbB Jul 16 '21 at 03:52
  • API keys aren't used for authentication, they are used for authorization. – defalt Jul 16 '21 at 06:32
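The keystore approach suggested in the comments above, as an added example that is not from the question, Parse or Flutter: an Android Keystore AES key flagged as requiring user authentication wraps the API key at rest; the alias, the 30-second validity window and the helper names are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Alias and validity window are assumptions for this example, not Parse or Flutter names.
private const val WRAPPING_KEY_ALIAS = "api_key_wrapping_key"
private const val AUTH_VALIDITY_SECONDS = 30
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

/** Create (once) a non-exportable AES key whose use requires recent user authentication. */
fun ensureWrappingKey() {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    if (ks.containsAlias(WRAPPING_KEY_ALIAS)) return
    val spec = KeyGenParameterSpec.Builder(
        WRAPPING_KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)   // the attribute the comment refers to
        .setUserAuthenticationValidityDurationSeconds(AUTH_VALIDITY_SECONDS)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

private fun wrappingKey(): SecretKey =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(WRAPPING_KEY_ALIAS, null) as SecretKey

/** Encrypt the API key for storage; returns IV followed by ciphertext (GCM tag included). */
fun wrapApiKey(apiKey: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, wrappingKey())   // Keystore picks a fresh random IV
    return cipher.iv + cipher.doFinal(apiKey)
}

/** Decrypt; throws UserNotAuthenticatedException unless the user authenticated recently. */
fun unwrapApiKey(blob: ByteArray): ByteArray {
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, wrappingKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return cipher.doFinal(blob.copyOfRange(GCM_IV_BYTES, blob.size))
}
```

In a Flutter app this would sit behind a platform channel. The Keystore only protects the wrapped key at rest on that device: the app must still obtain the key from somewhere, and once unwrapped for a request it is plaintext in the app's memory, so the server-side privileges tied to that key should be the smallest that work.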
