Question

I'm doing a hobby project Windows 8 app in WinJS. As I'm calling an external api, which requires an api key and oauth authentication, I've got a number of keys that I need to keep "secret".

I've seen places around the web with detailed descriptions on how to get access to and also modify the source code for WinJS (and C#) apps on your computer. But I think those were in the beta/preview time frame?

My Google skills don't seem to be able to tell me if this has been fixed since, does anyone know?

If it wasn't fixed, how do people handle these situations?

Any tips and suggestions welcome :)


Solution

You have a couple options here.

  1. Integrate Azure Mobile Services and have it do the OAuth if possible. Your keys remain secret in the cloud.
  2. Store the main key encrypted in your WinJS application. The secret is then also encrypted and stored locally. I use https://github.com/cauld/winjs-oauth-for-twitter and have a slight revision so that when I get the key back I store it in the Credential Manager.

Any local application compiled from any computer language can be tampered with; all you need is a debugger. If you encrypt everything, in theory I can just load up a debugger, attach to the HTTP stack library and watch the data go out (not to mention even easier techniques like Fiddler to watch this data) and extract whatever I want, fairly easily. So the question is: what are you trying to prevent?

OTHER TIPS

If your app could be facilitated to launch a man-in-the-middle attack, you should not keep confidential data in plain form for a long time, in memory or on disk. Also, storing encrypted data locally, alongside the algorithm and the algorithm key/hash, is a recipe for security incidents.

There is no silver bullet to protect your code or data from probing by the end user (or someone who has physical access to the end user's machine); see the number of game save editors and game trainers out there. Don't put your business logic or important data (e.g. in-app purchases) in plain text or similar; at least add some obfuscation.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow