kramer65

Reputation: 54013

Security: google client secret in app source code safe?

I'm having an iOS and Android app built for a backend we made, and in the app we want the user to authenticate their Gmail with us. On the iOS quickstart page I see the developer needs to include:

private let kClientID = "YOUR_CLIENT_ID_HERE"
private let kClientSecret = "YOUR_CLIENT_SECRET_HERE"

As far as I know, however, app binaries (for both iOS and Android) can be decompiled, so that basically anybody can find out our client_id and client_secret.

Seeing that Google explains it like this I guess it makes sense, but incorporating secret authentication codes in binaries which I distribute just feels wrong.

Can anybody shed more light on this? All tips are welcome!

Upvotes: 1

Views: 358

Answers (3)

abraham

Reputation: 47893

From Step 1: Enable the Gmail API

Select the application type Installed application, the installed application type Other, and click the Create Client ID button.

Google knows the application type is running in an insecure environment, and so Google should be designing data access and integrity around that assumption. Since the example documents including the secret in the source, you will be fine as long as you follow Google's best practices.

Upvotes: 0

zaph

Reputation: 112875

You need to define who you are protecting against. If the value of what is being protected is greater than the cost of the attack.

There is no secure way to put the values in the source code but that may be secure enough for your application. Putting them in an encrypted file is only marginally better because the key to that file would have to be in the app.

That leaves obtaining them from the server, perhaps at signup; the security issue there is authenticating the user. Then put the client and secured IDs in the keychain.

While the Keychain is as secure as possible on the device, when the key is used it must be read into memory and then encoded into the request. The level of difficulty to an attacker is much higher but not insurmountable.

Upvotes: 3

Mauker

Reputation: 11497

I believe it's wrong somehow.

Imagine this scenario. You want to put your code on a public git repository. Then everyone will be able to see your secret.

One way of solving this issue would be to store that data in an encrypted configuration file, or something similar.

On Android you could try SecurePreferences, and on iOS you could try UICKeyChainStore for that.

Upvotes: 0
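Both the question (anyone can pull strings out of a decompiled binary) and the public-repository scenario in this answer come down to the same check: finding Google OAuth client credentials that were left in source or in a build artifact before they ship. The scanner below is an added example written for this page, not code from Google, the quickstart or any of the posters. It assumes the real formats of a Google client ID (digits, a hyphen, a hash, then .apps.googleusercontent.com) and of newer client secrets (GOCSPX- prefix), and falls back to matching any assignment whose name contains "client secret" for older secrets; all sample values in it are constructed and fake.

```python
"""Scan source text, files or build artifacts for hard-coded Google OAuth
client credentials so they are caught before a git push or an app-store
upload (added example; patterns and samples are assumptions, see lead-in)."""
import re
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int       # 1-based line in text, or printable-run index for binaries
    kind: str       # client_id | client_secret | client_secret_assignment
    snippet: str    # client IDs are shown whole (they are public); secrets redacted


# Google OAuth client IDs look like <digits>-<hash>.apps.googleusercontent.com
CLIENT_ID_RE = re.compile(r"\b\d{6,}-[a-z0-9]{20,}\.apps\.googleusercontent\.com\b")
# Client secrets issued since 2021 carry a GOCSPX- prefix.
SECRET_RE = re.compile(r"\bGOCSPX-[A-Za-z0-9_-]{20,}\b")
# Older secrets have no fixed shape, so also flag any assignment whose name
# contains "client secret" (kClientSecret, client_secret, CLIENT-SECRET, ...).
SECRET_ASSIGN_RE = re.compile(
    r'client[_-]?secret\s*[:=]\s*["\']([^"\']{16,})["\']', re.IGNORECASE)
# Quickstart-style placeholders such as YOUR_CLIENT_SECRET_HERE are not leaks.
PLACEHOLDER_RE = re.compile(r"^[A-Z_]+$")
# Minimal strings(1)-style extraction for binaries: runs of printable ASCII.
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")


def redact(value: str) -> str:
    """Keep enough of a secret to locate it in the file, never the whole value."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return every credential-looking literal in text, one Finding per hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CLIENT_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "client_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "client_secret", redact(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            value = m.group(1)
            if SECRET_RE.fullmatch(value) or PLACEHOLDER_RE.match(value):
                continue  # already reported above, or a documentation placeholder
            findings.append(Finding(path, lineno, "client_secret_assignment", redact(value)))
    return findings


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    """Scan a compiled artifact the way a decompiler or strings(1) would see it."""
    runs = [r.decode("ascii") for r in PRINTABLE_RUN_RE.findall(data)]
    return scan_text("\n".join(runs), path)


def scan_path(root: Path) -> List[Finding]:
    """Walk a checkout or build directory; text files and binaries both get scanned."""
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        raw = p.read_bytes()
        try:
            findings.extend(scan_text(raw.decode("utf-8"), str(p)))
        except UnicodeDecodeError:
            findings.extend(scan_bytes(raw, str(p)))
    return findings


# Constructed sample mirroring the quickstart layout; every value below is fake.
SAMPLE_SOURCE = '''\
private let kClientID = "123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com"
private let kClientSecret = "GOCSPX-abcdefghijklmnopqrstuvwx"
private let kPlaceholder = "YOUR_CLIENT_SECRET_HERE"
'''
# Constructed stand-in for a compiled binary: junk bytes around a string literal.
SAMPLE_BINARY = (b"\x00\x01\x02" + b'client_id = "123456789012-abcdefghijklmnopqrstuvwxyz123456'
                 b'.apps.googleusercontent.com"' + b"\xff\xfe")

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "Sample.swift") + scan_bytes(SAMPLE_BINARY, "App.bin"):
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
```

Run it as a pre-commit hook over the checkout (scan_path) and again over the built .ipa/.apk contents; a non-empty result on the release artifact is the concrete evidence that whatever is in those constants is readable by anyone who installs the app.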
