Reputation: 989
I was following this article to create my first Android app using Azure Mobile Services:
https://azure.microsoft.com/en-us/documentation/articles/mobile-services-android-get-started/
In order to use the Mobile Services SDK, the client needs to know the Application Key, which is obtained from the Azure portal.
In the sample app, the application key is stored in the client app. My question is: is this safe? What if someone decompiles the source code?
If this practice is not safe, what's the recommended way to store this application key?
Thanks
Upvotes: 0
Views: 93
Reputation: 21
The preceding answer is correct, and there is really no way to avoid passing the credentials to the service to authenticate.
However, if you have other kinds of sensitive credentials, take a look at this topic: it stores the information inside your mobile service, which you can then access from there: Upload images to Azure Blob storage by using Mobile Services
Upvotes: 0
Reputation: 531
Let's assume someone succeeds in getting your application key and can interact with your back-end.
In my opinion, it is your responsibility to make sure nobody can do something they are not allowed to do. For instance, you must not make your mobile client able to send queries directly to your database; you should only let it interact with one or more APIs which let it consume the resources and/or services you want it to consume. You must control what data your clients have access to.
If you manage to do this properly, you will quickly understand why it's not much of a big deal if someone somehow finds your Application Key: they won't be able to access unauthorized data.
PS: Generally, when developing back-end APIs, you must always keep in mind that you must never trust what your clients send/ask you. You should thus always do some checking first (connection token, valid argument types, etc.).
Upvotes: 1