Reputation: 4313
I have Android and iOS apps which need to post to social networks, like Twitter and Facebook, directly using users' accounts.
Is it safe to embed the API Key and Consumer Secret in source code (or put in a pref file) within the Android/iOS app? Wouldn't it be possible that some hacker can find the API Key and Consumer Secret?
Upvotes: 0
Views: 102
Reputation: 2731
Pref is never safe for storing your passwords; it can simply be seen on rooted devices. You can encrypt your pass and then put it in pref, but your encryption key still exists in code. In my experience your code is not safe either, even if you use ProGuard. It can be decompiled, and a normal developer (not even a hacker) can find the keys. I suggest you never store passwords locally.
If you have to do this, I suggest you:
use complex code with a multipart password, where each part is stored in a different location with encryption;
also, from API 23+ you can use KeyStore;
use the NDK and store the pass in C form;
and finally use ProGuard and DexGuard.
Upvotes: 0
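A pre-release check for the risk discussed in this thread, as an added example that is not part of the original question or answer: it scans a packaged build for long, high-entropy string constants, which stay readable in compiled files when only identifiers are renamed or the literal is moved into native code. The package contents, entry names, token values and the 4.0-bit entropy threshold are constructed assumptions.

```python
import io
import math
import re
import zipfile

# Runs of 20+ key-like characters; the length and alphabet are assumptions.
TOKEN = re.compile(rb"[A-Za-z0-9_-]{20,}")

def entropy(tok: bytes) -> float:
    """Shannon entropy in bits per character."""
    n = len(tok)
    return -sum(tok.count(b) / n * math.log2(tok.count(b) / n) for b in set(tok))

def scan_package(data: bytes, min_entropy: float = 4.0):
    """Return sorted (entry, token) pairs for key-like constants in a zip/APK."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            for m in TOKEN.finditer(pkg.read(name)):
                if entropy(m.group()) >= min_entropy:
                    findings.add((name, m.group().decode("ascii")))
    return sorted(findings)

# Constructed values, not real credentials.
SECRET_A = "EXAMPLEx7Kq2Lm9Zp4Rt8Vw3Ns6Yb1Gd5"
SECRET_B = "FAKEsecret0Hj5Tc8Ub2Wf6Xa9Mk3Qe7"

def build_sample() -> bytes:
    """Constructed stand-in for a release build (simplified, not valid DEX/ELF)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Renamed class "a/b/c" as after identifier obfuscation, constant intact.
        z.writestr("classes.dex", b"dex\n035\x00La/b/c;\x00"
                   b"getSharedPreferencesEditor\x00" + SECRET_A.encode() + b"\x00")
        # String literal from C code as it would sit in a native library.
        z.writestr("lib/arm64-v8a/libkeys.so",
                   b"\x7fELF\x00\x00" + SECRET_B.encode() + b"\x00")
        z.writestr("assets/prefs.xml",
                   f'<string name="consumer_secret">{SECRET_A}</string>'.encode())
    return buf.getvalue()

if __name__ == "__main__":
    for entry, token in scan_package(build_sample()):
        print(f"{entry}: {token}")
```

A clean scan only rules out literal constants; a value that is split or encrypted in the package is still reassembled at runtime on a device the user controls.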