romeozor

Reputation: 941

Can a secret token be included with an app securely?

I want to create a UWP app for a web API, which provides API keys for app developers.

Basically I would need to include some constant values with my app to generate some HMAC authentication tokens and pass them in the request header.

However, I'm not familiar with how UWP apps are delivered and deployed. Probably not very securely. I'm afraid if I did this, someone would simply decompile the app and steal the keys, like how regular .NET apps can be decompiled.

So what I would like to know is if I can deploy the app with secrets, and if not, how is this kind of problem solved usually with apps?

Also, if it is possible to deploy an app with secrets securely, how can I update those secrets if I would ever need to?

Upvotes: 1

Views: 403

Answers (1)

usselite

Reputation: 816

What you are looking for is the Microsoft Data Protection API (see https://msdn.microsoft.com/en-us/library/ms995355.aspx).

Basically the operating system provides you a service/api which securely allows you to store data. It uses the user authentication to encrypt and decrypt data. You may delete / write a key whenever you like.

I would suggest you calculate a key using ECDH (Elliptic Curve Diffie-Hellman) between your client and server (api) and then store the mutual agreement in the keystore. You decrypt your key at runtime; you might want to store the variable then in a SecureString. However, keep in mind your api needs to keep track of the generated mutual agreements (also securely).

Here Microsoft explains on how to implement DPAPI: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection

Upvotes: 1
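The flow the answer sketches, as an added example (not code from the post or from Microsoft): per-install ECDH agreement against the API's public key, the derived HMAC key protected with DPAPI instead of a constant compiled into the package, and request signing that unprotects the key only while signing. It assumes .NET 6+ on Windows with the System.Security.Cryptography.ProtectedData package; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (added example). UWP apps would call
// Windows.Security.Cryptography.DataProtection.DataProtectionProvider instead of ProtectedData.
static class HmacKeyProvisioning
{
    static readonly byte[] Label = Encoding.UTF8.GetBytes("api-request-hmac");

    static byte[] Canonical(string method, string path, string timestamp) =>
        Encoding.UTF8.GetBytes($"{method}\n{path}\n{timestamp}");

    // Client enrollment: a fresh key pair for this install, ECDH with the server's public key,
    // HMAC-based KDF over the shared secret, then DPAPI-protect the result for the current user.
    // Returns the protected blob to persist and the client public key to register with the API.
    public static (byte[] ProtectedKey, byte[] ClientPublicKey) Enroll(byte[] serverPublicKeySpki)
    {
        using var client = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using var server = ECDiffieHellman.Create();
        server.ImportSubjectPublicKeyInfo(serverPublicKeySpki, out _);
        byte[] hmacKey = client.DeriveKeyFromHmac(server.PublicKey, HashAlgorithmName.SHA256,
            hmacKey: null, secretPrepend: null, secretAppend: Label);
        // Bound to this Windows user: copying the app package or its files elsewhere yields nothing usable.
        byte[] protectedKey = ProtectedData.Protect(hmacKey, null, DataProtectionScope.CurrentUser);
        CryptographicOperations.ZeroMemory(hmacKey);
        return (protectedKey, client.ExportSubjectPublicKeyInfo());
    }

    // Client at runtime: unprotect, sign one request, wipe the key again.
    public static string SignRequest(byte[] protectedKey, string method, string path, string timestamp)
    {
        byte[] hmacKey = ProtectedData.Unprotect(protectedKey, null, DataProtectionScope.CurrentUser);
        try { return Convert.ToBase64String(HMACSHA256.HashData(hmacKey, Canonical(method, path, timestamp))); }
        finally { CryptographicOperations.ZeroMemory(hmacKey); }
    }

    // Server: re-derive the same key from its own private key and the enrolled client public key,
    // then compare tags in constant time. The server must store each client's public key securely.
    public static bool VerifyRequest(ECDiffieHellman serverKey, byte[] clientPublicKeySpki,
        string method, string path, string timestamp, string tagBase64)
    {
        using var client = ECDiffieHellman.Create();
        client.ImportSubjectPublicKeyInfo(clientPublicKeySpki, out _);
        byte[] hmacKey = serverKey.DeriveKeyFromHmac(client.PublicKey, HashAlgorithmName.SHA256,
            null, null, Label);
        byte[] expected = HMACSHA256.HashData(hmacKey, Canonical(method, path, timestamp));
        CryptographicOperations.ZeroMemory(hmacKey);
        return CryptographicOperations.FixedTimeEquals(expected, Convert.FromBase64String(tagBase64));
    }
}
```

Rotating a key is then a re-enrollment (new client key pair, new registration with the API) rather than shipping an app update, and the timestamp in the signed string is what the server should check to reject replayed requests.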
