Some APIs should be accessed from your backend, not the app (eg the user can authorize you on Facebook without you sharing your API app secret).
The paper also says they found amazon tokens, with which you can spawn instances. I think you can use other kind of authentication that don't give access to the whole account.
What if you app doesn't have a backend? That's an honest question, I've been trying to come up with some way of using authe/autho keys on a fully client-side app (be it a mobile or desktop one) that is still secure; I can't think of a way to, as to communicate it requires the keys to be in memory, thus, vulnerable.
I dunno. I've wondered about all this myself quite a lot, perhaps its a non-issue?
Yes I don't know of any good solution for client side only applications. And it's a real issue I think. For instance if I have your key, it may be possible for me to access data, post on behalf, etc... of people who signed in with the service on your application
Best writeup for Google I've found:
http://www.riskcompletefailure.com/2013/10/google-android-cl...
(author talks about "PlusClient" which is now deprecated in favor of "GoogleApiClient", but other than that, the article is accurate - but missing server-side details).
It's a lot harder. So I'm guessing many devs just skip it.
Frequently: none. Well, you could proxy the request through your servers, but that could get relatively costly.
Ideally: either the service allows you to generate short-lived tokens (server-side, ideally without a request to the service), or you sign requests for the client. In the latter, you generally gain some measure control over what apps can do, with relatively small cost. Basically that's what you can do with S3 file uploads - your server can generate a signed URL, then the client can upload to it, all while you retain complete control of your API secrets.
> This can mean several things, but it also means that users can never be 100 percent certain that the app they are downloading is entirely secure.
I wonder in what circumstances the author thinks users can be 100% certain that the app they are downloading is entirely secure. Cause, yeah, there aren't any.
1. the user is side-loading an app they wrote themselves (or is an internal Apple/Google developer who uploaded an app to their app store and audited the entire sausage-making process as it transpired),
and 2. the app does literally nothing,
then the user can be 100 percent certain that the app does what it does securely.
What a non article. As if iPhone apps don't have these keys in them.
So, now you have those keys. What are you going to do with them? Just because you have the "app" key doesn't mean you have access to any sort data. The worst you can do is write an authentication flow with some other companies app keys, and then what?
Can someone please explain what the security issue here is?
I wouldn't really consider these "keys" or "secrets", they're more like a user identifier. Having them probably means you can now write another app to access the same data... and if that was in any way considered a security issue, it wouldn't be solved by not having those identifiers in the app either.
(Of course there might be some APIs that allow doing more by interacting with them directly than what the app originally allowed, but I think those are just cases of bad design.)
Some Websites require you to pay money for access to their API.
Some of them also have a HTML5-App (with a wrapper) available for Android. This app uses the same API.
So some malicious developer could just unzip the app, read the JavaScript and find the API-key, and use their key instead of paying for one.
And as the website usually has many accesses from the same IP (due to mobile users being behind NATs), the Website will never find out that someone is abusing their API.
And some websites do not have public APIs at all. I've already used this technique to "discover" the private API and the access keys, nothing sensitive and only for personal use of course.
So this relates to the API keys used by developers to access their own backend APIs and the APIs of third parties, such as Facebook or Twitter.
There are suggestions in comments here that you hide your third party API keys in your own backend server, and your app queries for the API keys and then makes the call from the client using the temporary downloaded keys.
So how do you secure your own server's API keys? That's just a Russian doll implementation.
I can't see a valid way to access an API key using a consumer key / secret without storing them in the application.
Having read the paper [1], the authors suggest the following as a solution to the API key conundrum:
To avoid the need of storing secret tokens on a mobile device, Facebook
leverages the presence of the official Facebook Android application on
Android devices. The Facebook SDK allows third-party applications to use
Android intents to proxy requests for user access tokens through Facebook's
Android application, where the user is already authenticated. To retrieve a
user's access token with the Facebook SDK, the Android application identifier
of a third-party application must be registered on its Facebook application
settings page. This allows Facebook's Android application to respond to the
third-party application's access token request by verifying the application
identifier in the intent to the one officially registered online. Only the
application identifer is needed and no secret key is compromised since it
is retrieved at runtime. This technique relies on the robustness of Android
since the source of the Android intent is assumed not to be spoofable.
Does anyone have a clearer description of this process. I've now read this extract three times and I'm none the wiser.
Facebook require you to create an "Application" on their developers website which corresponds to your Android app. Within the settings for your Facebook application you have to register details of your Android application - the package name and some sort of information on the key it's signed with (If my recall is correct - I've not done it for about 6 months).
Because you've registered this information, Facebook will only allow your app to perform actions if it not only has the correct API key but also matches the registered details. I suppose this means that if someone decompiles your app and steals your key they can't perform actions pretending to be you.
That's not true totally, since you can side load on Android it's trivial to spoof an App Identity to match what the facebook app is expecting. You can get the Identity from the original app. What is somewhat more difficult is doing this across a bunch of phones since the Play store won't register your app if it's spoofing another apps id. In the end it's just a series of hoops to jump through like almost all security. The more hoops you put between you and the bad guys the less it's worth jumping through them, in theory that is. There will always be the guy who has to know.
*edit I mean it's not true that the attacker can't impersonate your app. Your description of how it works looks right on to me. :)
The Facebook application on Android probably verifies the integrity of the app originating the request by checking its code signature. Developers have to register their Android code signing certificate with Facebook.
I imagine that it works like that the other way around as well: Check whether the code signature of the Intent's sender matches the app developer certificate.
I am surprised that more developers do not run a code scrambler on their code before compiling a release. Also, why would you name the variable where you store the key "FACEBOOK_CUSTOMER_SECRET" rather than "AKED223KWN" or something else random. And, why wouldn't you at least pad and scramble the key, so it would be a little harder to pick it out of memory.
That's not how API keys work; scramble them and they're different. What I gathered is that the authors didn't look for glaringly obvious things like variable names, but did a more generic scan for strings or keys that look like encryption keys. Obfuscation won't help there. I don't know if it's possible to encrypt your entire codebase and still end up with a workable app - after all, the decryption would still need to be done on a potentially unsafe device.
Obviously a scrambled key wouldn't work if you try to use it subsequently in it's scrambled from. But you can store the these keys in a safer way. There are numerous ways you can obfuscate the key. For instance, convert the key to binary and store it 1 bit at a time, every 8 bits, in a bitmap log. Or think of something more elegant. Write the accessor function that pulls the key on the fly and returns a string. I know, you can still read the key our of memory, but all of the sudden you need to do a lot more work to pull it.
Also, scrambling function and variable names is always a good idea, it makes reverse engineering your app a lot harder. And there are many programs on the market that will do this for you automatically.
I m wondering if there is any alternative to storing API keys and tokens in the source of the app ?
Proxying all calls through our own server seems like an expensive way of solving this problem. Because if the client is compromised it doesn't do much anyway.
There is a tool for moving API keys out of the source: Keystok stores encrypted API keys and tokes in a cloud service and lets the App / client retrieve them during runtime.
Shoot me down if I'm missing something obvious here, but:
One solution would be for Apple and Android to have an "environment" section for applications. You'd be able to set these environment keys when publishing the app.
Apple and Android could provide an API to these environment keys, and they'd be published in an encrypted form as part of the application manifest.
Bonus Points: It would be relatively simple to provide the facility from the AppStore provider for changing / cancelling these keys.
While not an API as such both OS's provide a User defaults/App default storage area. It's not that hard to encrypt your key in an outside process and then have your app write it to that location in encrypted format. Then make a request to the server to supply the key to decrypt the api key. Then again you are making it a little harder to break in but not much. The better tactic is to just limit the API access to as little as possible and make the API as secure as possible.
39 comments
[ 3.2 ms ] story [ 103 ms ] threadThe paper also says they found amazon tokens, with which you can spawn instances. I think you can use other kind of authentication that don't give access to the whole account.
I dunno. I've wondered about all this myself quite a lot, perhaps its a non-issue?
If you're shipping root account AWS keys in any app, you're doing it wrong.
Best writeup for Google I've found: http://www.riskcompletefailure.com/2013/10/google-android-cl... (author talks about "PlusClient" which is now deprecated in favor of "GoogleApiClient", but other than that, the article is accurate - but missing server-side details).
It's a lot harder. So I'm guessing many devs just skip it.
Ideally: either the service allows you to generate short-lived tokens (server-side, ideally without a request to the service), or you sign requests for the client. In the latter, you generally gain some measure control over what apps can do, with relatively small cost. Basically that's what you can do with S3 file uploads - your server can generate a signed URL, then the client can upload to it, all while you retain complete control of your API secrets.
I wonder in what circumstances the author thinks users can be 100% certain that the app they are downloading is entirely secure. Cause, yeah, there aren't any.
1. the user is side-loading an app they wrote themselves (or is an internal Apple/Google developer who uploaded an app to their app store and audited the entire sausage-making process as it transpired),
and 2. the app does literally nothing,
then the user can be 100 percent certain that the app does what it does securely.
So, now you have those keys. What are you going to do with them? Just because you have the "app" key doesn't mean you have access to any sort data. The worst you can do is write an authentication flow with some other companies app keys, and then what?
Can someone please explain what the security issue here is?
(Of course there might be some APIs that allow doing more by interacting with them directly than what the app originally allowed, but I think those are just cases of bad design.)
Some of them also have a HTML5-App (with a wrapper) available for Android. This app uses the same API.
So some malicious developer could just unzip the app, read the JavaScript and find the API-key, and use their key instead of paying for one.
And as the website usually has many accesses from the same IP (due to mobile users being behind NATs), the Website will never find out that someone is abusing their API.
https://github.com/search?o=desc&q=_CONSUMER_SECRET&ref=sear...
There are suggestions in comments here that you hide your third party API keys in your own backend server, and your app queries for the API keys and then makes the call from the client using the temporary downloaded keys.
So how do you secure your own server's API keys? That's just a Russian doll implementation.
I can't see a valid way to access an API key using a consumer key / secret without storing them in the application.
Any suggestions?
[1] http://www.cs.columbia.edu/~nieh/pubs/sigmetrics2014_playdro...
Because you've registered this information, Facebook will only allow your app to perform actions if it not only has the correct API key but also matches the registered details. I suppose this means that if someone decompiles your app and steals your key they can't perform actions pretending to be you.
*edit I mean it's not true that the attacker can't impersonate your app. Your description of how it works looks right on to me. :)
https://github.com/facebook/facebook-android-sdk/blob/master...
The process is described here: https://developers.facebook.com/docs/android/getting-started...
The Facebook app for Android is closed source; however, the Facebook Android SDK seems to verify requests from the Facebook app in a similar way: https://github.com/facebook/facebook-android-sdk/blob/master...
I imagine that it works like that the other way around as well: Check whether the code signature of the Intent's sender matches the app developer certificate.
Also, scrambling function and variable names is always a good idea, it makes reverse engineering your app a lot harder. And there are many programs on the market that will do this for you automatically.
Proxying all calls through our own server seems like an expensive way of solving this problem. Because if the client is compromised it doesn't do much anyway.
Its not just about moving keys out of the source, but about getting rid of local config files altogether. Related post on their blog: http://blog.keystok.com/why-i-stopped-using-local-config-fil...
Disclosure: I'm a developer at Keystok.
One solution would be for Apple and Android to have an "environment" section for applications. You'd be able to set these environment keys when publishing the app.
Apple and Android could provide an API to these environment keys, and they'd be published in an encrypted form as part of the application manifest.
Bonus Points: It would be relatively simple to provide the facility from the AppStore provider for changing / cancelling these keys.