How to preserve sensitive information in a client-side binary?
I am looking to develop an Android / iPhone application that will use a private (non-free) API with an embedded client key.

Now, since it is possible to reverse-engineer application binaries and scrape out strings, I am worried about losing my client key and thereby exposing the private API to an attacker.

How should I manage this? Can you provide links to articles discussing such situations?

Considering I have development access to the private API, what mechanism can I build into it to preserve the privacy of the whole system?

Communicative asked 2/1, 2012 at 14:53

It will always be possible to use the private API if you have access to your application's code (see this thread as well). You can make it harder, though, and you can restrict the use of the API with the following options:

1) If it's not "your" API, don't put the key into the app but into a server you are running to serve as a proxy for the foreign service (you probably still want another key for your server to go into the app then).

2) Encrypt/scramble the key so it is not grabbed easily:

  • Simple example for scrambling: put the key into a file; generate a random file of the same length; XOR the key file with the random file (and write it to disk again); whenever you need the key, read both files and XOR them again (any reversible operation instead of XOR will do; a more complex operation, spread over your code, will make it harder for the reverse engineer).
  • Encrypt your key using a passphrase spread over your app (on deployment Android apps are obfuscated anyway, so finding it gets a bit harder).

3) If it's your service or you have a proxy set up, restrict the number of uses per client/IP, or offer only parts of the service over your proxy.

Note, option 1 may even be required if you have a contract which forbids making your key public.

Intoxicate answered 2/1, 2012 at 17:01
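Option 2 above, worked through as an added example (this is not code from the question or the answer). It scrambles a constructed placeholder key with a random pad of the same length, writes both halves to disk, and recovers the key by XORing them again. The `printable_strings` helper imitates what the `strings` tool reports, to show that the literal key no longer appears in either file; `read_key` shows the flip side, which the answer and its comments also make: anyone who has both files and the code recovers the key exactly as the app does, so this raises the cost of extraction without preventing it. File names and the key value are assumptions made for the example.

```python
"""XOR-pad scrambling of an embedded client key (option 2 in the answer).

Added example. The key below is a constructed placeholder, not a real credential.
"""
import os
import re
import secrets
import tempfile

# Constructed placeholder key for the example (assumption, not a real key).
CLIENT_KEY = b"example-client-key-0123456789abcdef"


def scramble(key: bytes) -> tuple[bytes, bytes]:
    """Return (pad, masked): pad is random, masked = key XOR pad."""
    pad = secrets.token_bytes(len(key))
    masked = bytes(k ^ p for k, p in zip(key, pad))
    return pad, masked


def unscramble(pad: bytes, masked: bytes) -> bytes:
    """XOR is its own inverse: applying the same pad restores the key."""
    if len(pad) != len(masked):
        raise ValueError("pad and masked key must have the same length")
    return bytes(m ^ p for m, p in zip(masked, pad))


def write_scrambled(key: bytes, directory: str) -> tuple[str, str]:
    """Build step: write the two halves that ship inside the app bundle."""
    pad, masked = scramble(key)
    pad_path = os.path.join(directory, "pad.bin")      # assumed file name
    masked_path = os.path.join(directory, "key.bin")   # assumed file name
    with open(pad_path, "wb") as f:
        f.write(pad)
    with open(masked_path, "wb") as f:
        f.write(masked)
    return pad_path, masked_path


def read_key(pad_path: str, masked_path: str) -> bytes:
    """Runtime step: what the app does whenever it needs the key.

    An attacker with the same two files and this function gets the same result.
    """
    with open(pad_path, "rb") as f:
        pad = f.read()
    with open(masked_path, "rb") as f:
        masked = f.read()
    return unscramble(pad, masked)


def printable_strings(data: bytes, min_len: int = 8) -> list[bytes]:
    """Imitate `strings`: runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def demo() -> dict:
    """Scramble the placeholder key and report what each side can see."""
    with tempfile.TemporaryDirectory() as d:
        pad_path, masked_path = write_scrambled(CLIENT_KEY, d)
        with open(masked_path, "rb") as f:
            masked = f.read()
        with open(pad_path, "rb") as f:
            pad = f.read()
        return {
            # a `strings`-style scan of the shipped files does not show the key
            "key_visible_in_masked": CLIENT_KEY in masked,
            "key_visible_in_pad": CLIENT_KEY in pad,
            "strings_hit": any(CLIENT_KEY in s for s in printable_strings(masked)),
            # but the app's own read path recovers it, and so can an attacker
            "recovered": read_key(pad_path, masked_path),
        }


if __name__ == "__main__":
    print(demo())
```

The answer's suggestion to spread the reversing operation over the code changes nothing in principle: the reverse engineer either reads the operation out of the binary or simply hooks the function that returns the plaintext key and lets the app do the work.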
(1) Putting it on a server again creates the problem of safeguarding the server URL. (2) I would like to know the other methods, since I am worried about the decompilers. (3) How can I restrict the uses per client/IP in the case of unknown mobile phones as clients? Please suggest something else. (Communicative)
1) Of course, that's what I said: your clients just won't get the actual key. (Intoxicate)
3) I'm not sure where the problem should be; you could e.g. restrict the use of the service to 10 times a day per IP (it does not matter whether you 'know' the phone or not). (Intoxicate)
2) Probably you are expecting too much here: you cannot completely avoid reverse engineering (see the thread I've linked above now). (Intoxicate)
(2) That is why I said I would like to know more methods. (Communicative)
(3) I mean I want my legitimate mobile app to make unlimited calls to the API, so how can I distinguish my legitimate mobile app from an attacker's calls? (Communicative)
3) Essentially: you can't (if he behaves like your app). (Intoxicate)
That's the root problem of the above question! (Communicative)
It seems there is no absolute/promising way of storing sensitive information inside a client binary. (Communicative)
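Options 1 and 3 from the answer, and the comment thread's point about the 10-per-day-per-IP limit, as an added example (not code from the question, the answer or the commenters). A small in-memory model of the proxy holds the real upstream key on the server side only; the app presents a separate app key, and the proxy enforces a daily per-IP quota before forwarding. The clock is passed in so the day rollover can be exercised deterministically. The key values, the limit of 10, the addresses and the `call_upstream` stand-in are all assumptions; a real proxy would also need persistent counters and would sit behind TLS.

```python
"""Proxy that keeps the upstream key server-side and rate-limits per client IP.

Added example modelling options 1 and 3 of the answer. All keys are constructed
placeholders, not real credentials; the upstream call is a stand-in.
"""
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Held only on the proxy; never compiled into the mobile app (option 1).
UPSTREAM_KEY = b"upstream-key-held-only-on-the-proxy"   # assumed placeholder
# The "other key" the answer mentions: this one does ship in the app.
APP_KEY = b"app-key-shipped-in-the-binary"              # assumed placeholder

DAILY_LIMIT = 10           # the 10-per-day-per-IP figure from the comments
SECONDS_PER_DAY = 86_400


def call_upstream(key: bytes) -> str:
    """Stand-in for the real (non-free) API call made with the server-side key."""
    return f"upstream ok ({len(key)} byte key)"


@dataclass
class Proxy:
    limit_per_day: int = DAILY_LIMIT
    # client IP -> [day number, requests seen on that day]
    _usage: dict = field(default_factory=lambda: defaultdict(lambda: [None, 0]))

    def handle(self, client_ip: str, presented_key: bytes, now: float) -> tuple[int, str]:
        """Process one app request; returns an HTTP-like (status, body)."""
        # Constant-time comparison so the app key cannot be guessed byte by byte
        # through response timing.
        if not hmac.compare_digest(presented_key, APP_KEY):
            return 401, "bad app key"

        day = int(now // SECONDS_PER_DAY)
        entry = self._usage[client_ip]
        if entry[0] != day:          # first request of a new day: reset the counter
            entry[0], entry[1] = day, 0
        if entry[1] >= self.limit_per_day:
            return 429, "daily quota exceeded for this IP"
        entry[1] += 1

        # Only the proxy ever touches UPSTREAM_KEY.
        return 200, call_upstream(UPSTREAM_KEY)


def simulate() -> dict:
    """Drive the proxy with a constructed sequence of requests."""
    proxy = Proxy()
    t0 = 0.0
    # Twelve requests from one address on day 0: ten succeed, two are refused.
    first_day = [proxy.handle("198.51.100.7", APP_KEY, t0 + i)[0] for i in range(12)]
    # A different address has its own quota.
    other_ip = proxy.handle("203.0.113.9", APP_KEY, t0 + 20)[0]
    # A caller without the app key is refused before the quota is consulted.
    wrong_key = proxy.handle("203.0.113.9", b"guess", t0 + 21)[0]
    # The first address is allowed again once the day rolls over.
    next_day = proxy.handle("198.51.100.7", APP_KEY, t0 + SECONDS_PER_DAY + 1)[0]
    return {
        "first_day": first_day,
        "other_ip": other_ip,
        "wrong_key": wrong_key,
        "next_day": next_day,
    }


if __name__ == "__main__":
    print(simulate())
```

The model shows the limit the commenters converge on: an attacker who extracts `APP_KEY` and behaves like the app gets the same 10 calls per day per address as a legitimate user, so the quota caps the damage rather than telling the two apart, while the upstream key itself never leaves the proxy.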
