Storing secret information in SecureStore (secret for user)

I have a question about security.

Imagine having an API that checks username and password which accepts a username and password in the multipart formdata.

To use this API you will ALSO need to use a username and password for the API itself using Basic auth.

Is it safe to store the username and password for this API service (NOT FOR THE USER) in the SecureStore?

SecureStore lets you store data that is protected with hardware-secured private keys (if the phone supports it – e.g. Apple is especially good about this). This way if someone loses their phone and someone else tries to read the data off of the phone, the data will stay private.

SecureStore would be a good candidate for storing an authentication token that you get back from an API. However, it’s important that you obtain the API credentials securely as well, otherwise they aren’t secure. For example, if the user were to type in their username and password, which you send to your server over HTTPS, and then you were to get back API credentials in the HTTPS response, the API credentials would likely be secure.

However, do note that the user now has the API credentials. Sometimes this is OK if each user has a different set of credentials (e.g. with AWS IAM). This probably isn’t OK if you – the developer – have one set of credentials that all users share. In this case, you should keep the API credentials on your server.

Additionally, if you were to embed the API credentials in your JS bundle, however, they’d be terribly insecure, because someone could easily download your JS bundle or retrieve it from your IPA / APK and just look for the credential strings inside of it. This isn’t specific to JS at all, either: Java byte code and native ARM assembler are not much harder to extract strings from. “Client secret” is often an oxymoron, be careful of that.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.