I'm currently building an Android app that uses OAuth to sign in to a service. With OAuth, I need to provide a client ID and a client secret to the service so it can identify my app. Right now, I'm storing the credentials like this:
public class Creds {
public static final String CLIENT_ID = "THE_CLIENT_ID";
public static final String CLIENT_SECRET = "THE_CLIENT_SECRET";
}
Obviously, this is not secure at all. Anyone can just decompile the APK file and see the strings instantly. How can I prevent people from doing so?
I wouldn't consider an obfuscator an acceptable solution since anyone who goes through enough effort can still recreate the strings.
note: This is not a dupe of this question since that discusses how to keep strings out of source control, not hide them inside the APK file. For example, a configuration file containing the keys could be kept out of source control but present in the decompiled APK.
edit: What if I put the strings in native code and retrieved them via JNI? Native code is much harder to decompile.
Best Answer
Why is it holding the secret? The app should never be holding the secret.
Your back end (or the validation service you're using) for performing the authentication round trip should be holding the secret and nothing else should ever contain it. The client ID needs to be available for the user, it's what they use to know what they're authenticating for so that's necessary for them to be able to view.
Yet again; the secret is secret and you should never give your users the chance to even catch a glimpse of it. If you do anyone can pose as you.