Best Practice for Sensitive Configuration Data

What are some best practices around obtaining sensitive app configuration data? The two "data topics" I am mostly concerned about are client id and client secret for OIDC authentication, but this would also go for less sensitive data such as service endpoints, etc.

On first run of app, should a call be made to an (un)protected service endpoint to get this data?

Answers

  • LandLu (Member, Xamarin Team Xamurai)

    Client id and secret are generally encrypted; this is a way of protecting the sensitive data. Even if anyone else gets this code, they won't know how to use it. Usually the client id is used in the project which runs on the client side. This code won't be exposed to others, and the client secret is used on the server part, which is also safe.
    For some users' sensitive data like passwords, we can encode it using some encryption algorithm, maybe MD5. Then store it on the disk; for iOS, maybe writing to the keychain is a good choice.

  • RyanMendoza (USMember ✭✭)

    @LandLu how do you get the client secret to the phone to be encrypted?
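An added illustration of the storage advice in LandLu's answer (example code, not posted by anyone in the thread): the public client id ships in the app, no client secret is stored on the device at all, and the token obtained at runtime goes into platform-protected storage via Xamarin.Essentials SecureStorage, which is backed by the Keychain on iOS. The class and key names are assumptions made for this example.

```csharp
using System.Threading.Tasks;
using Xamarin.Essentials;

// Added example, not from the original thread. Assumes the Xamarin.Essentials
// package is referenced; SecureStorage uses the iOS Keychain (and the Android
// KeyStore) under the hood, so the app never handles the raw protection itself.
public static class AuthConfigStore
{
    // The OIDC client id is a public identifier and may be compiled into the app.
    public const string ClientId = "example-mobile-app"; // constructed placeholder

    // Deliberately no ClientSecret member: as LandLu's answer says, the secret
    // belongs to the server side, so a mobile app should not carry a copy.

    private const string RefreshTokenKey = "oidc_refresh_token"; // assumed key name

    // Persist a token received at runtime in Keychain-backed storage, not a plain file.
    public static Task SaveRefreshTokenAsync(string refreshToken) =>
        SecureStorage.SetAsync(RefreshTokenKey, refreshToken);

    // Returns null when nothing has been stored yet, e.g. on the app's first run.
    public static Task<string> LoadRefreshTokenAsync() =>
        SecureStorage.GetAsync(RefreshTokenKey);

    // Remove the token on sign-out so it does not outlive the user's session.
    public static bool ClearRefreshToken() =>
        SecureStorage.Remove(RefreshTokenKey);
}
```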
