Store sensitive data

SteveRussell Member ✭✭✭

I have some sensitive keys that I want to have in my app, but I don't want to store them in the shared project for obvious reasons. On Android, you can store keys in the .gradle file and read them from there. I want to do the same but for Xamarin Forms. Is there a way I can store them somewhere and access them in the shared project?

Similar to https://github.com/sameerkapps/SecureStorage but I want to hardcode the keys and simply access them like on SecureStorage.

Answers

  • PatrickJelitto Member ✭✭✭

    @SteveRussell you can take a look at this similar thread: https://forums.xamarin.com/discussion/119715/how-to-store-sensitive-data-on-ios-android-using-xamarin
    maybe it can help you :) greets

  • ColeX Member, Xamarin Team Xamurai

    The usage of SecureStorage is very simple. What's the meaning of hardcoding the keys?

    Would you like to create a class for storing those keys?

    public class KeyClass
    {
        // Key names passed to SetValue/GetValue below
        public static string Key1 = "key1";
        public static string Key2 = "key2";
        // ... further key names
    }
    

    SetValue - Stores the key and value.

    CrossSecureStorage.Current.SetValue(KeyClass.Key1, "1234567890");
    

    GetValue - Returns the value for the given key. If not found, returns default value.

    var sessionToken = CrossSecureStorage.Current.GetValue(KeyClass.Key1);
    
  • SteveRussell Member ✭✭✭
    > @PatrickJelitto said:
    > @SteveRussell you can take a look at this similar thread: https://forums.xamarin.com/discussion/119715/how-to-store-sensitive-data-on-ios-android-using-xamarin
    > maybe it can help you :) greets

    Hi Patrick,

    I’m having the same problem, and James Lavery’s answer seemed like the best option but I’m not sure how to accomplish it. I’m pretty new
  • SteveRussell Member ✭✭✭
    > @ColeX said:
    > The usage of SecureStorage is very simple. What's the meaning of hardcoding the keys?
    >
    > Would you like to create a class for storing those keys?
    >
    > public class KeyClass
    > {
    >     public static string Key1 = "key1";
    >     public static string Key2 = "key2";
    >     // ...
    > }
    >
    > SetValue - Stores the key and value.
    >
    > CrossSecureStorage.Current.SetValue(KeyClass.Key1, "1234567890");
    >
    > GetValue - Returns the value for the given key. If not found, returns default value.
    >
    > var sessionToken = CrossSecureStorage.Current.GetValue(KeyClass.Key1);

    This will be easy to retrieve by hackers. You can reverse engineer the app and find the string "key1".

    By hard code I mean store the key as a string in the shared project, instead of calling it from somewhere else (outside of the app). That’s why I wanted something similar to .gradle for Android Studio. I could store the key in .gradle and just call it anywhere using something like BuildConfig.key1

    My question is, is there a way I can store the key somewhere in my project and for it not to be easily visible when reverse engineered? And then just access it using CrossSecureStorage.GetValue("Key1") or similar.
  • ColeX Member, Xamarin Team Xamurai
    edited May 2019

    > is there a way I can store the key somewhere in my project and for it not to be easily visible when reverse engineered?

    You could create encryption/decryption for KeyClass, or store/get the key with a web service.

    However, I think it's unnecessary, since SecureStorage itself is secure enough; we don't need to do extra stuff when accessing keys.

  • SteveRussell Member ✭✭✭
    > @ColeX said:
    > is there a way I can store the key somewhere in my project and for it not to be easily visible when reverse engineered?
    >
    > You could create encryption/decryption for KeyClass, or store/get the key with a web service.
    >
    > However, I think it's unnecessary, since SecureStorage itself is secure enough; we don't need to do extra stuff when accessing keys.

    How would I be able to store the key securely? The string is in my code as:

    public string SecretKey = "xxxxxxxxxxx";

    For user’s data like tokens, I use:

    CrossSecureStorage.Current.SetValue("token", user.token);

    But if I do the same for SecretKey it becomes redundant because the key is still visible, or am I missing something?

    CrossSecureStorage.Current.SetValue("Secret", "xxxxxxxx");
  • ColeX Member, Xamarin Team Xamurai

    Create a library with a single class KeyClass; this is the only way I could think of.

  • NMackay GBInsider, University admin

    Why not use Xamarin.Essentials?

  • Amar_Bait DZMember ✭✭✭✭✭
    edited June 2019

    Answer is easy. NEVER store sensitive data/keys inside an app. Any app can be decompiled and read easily (even obfuscated).

    So you need to rethink your architecture. For example, if you're storing an API key or any sort of credentials then you need a web server that acts as a proxy between you and the service you want to call.

  • SteveRussell Member ✭✭✭
    Are there any detailed tutorials for that? I’m sort of new to this approach. What would I need to achieve it?
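
The proxy arrangement described in Amar_Bait's answer, as an added example that is not part of the original thread: an ASP.NET Core minimal API that keeps the third-party key on the server and forwards only allow-listed requests from authenticated users. The upstream host, identity provider URL, audience, `X-Api-Key` header, routes and the `UPSTREAM_API_KEY` setting are all assumptions.

```csharp
// Program.cs for an ASP.NET Core (.NET 6+) minimal API project.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package.
// Added example: hosts, header name, routes and setting names are hypothetical.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Per-user bearer tokens are validated against the identity provider (placeholder URL).
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.example.com/";
        options.Audience = "mobile-proxy";
    });
builder.Services.AddAuthorization();
builder.Services.AddHttpClient("upstream", client =>
{
    client.BaseAddress = new Uri("https://api.example.com/"); // placeholder third-party service
    client.Timeout = TimeSpan.FromSeconds(10);
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The key comes from server configuration (environment variable or secret store).
// It is never compiled into the Xamarin.Forms assembly.
string apiKey = app.Configuration["UPSTREAM_API_KEY"]
    ?? throw new InvalidOperationException("UPSTREAM_API_KEY is not configured");

// Allow-list of upstream paths, so the proxy cannot spend the key on arbitrary endpoints.
var allowedPaths = new HashSet<string>(StringComparer.Ordinal) { "v1/quotes", "v1/rates" };

app.MapGet("/proxy/{**path}", async (string path, HttpRequest request, IHttpClientFactory factory) =>
{
    if (!allowedPaths.Contains(path))
        return Results.NotFound();

    using var upstream = new HttpRequestMessage(HttpMethod.Get, path + request.QueryString.Value);
    upstream.Headers.Add("X-Api-Key", apiKey); // header name depends on the upstream service

    using var response = await factory.CreateClient("upstream").SendAsync(upstream);
    if (!response.IsSuccessStatusCode)
        return Results.StatusCode(StatusCodes.Status502BadGateway);

    // Only the body goes back to the app; upstream headers are not echoed.
    var body = await response.Content.ReadAsStringAsync();
    return Results.Content(body, "application/json");
}).RequireAuthorization();

app.Run();
```

On the device, the app calls `/proxy/v1/quotes` with the per-user token it already keeps in SecureStorage as the bearer token, so the third-party key never reaches the phone.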