How to store sensitive data on iOS / Android using Xamarin?

I have an application in which I have to store some sensitive configuration data (API URL, analytics keys, etc.). The first idea was to store all of the information in an XML file and read from it during the app initialization phase. Unfortunately, this is no longer the case, because when I extracted the .ipa/.apk files I managed to find the config.xml file, which was embedded as a resource, after further extraction of the .dll.

It can be easily solved for Android by "embedding assemblies in native code", which generates a .so, and the config file is no longer easily accessible; however, iOS's .ipa file is still accessible and open to simple reverse engineering.

Do you guys have any idea how I could make sure this config is secured at some point? Or maybe you know some good practices regarding storing such data on the Xamarin platform?

I was hoping to use some obfuscation tools like Babylon or Dotfuscator, but I'm working on macOS and they do not support this OS.

Answers

  • Steve1000 (Member ✭✭)

    I was looking into this as well and came across the Xamarin.Auth module, which lets you store items in the built-in Keychain on iOS and, I believe, the equivalent on Android. Would that work?

    I was planning to use this approach for a similar use case, to store access tokens, etc.

  • seanyda (GB, Member ✭✭✭✭✭)

    @Steve1000 said:
    I was looking into this as well and came across the Xamarin.Auth module, which lets you store items in the built-in Keychain on iOS and, I believe, the equivalent on Android. Would that work?

    I was planning to use this approach for a similar use case, to store access tokens, etc.

    Yeah, Xamarin.Auth would work here. It uses Android's KeyStore and the iOS Keychain to store the information securely.

    Read the documentation about it here:
    https://github.com/xamarin/Xamarin.Auth/blob/master/docs/readme.md

    But it looks like this is all it takes:

    AccountStore.Create ().Save (eventArgs.Account, "Facebook");
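
    As an added example (not code from the thread or from the Xamarin.Auth project), here is a small wrapper around the AccountStore API that the answer above points at: it saves a token for a user, reads it back, and removes it. The service identifier "MyApp.Backend", the property name "access_token" and the TokenStore class name are choices made for this example. One caveat a practitioner should keep in mind: this protects data at rest on the device from other apps, it does not hide a value that the app itself must hold (such as an API URL) from someone reverse-engineering the package, which is the gap the next reply raises.

```csharp
using System.Collections.Generic;
using System.Linq;
using Xamarin.Auth;

// Added example: a thin wrapper over Xamarin.Auth's AccountStore.
// ServiceId and TokenKey are assumptions made for this illustration.
public static class TokenStore
{
    const string ServiceId = "MyApp.Backend";   // assumed; groups the Accounts belonging to this app
    const string TokenKey = "access_token";     // assumed; key inside Account.Properties

    // On iOS AccountStore.Create() is backed by the Keychain; on Android the store
    // lives in app-private storage. Some Xamarin.Auth versions expose an Android
    // overload that takes a Context; use that one if the parameterless call is missing.
    static AccountStore Store => AccountStore.Create();

    // Persist a token for the given user under this app's service identifier.
    public static void Save(string username, string token)
    {
        // Account.Properties is a free-form string dictionary; keep only what is needed.
        var props = new Dictionary<string, string> { { TokenKey, token } };
        Store.Save(new Account(username, props), ServiceId);
    }

    // Return the stored token for the user, or null if none is present.
    public static string Load(string username)
    {
        var account = Store.FindAccountsForService(ServiceId)
                           .FirstOrDefault(a => a.Username == username);
        if (account == null) return null;
        return account.Properties.TryGetValue(TokenKey, out var token) ? token : null;
    }

    // Remove every entry for the user (e.g. on logout). ToList() avoids
    // mutating the store while iterating over its results.
    public static void Clear(string username)
    {
        var matches = Store.FindAccountsForService(ServiceId)
                           .Where(a => a.Username == username)
                           .ToList();
        foreach (var account in matches)
            Store.Delete(account, ServiceId);
    }
}

// Usage (e.g. after a successful login):
//   TokenStore.Save("alice", token);
//   var t = TokenStore.Load("alice");
//   TokenStore.Clear("alice");
```

    The wrapper always goes through FindAccountsForService so that a user with no stored entry yields null rather than an exception, and Clear deletes all matching accounts rather than assuming there is exactly one.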
    
  • SagarPanwala (US, Member ✭✭✭)

    @seanyda: this is still not clear to me. I have to hardcode the base REST API URL in code so I can use it in REST calls. Now, if I decompile the build, I'm able to get the URL and I can get data from it. So I want to hide or encrypt the URL so that, after decompiling, it won't show up.

  • JamesLavery (GB, Beta, University ✭✭✭✭✭)

    Store the URL in a configuration file, and load it at runtime, so that the URL is not in code and visible when decompiled.

    Of course, if someone roots the device they can then probably get the configuration file and get your secret.

    So the next step is to encrypt the configuration file, and then read/decrypt the contents at runtime. This is still ultimately crackable if someone decompiles your code to find the decryption code, incorporates that code into a console/utility app, and then passes the encrypted file through this app.

    However, both the above approaches avoid having secrets in the code.
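
    The encrypted-configuration step described above, written out as an added example (this is not code from the thread): a build-time Encrypt that produces the blob to embed as a resource, and a runtime path that verifies an HMAC before decrypting with AES-CBC and then reads the plaintext config. The resource name "MyApp.config.enc", the blob layout (IV, then ciphertext, then a 32-byte HMAC-SHA256 tag) and the placeholder keys are assumptions made here. The keys live in the assembly on purpose, to make the point of the answer concrete: anyone who decompiles the app can lift them and run the same Decrypt over the resource, so this raises the effort needed, not the assurance.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example of "encrypt the config file, decrypt at runtime".
// Layout of the blob (assumed here): [16-byte IV][AES-CBC ciphertext][32-byte HMAC-SHA256 tag]
public static class EncryptedConfig
{
    // Placeholder keys (assumed). Anything the app can read at runtime, a
    // decompiler can read too; obfuscating or splitting them only adds effort.
    static readonly byte[] EncKey = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // 32 bytes -> AES-256
    static readonly byte[] MacKey = Encoding.ASCII.GetBytes("fedcba9876543210fedcba9876543210"); // separate key for the MAC

    const int IvLen = 16;   // AES block size
    const int TagLen = 32;  // HMAC-SHA256 output size

    // Build-time helper (run on the developer machine): returns the blob to ship as a resource.
    public static byte[] Encrypt(string plaintext)
    {
        using (var aes = Aes.Create())   // default mode CBC, PKCS7 padding
        {
            aes.Key = EncKey;
            aes.GenerateIV();            // fresh random IV for every encryption
            using (var enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                byte[] ivAndCt = aes.IV.Concat(ct).ToArray();
                using (var hmac = new HMACSHA256(MacKey))
                    return ivAndCt.Concat(hmac.ComputeHash(ivAndCt)).ToArray(); // encrypt-then-MAC
            }
        }
    }

    // Runtime: check the tag first, then decrypt. Rejecting a tampered blob before
    // the CBC decryption runs keeps padding errors from leaking anything.
    public static string Decrypt(byte[] blob)
    {
        if (blob == null || blob.Length < IvLen + TagLen)
            throw new CryptographicException("config blob too short");

        byte[] ivAndCt = blob.Take(blob.Length - TagLen).ToArray();
        byte[] tag = blob.Skip(blob.Length - TagLen).ToArray();
        using (var hmac = new HMACSHA256(MacKey))
        {
            if (!FixedTimeEquals(hmac.ComputeHash(ivAndCt), tag))
                throw new CryptographicException("config blob failed integrity check");
        }

        using (var aes = Aes.Create())
        {
            aes.Key = EncKey;
            aes.IV = ivAndCt.Take(IvLen).ToArray();
            using (var dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(ivAndCt, IvLen, ivAndCt.Length - IvLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    // Constant-time comparison, spelled out because CryptographicOperations.FixedTimeEquals
    // is not available on older Mono/Xamarin targets.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Read the embedded resource (assumed logical name) and return the decrypted config text.
    public static string LoadEmbedded(string resourceName = "MyApp.config.enc")
    {
        var asm = typeof(EncryptedConfig).Assembly;
        using (var stream = asm.GetManifestResourceStream(resourceName))
        {
            if (stream == null) throw new FileNotFoundException("embedded resource not found", resourceName);
            using (var ms = new MemoryStream())
            {
                stream.CopyTo(ms);
                return Decrypt(ms.ToArray());
            }
        }
    }
}

// Usage: File.WriteAllBytes("config.enc", EncryptedConfig.Encrypt("<config><apiUrl>https://api.example.test</apiUrl></config>"));
//        then mark config.enc as an EmbeddedResource and call EncryptedConfig.LoadEmbedded() at start-up.
```

    Two design points worth noting: the MAC is checked before any decryption is attempted, and the IV is random per encryption so re-encrypting the same config does not produce the same ciphertext. Neither changes the conclusion of the answer: the Decrypt method and its keys ship inside the app, so the protection is against casual inspection, not against a determined reverse engineer.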
