How to store sensitive data on iOS / Android using Xamarin?

I have an application in which I have to store some sensitive configuration data (API URL, analytics keys, etc.). My first idea was to store all of the information in an XML file and read from it during the app initialization phase. Unfortunately this is no longer the case because when I extracted the .ipa/.apk files I managed to find the config.xml file, which was embedded as a resource, after further extraction of the .dll.

It can be easily solved for Android by "embedding assemblies in native code", which generates a .so, and the config file is no longer easily accessible; however, iOS's .ipa file is still accessible and open to simple reverse engineering.

Do you guys have any idea how I could make sure this config is secured at some point? Or maybe you know some good practices regarding storing such data on the Xamarin platform?

I was hoping to use some obfuscation tools like Babylon or Dotfuscator, but I'm working on macOS and they do not support this OS.

Answers

  • Steve1000 Member ✭✭

    I was looking into this as well and came across the Xamarin.Auth module, which lets you store items in the built-in Keychain in iOS and, I believe, the equivalent for Android - would that work?

    I was planning to use this approach for a similar use case, to store access tokens, etc.

  • seanyda GB Member ✭✭✭✭✭

    @Steve1000 said:
    I was looking into this as well and came across the Xamarin.Auth module, which lets you store items in the built-in Keychain in iOS and, I believe, the equivalent for Android - would that work?

    I was planning to use this approach for a similar use case, to store access tokens, etc.

    Yeah, Xamarin.Auth would work here. It uses Android's KeyStore and the iOS Keychain to store the information securely.

    Read the documentation about it here:
    https://github.com/xamarin/Xamarin.Auth/blob/master/docs/readme.md

    But it looks like this is all it takes:

    AccountStore.Create ().Save (eventArgs.Account, "Facebook");
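
The check described in the question (unpack the .ipa/.apk, then look inside the .dll files for the embedded config.xml) can be automated and run against your own build before release. This is an added example, not code from the thread; the marker strings and the sample archive are constructed assumptions, and compressed or natively bundled assemblies are not unpacked, so a clean result only covers plainly stored entries.

```python
import io
import zipfile

# Assumption for this example: element names that appear only in the app's config.xml.
MARKERS = ("<ApiUrl>", "<AnalyticsKey>")

def find_markers(data):
    """Markers present in a blob. Embedded resources keep the original file
    bytes, so an XML config shows up as UTF-8 or UTF-16LE text inside the .dll."""
    return [m for m in MARKERS
            if m.encode("utf-8") in data or m.encode("utf-16-le") in data]

def scan_package(package):
    """Scan an .ipa/.apk (both are zip archives) given as a path or file object.
    Returns a sorted list of (entry_name, marker) findings."""
    findings = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for marker in find_markers(zf.read(info)):
                findings.append((info.filename, marker))
    return sorted(findings)

def build_sample_ipa():
    """Constructed sample: a tiny fake .ipa whose 'assemblies' are stand-in
    bytes, not real PE files."""
    xml = "<Config><ApiUrl>https://api.example.invalid</ApiUrl></Config>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Demo.app/Demo.Core.dll",
                    b"MZ\x90\x00" + xml.encode("utf-8"))
        zf.writestr("Payload/Demo.app/Demo.UI.dll",
                    b"MZ\x90\x00" + "<AnalyticsKey>k</AnalyticsKey>".encode("utf-16-le"))
        zf.writestr("Payload/Demo.app/Info.plist", b"<plist></plist>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    results = scan_package(build_sample_ipa())
    for name, marker in results:
        print(f"{name}: contains {marker}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails a release job
```

In a build pipeline, pass the path of the produced .ipa or .apk to `scan_package` instead of the constructed sample.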
    