Store Client Secret in App

Question
-
Hi,
I am building a Windows Store app which allows users to authenticate themselves via Yammer. I am presently storing both the client ID and the client secret so that I can pass them when performing OAuth authentication.
However, I realize that keeping the client secret in the app may be dangerous, as it could be misused.
How do I keep my credentials secure and retrieve them?
I am developing the application in C#.
Tuesday, January 7, 2014 11:27 AM
Answers
-
The only way to truly keep a secret a secret is to never store it (a fundamental truth of security).
You can use the password vault, which allows the OS to better maintain these secrets; however:
Note: if you want to be able to get the password in code, you need to call RetrievePassword first:
Jeff Sanders (MSFT)
@jsandersrocks - Windows Store Developer Solutions @WSDevSol
My Team Blog: Windows Store & Phone Developer Solutions
My Blog: Http Client Protocol Issues (and other fun stuff I support)
- Proposed as answer by Jeff Sanders (Microsoft employee, Moderator), Tuesday, January 7, 2014 1:10 PM
- Marked as answer by Matt Small (Microsoft employee, Moderator), Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:09 PM (Moderator)
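The PasswordVault code that originally accompanied this answer did not survive; the following is an added example, not Jeff's code, showing the pattern he describes: store the secret through Windows.Security.Credentials.PasswordVault instead of a string field, and call RetrievePassword() before reading the Password property. The class name, resource name and user-name key are assumptions. The vault encrypts the entry per Windows user and the app can only read its own entries, which protects the value at rest; it does not hide the value from someone who can run the app under that user, so it should hold a secret the app obtains at runtime, not one compiled into the package.

```csharp
using System;
using System.Linq;
using Windows.Security.Credentials;

// Hypothetical helper (not from the thread) that keeps the OAuth client secret
// in the OS-managed PasswordVault rather than in app memory or the package.
public static class YammerSecretStore
{
    // Lookup keys only; both names are assumptions for this example.
    private const string Resource = "YammerOAuth";
    private const string UserName = "client_secret";

    // Store (or replace) the secret for the current Windows user.
    public static void Save(string clientSecret)
    {
        if (string.IsNullOrEmpty(clientSecret))
            throw new ArgumentException("secret must not be empty", nameof(clientSecret));

        var vault = new PasswordVault();
        // Remove any stale entry first so there is exactly one credential per key.
        // RetrieveAll() returns an empty list (no exception) when nothing is stored.
        foreach (var old in vault.RetrieveAll()
                                 .Where(c => c.Resource == Resource && c.UserName == UserName))
        {
            vault.Remove(old);
        }
        vault.Add(new PasswordCredential(Resource, UserName, clientSecret));
    }

    // Returns the secret, or null if it has not been stored yet.
    public static string Load()
    {
        var vault = new PasswordVault();
        PasswordCredential cred;
        try
        {
            cred = vault.Retrieve(Resource, UserName);
        }
        catch (Exception)
        {
            // Retrieve() throws ("Element not found") when no entry matches.
            return null;
        }

        // The Password property is empty until RetrievePassword() is called;
        // this is the step the answer above points out.
        cred.RetrievePassword();
        return cred.Password;
    }

    // Remove the secret, e.g. when the user signs out of Yammer.
    public static void Clear()
    {
        var vault = new PasswordVault();
        foreach (var c in vault.RetrieveAll()
                               .Where(c => c.Resource == Resource && c.UserName == UserName))
        {
            vault.Remove(c);
        }
    }
}
```

Keep the decrypted value in scope only for the OAuth request that needs it; retrieving it once at startup and caching it in a static field reintroduces the in-memory exposure the vault was meant to reduce.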
The real question is, how secure do you need it to be? Protected from decompilation? Protected from in-memory analysis? There's no perfect solution here. You have one of two choices:
1) Encrypt the secret and keep it in isolated storage, then decrypt as needed
2) Download the secret from a secure server for use as needed.
For a really technical hacker bound and determined to get that secret, I don't think either is going to stop him, but it will stop most people.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.
NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.
- Marked as answer by Matt Small (Microsoft employee, Moderator), Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:10 PM (Moderator)
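As an added illustration of Matt's option 1 (not his code), the example below encrypts the secret with Windows.Security.Cryptography.DataProtection.DataProtectionProvider using the "LOCAL=user" descriptor and writes the ciphertext to the app's local folder, then decrypts it on demand. The class and file name are assumptions. The "LOCAL=user" descriptor binds the ciphertext to the current Windows account, so the file is unreadable to other users or on another machine, but, as Matt notes, it cannot stop someone who runs the app under the same account and inspects it in memory; the value should therefore be something fetched at runtime (his option 2), not a constant shipped in the package.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

// Hypothetical helper (not from the thread): DPAPI-style protection of a secret
// at rest in the app's isolated local storage.
public static class ProtectedSecretFile
{
    // File name inside ApplicationData.Current.LocalFolder; an assumption.
    private const string FileName = "client_secret.bin";

    // Encrypt for the current user and persist. Overwrites any previous copy.
    public static async Task SaveAsync(string secret)
    {
        if (string.IsNullOrEmpty(secret))
            throw new ArgumentException("secret must not be empty", nameof(secret));

        // "LOCAL=user": only this Windows user on this machine can unprotect.
        var provider = new DataProtectionProvider("LOCAL=user");
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(secret, BinaryStringEncoding.Utf8);
        IBuffer cipher = await provider.ProtectAsync(plain);

        StorageFile file = await ApplicationData.Current.LocalFolder.CreateFileAsync(
            FileName, CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteBufferAsync(file, cipher);
    }

    // Decrypt and return the secret, or null if none has been stored.
    public static async Task<string> LoadAsync()
    {
        StorageFile file;
        try
        {
            file = await ApplicationData.Current.LocalFolder.GetFileAsync(FileName);
        }
        catch (FileNotFoundException)
        {
            return null;
        }

        IBuffer cipher = await FileIO.ReadBufferAsync(file);
        // The descriptor is embedded in the ciphertext, so no argument is needed here.
        var provider = new DataProtectionProvider();
        IBuffer plain = await provider.UnprotectAsync(cipher);
        return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, plain);
    }

    // Delete the protected file, e.g. on sign-out.
    public static async Task ClearAsync()
    {
        try
        {
            StorageFile file = await ApplicationData.Current.LocalFolder.GetFileAsync(FileName);
            await file.DeleteAsync();
        }
        catch (FileNotFoundException)
        {
            // Nothing stored; nothing to do.
        }
    }
}
```

Call LoadAsync() immediately before the OAuth token request and let the returned string go out of scope afterwards, rather than holding it for the lifetime of the app.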