Remove From My Forums

Store Client Secret in App

Question
0

Sign in to vote

Hi,

I am building a Windows Store App which provides users to authenticate themselves via authentication Yammer. I am presently storing both client ID and client secret so that I can pass them while making Oauth authentication.

However I realize that keeping client secret in the app may be dangerous as they could be misused.

How do I keep my credentials secure and retrieve the same.

I am developing the application in C#.

Tuesday, January 7, 2014 11:27 AM

Answers

0

Sign in to vote
The only way to truly keep a secret a secret is to never store it (a fundamental truth of security).

You can use the password vault which allows the OS to better maintain these secrets however:

http://blogs.msdn.com/b/jpsanders/archive/2013/06/24/use-passwordvault-to-store-your-tokens-windows-azure-mobile-services.aspx

Note if you want to be able to get the password in code you need to call RetrievePassword first:

http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordcredential.retrievepassword.aspx
Jeff Sanders (MSFT)

@jsandersrocks - Windows Store Developer Solutions @WSDevSol
Getting Started With Windows Azure Mobile Services development? Click here
Getting Started With Windows Phone or Store app development? Click here
My Team Blog: Windows Store & Phone Developer Solutions
My Blog: Http Client Protocol Issues (and other fun stuff I support)
- Proposed as answer by Jeff SandersMicrosoft employee, Moderator Tuesday, January 7, 2014 1:10 PM
- Marked as answer by Matt SmallMicrosoft employee, Moderator Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:09 PM

Moderator
0

Sign in to vote
The real question is, how secure do you need it to be? Protected from decompilation? Protected from in-memory analysis? There's no perfect solution here. You have one of two choices:

1) Encrypt the secret and keep it in isolated storage, then decrypt as needed

2) Download the secret from a secure server for use as needed.

For a really technical hacker bound and determined to get that secret, I don't think either is going to stop him, but it will stop most people.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.
- Marked as answer by Matt SmallMicrosoft employee, Moderator Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:10 PM

Moderator

All replies

0

Sign in to vote
The only way to truly keep a secret a secret is to never store it (a fundamental truth of security).

You can use the password vault which allows the OS to better maintain these secrets however:

http://blogs.msdn.com/b/jpsanders/archive/2013/06/24/use-passwordvault-to-store-your-tokens-windows-azure-mobile-services.aspx

Note if you want to be able to get the password in code you need to call RetrievePassword first:

http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordcredential.retrievepassword.aspx
Jeff Sanders (MSFT)

@jsandersrocks - Windows Store Developer Solutions @WSDevSol
Getting Started With Windows Azure Mobile Services development? Click here
Getting Started With Windows Phone or Store app development? Click here
My Team Blog: Windows Store & Phone Developer Solutions
My Blog: Http Client Protocol Issues (and other fun stuff I support)
- Proposed as answer by Jeff SandersMicrosoft employee, Moderator Tuesday, January 7, 2014 1:10 PM
- Marked as answer by Matt SmallMicrosoft employee, Moderator Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:09 PM

Moderator
0

Sign in to vote
The real question is, how secure do you need it to be? Protected from decompilation? Protected from in-memory analysis? There's no perfect solution here. You have one of two choices:

1) Encrypt the secret and keep it in isolated storage, then decrypt as needed

2) Download the secret from a secure server for use as needed.

For a really technical hacker bound and determined to get that secret, I don't think either is going to stop him, but it will stop most people.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.
- Marked as answer by Matt SmallMicrosoft employee, Moderator Thursday, January 9, 2014 1:24 PM
Tuesday, January 7, 2014 1:10 PM

Moderator

Answered by:

Store Client Secret in App

Question

Answers

All replies