Ask HN: Client Secret at Android
1 points by rajlalwani 4077 days ago
Hello Fellow Hackers,

To obtain an OAuth token from the server for a mobile app, we need to pass the Client Secret from the Android (and iOS) app, which can be compromised easily. I was wondering if you can share best practices to keep the Client ID and Client Secret from getting exposed during reverse engineering or decompilation.

Cheers, Raj

1 comment

If the secret is valuable, someone will get it out. If it isn't, nobody will look. It's probably enough to just XOR the bytes with something to stop the secret from showing up in `strings`, but otherwise... it's a client app. You can't control it.

(It's still going to be visible in captured traffic after stripping TLS.)
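As an added example (not code from either post in the thread), here is a small Python sketch of what the comment describes: XOR-masking a client secret so it does not show up in a `strings`-style scan of a binary, next to the trivial unmasking that shows the value is merely hidden, not protected. The client ID and secret, the one-byte mask and the fake binary layout are all constructed for this example and are not real values.

```python
"""Added example, not from the HN thread: XOR-masking a client secret so it is
absent from a `strings`-style scan, and showing the masking is reversible with
the key that ships inside the same app."""
import re

# Constructed sample values; not real credentials.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "s3cr3t-example-value-0123"
MASK = 0x5A  # constructed single-byte key; any build-time constant behaves the same


def xor_mask(data: bytes, key: int = MASK) -> bytes:
    """XOR every byte with a single-byte key. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Approximation of what the `strings` utility reports:
    runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def contains_string(needle: str, blob: bytes) -> bool:
    """True if `needle` occurs inside any printable run a strings scan would report."""
    return any(needle in s for s in printable_strings(blob))


def build_fake_binary(secret: str, key: int = MASK) -> bytes:
    """Constructed stand-in for an app binary: a header, the masked secret,
    and some unrelated text, each NUL-separated."""
    return (
        b"\x7fELF\x00\x00"
        + xor_mask(secret.encode(), key)
        + b"\x00"
        + b"Hello, world!"
        + b"\x00"
    )


def demo() -> dict:
    """Compare what a strings scan sees before and after unmasking the whole blob."""
    binary = build_fake_binary(CLIENT_SECRET)
    return {
        # Masking does defeat a plain strings scan...
        "visible_in_strings": contains_string(CLIENT_SECRET, binary),
        # ...but XOR-ing the blob with the shipped key brings the secret straight back.
        "visible_after_unmask": contains_string(CLIENT_SECRET, xor_mask(binary)),
        # The mask is its own inverse, which is why it is only obfuscation.
        "round_trip_ok": xor_mask(xor_mask(CLIENT_SECRET.encode())) == CLIENT_SECRET.encode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`demo()` returns `visible_in_strings` as `False` and `visible_after_unmask` as `True`: the masking hides the value from a casual scan, but because the key must be present in the app to use the secret, anyone holding the app can recover it, which is the comment's point. Server-side design should therefore treat any value embedded in the app as public rather than as a credential.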