My app talks to an API with HMAC authentication (Hash-based Message Authentication Code). Here the app needs to securely store the App Id and shared secret key. If someone gets hold of this information, they can mimic the API request.
Is there a way I can store the App Id and shared secret key securely inside an Ionic app? I saw some people talking about the keychain in iOS. Is it a secure way? And what about Android?
Anybody having knowledge on this?
There is no way to do that with a bundled app, as the JS can be read easily. I have done it like this in my app:
- At first run, call the server-side function and get the data configs
- Store those data configs in sqlite and encrypt sqlite using a cypher (google it)
- Use the data stored in sqlite.

The data is not easily available for anyone to hack as it is encrypted. When the user uninstalls the app, the data is removed. If anyone unzips the APK file, or sees the package contents on iOS, they cannot read the sensitive info as it is not stored in the JS.
Hi Gaurav, thanks for the reply.
Your server API where you get the config, is it secure? In my case, the app is open and no login is required. So if I keep my API open, anybody can get the config. If I implement token-based (fixed token) or any other form of authentication, again the issue is how to store the token or keys for authentication.
Also, when you encrypt your data, where do you store the key for encryption? That also needs to be stored securely, I believe.
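
The HMAC request authentication described in the opening post, as an added example that is not part of the thread or any poster's code: a client-side signer and a server-side verifier with a freshness window and constant-time comparison. The canonical string layout, the field names, the 300-second window and every sample value are assumptions constructed for illustration.

```javascript
// Added example: HMAC request signing and server-side verification.
// Canonical string, field names and all values are constructed assumptions.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed freshness window

// Canonical string that client and server must build identically.
function canonicalString(appId, method, path, timestamp, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [appId, method.toUpperCase(), path, String(timestamp), bodyHash].join('\n');
}

// Client side: runs inside the app, so the shared secret has to be present there.
function signRequest(appId, secret, method, path, timestamp, body) {
  return crypto.createHmac('sha256', secret)
    .update(canonicalString(appId, method, path, timestamp, body))
    .digest('hex');
}

// Server side: look up the secret by App Id, recompute the MAC,
// reject stale timestamps, and compare in constant time.
function verifyRequest(secretsByAppId, req, nowSeconds) {
  const secret = secretsByAppId.get(req.appId);
  if (!secret) return 'unknown-app';
  if (Math.abs(nowSeconds - req.timestamp) > MAX_SKEW_SECONDS) return 'stale';
  const expected = Buffer.from(
    signRequest(req.appId, secret, req.method, req.path, req.timestamp, req.body), 'hex');
  const given = Buffer.from(String(req.signature), 'hex');
  if (given.length !== expected.length) return 'bad-signature';
  return crypto.timingSafeEqual(given, expected) ? 'ok' : 'bad-signature';
}

// Constructed sample data (not real credentials).
const SECRETS = new Map([['demo-app', 'constructed-shared-secret']]);
function sampleRequest() {
  const req = { appId: 'demo-app', method: 'POST', path: '/orders',
                timestamp: 1700000000, body: '{"item":1}' };
  req.signature = signRequest(req.appId, 'constructed-shared-secret',
                              req.method, req.path, req.timestamp, req.body);
  return req;
}
```

The verifier can only tell that the signer held the shared secret, not that the request came from the genuine app, which is why the storage question raised in the thread decides how much this scheme protects.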