# multiplatform
h
So this is more of a general practice question: A music application I'm working on requires the use of a user token for verification with a third-party service. Obviously it's best to encrypt this in local storage, but I'm struggling to think of implementations with shared key storage in the context of symmetric encryption. In Android, Keystore functions allow you to store the shared key (more) securely. Outside of that, the only way to access them in an application's data folder is via a process with root privileges, which can't commonly be created on a user's end. In Linux, I believe you can use the Secret Service API via D-Bus' libsecret if you're compiling to Kotlin/JS? That supports KDE and GNOME, I don't know if it supports other environments, like XFCE/LXQT/etc. I'm not experienced with Apple products at all, so I can't give any thoughts on that front. In Windows, I'm sure there's some old implementation that corrupts itself every 30 minutes, but I can't think of one. Regardless of all that, KeePass seems to be the only cross-platform example available for storing keys, and I'm finding it hard to visualise a universal approach to storing a key. I guess I could use a key derivation function, and ask the user for a password on each login, but that seems excessive for what the application is. Does anyone have any thoughts?
d
On Apple platforms, the best place to store app secrets is in the keychain.
h
Thanks. I knew they had something, but I've almost never visited Apple's developer documentation before, so I wouldn't have known where to start.
s
I'd advise not using the keychain APIs directly. I'd use this library, it makes things considerably easier https://github.com/square/Valet
I then use this on Android and expose a common interface to the KMM common code so that it can store and retrieve values without having knowledge of the underlying tech https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
h
Ah okay. I would have thought Keychain was easier to work with than KeyStore.
s
Keystore is for Android, keychain for iOS 😇
h
I know, I just mean I wouldn't have thought iOS' implementation would have been so difficult to work with that a supporting library would use the line "It’s easy. We promise." 😅
I moved away from SharedPrefs as it isn't type-safe. At the moment, I'm writing the IV and Cipher to an SQL file for user data with Room.
s
Ahhh sorry I'm with you. Yeah fair, I still use shared Prefs but I only ever really store Auth tokens and a few bits and bobs like that, never much data
h
I tried using it for settings, but realised it doesn't support migration, so pretty much everything I need to store gets chucked into Room Daos lol