Not quite compose, but the question is in the context of desktop apps. What's the industry standard for securing data in JVM desktop apps, e.g. an authorization token?

I'd like to know that too. On JVM, I currently have a TODO implementation of just using java.util.prefs.Preferences and storing encrypted entries in it, but the issue is that I do not know how to derive a key securely such that only my app would be able to. On Android, you could rely on package manager to retrieve the signature of the running app at runtime, which is supposed to be... harder(?) from outside the app. And derive the key from the signature (and other data), which would at least give you assurance that only the app signed with the original signature can open the bundled encrypted file.

😅 your question is neither compose nor kotlin. 👎🏻

You're 100% right 😇

But desktop 🙂

You can always drive that from the backend, assuming the client can be compromised at any time. If the app is fully offline, probably derivative of the signing key used.

AFAIK the best you can do is use OS filesystem permissions and sandboxing (where available). There's no perfect solution though -- if another program has the ability to read your program's memory then it's all over. Personally, I just assume that any state my program saves to disk can be accessed by other tools (or the user themselves) and design with that in mind.

The backend can't handle everything though, especially an auth token, which essentially makes keeping things on the backend moot. On Android I can encrypt it with a key using the Android KeyStore and store it in the apps private filesystem and it feels much more secure.

I guess it depends what your threat model is. Do you trust the user, but are worried about malware? If so, you can't fully secure the secret. You could encrypt the secret yourself, but the decryption key will need to be stored somewhere. You could use an OS credential manager (e.g. keychain), but the secret will ultimately end up in your process's memory, which can be read by a debugger (or, generally, another app with elevated privileges). Do you not trust the user, e.g. want to prevent them from accessing the secret? In that case, there's really not a lot you can do. About the best you can do is use the OS credential manager and sandbox your app (if possible). That will at least make life more difficult.