Hi Guys , My back-end team are adding a feature to add an api-key to our http endpoints for security reasons . Now this key can be anything , as in it is completely on us what key we decide to use . So I was thinking how about using my apps signing certificates using

PackageManager.GET_SIGNING_CERTIFICATES

so I do not have to store it any where in my codebase as anything can be reverse engineered. Is this method secure or can any hacker figure out my SIGNING_CERTIFICATES as well ?

Nothing on a device controlled by an attacker is secret.

So what would be the most secure way of storing api keys ? people are saying using JNI with C++ .

There's none. It's not possible to store something on a device without having the owner of the device be able to find what it is.

Yes , I agree . But there must be some approaches that can make it hard for the attacker .

It's possible to make it harder, sure. But do you want a secret or a mostly secret.

I am sorry I do not follow

It's either possible for an attacker to get it, in which case it's not a secret, or it's impossible.

But you are saying the second part , i.e it being impossible is not possible 😄

Well it's not possible to hide something from the owner of a device.

Event if its not a rooted device ?

If you store secrets server-side, an attacker can't steal them

But how will front-end use those secrets ?

How do you check it's not a rooted device? A rooted device can lie about anything. May be hard, but it's never impossible.

So we are back to square 1 then

It's simple: if you have a secret, never give it to the attacker. Sending it to a device they own counts as giving it to them.

Thanks for the help .

With regards to API keys specifically, they're even easier to access: just setup a proxy and inject the fake certificate into the device, and you can listen in on all traffic (and read all credentials)

Ohk , is there a way Back-End can verify that this API call is coming from our own APK which is installed from Playstore ?

No. You can ask the app to send its signature and check it, but an infected app can lie and send the real signature.

Certificate pinning only works if you can trust the user cannot unpin it. It's more complicated, but they can do it.

So the end goal is just that my Backend needs to know whether this call was made from a valid android phone and not a script , api keys seemed like one option but if there are other options I am open to them , this firebase app check sounds promising , will check it out

(also using tools like this is borderline unethical, you're forbidding a user to do what they want with a machine they bought themselves and own, just because you don't want them to know secrets you put on a device they own? It's their device, not yours)

Yes , but the endpoind to send OTP imdoes not have any token so there is no check on that and someone is generating random phonenumbers and spamming that endpoint

ratelimit IPs?

in most of the cases the security should be handled by the server side, you can't do much to protect the app data on the phone If a user is authenticated on their phone, why not let them do whatever they want? If they can do sth harmful, it is the responsibility of the server to prevent it there is another problem: when a phone is stolen, then a user is authenticated with a different account. But it is not your responsibility to handle this kind of cases