Geek Answers Handbook

Where to store OAuth client credentials on Android

I have an Android app that interacts with WebAPI through OAuth protection. To get the access token, I need to send the OAuth credentials (i.e. client ID and client secret) in the request header. My question is: where should I store these 2 values ​​(client ID and client secret) so that the application can use it when necessary. Currently, I just encoded it in a call. Is it safe to store them in strings.xml?

+4
source share
3 answers

Please share with pref users to store protected data, because if any other development engineer receives hard-coded strings .shared pref is a safe place where you can store data.

+2
source

If you are concerned about security, you can save the data in SharedPreference by encrypting and saving the encryption keys in Android Keystore.

Keystore is not used directly to store application secrets, such as a password, but it provides a secure container that applications can use to store their private keys, which is quite difficult for malicious (unauthorized) users and the application to extract.

. http://www.androidauthority.com/use-android-keystore-store-passwords-sensitive-information-623779/

+1

No, it is not safe to store in strings.xml. Use instead SharedPreferences. For example:

SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(context);

and then save your client id and client secret as follows:

sharedPreferences.edit()
.putString("client_id", "your_client_id")
.putString("client_secret", "your_client_secret")
.apply();

To return the client ID and client secret from SharedPreferences:

String clientId = preferences.getString("client_id", "No ID");
String clientSecret = preferences.getString("client_secret", "No Secret");
-2
source

More articles:


All Articles