How safe are "secret" keys in Windows 8 (WinJs) apps?

Question

I'm doing a hobby project Windows 8 app in WinJS. As I'm calling an external api, which requires an api key and oauth authentication, I've got a number of keys that I need to keep "secret".

I've seen places around the web with detailed descriptions on how to get access to and also modify the source code for WinJs (and C#) apps on your computer. But I think those were in the beta/preview time frame?

My Google skills don't seem to be able to tell me if this has been fixed since, does anyone know?

If it wasn't fixed, how do people handle these situations?

Any tips and suggestions welcome :)

Answer 1

You have a couple options here.

1. Integrate Azure Mobile Services and have it do the oAuth if possible. Your keys remain secret in the cloud.
2. Store the main key encrypted in your WinJs application. The secret then is also encrypted and stored locally. I use https://github.com/cauld/winjs-oauth-for-twitter and have a slight revision that when I get the key back I store it in the credential manager.

Any local application compiled from any computer language can be tampered with, all you need is a debugger. If you encrypt everything I in theory can just load up a debugger, attach to the http stack library and watch the data go out (excluding even easier techniques like Fiddler to watch this data) and extract whatever I want - fairly easily. So the question is what are you trying to prevent?