mjwheatley / cordova-plugin-android-fingerprint-auth

A cordova plugin for fingerprint authentication using the hardware fingerprint scanner on devices running Android 6+
Apache License 2.0

use of clientSecret: "a_very_secret_encryption_key" ? #6

Closed charlesmccann closed 8 years ago

charlesmccann commented 8 years ago

Could you provide a little more detail in the README regarding the use of the clientSecret? I'm guessing this key needs to be protected and probably stored securely... recommendations would be nice.

mjwheatley commented 8 years ago

The clientSecret is used to generate the encryption token that is returned upon successful fingerprint authentication. `return mCipher.doFinal(mClientSecret.getBytes());`

Yes, the client secret should be passed in at runtime when compiling your application. This is a plugin that can be used by several frameworks, not all of which I have experience with, so I can not really provide recommendations for them all.

I use this plugin with the MeteorJS framework. When building for production I pass in a settings.json file that contains all my API credentials. These are only available via process.env so they would not be able to be harvested from the application bundle.

What framework are you using this plugin with?
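The comment above shows only the `doFinal` line. The following is an added illustration, not the plugin's source and not part of any post in this thread, of the Android KeyStore pattern that line normally sits in; the key alias `KEY_NAME` and the `clientSecret` argument are assumed for the example.

```java
// Added illustration (not the plugin's code) of the KeyStore pattern around
// `mCipher.doFinal(mClientSecret.getBytes())`. KEY_NAME and clientSecret are assumed.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class FingerprintTokenExample {
    private static final String KEY_NAME = "example_fingerprint_key"; // assumed alias

    // Generates an AES key that lives only in the Android KeyStore and may only be
    // used after the user authenticates (fingerprint). The key itself never leaves
    // the keystore, unlike a constant bundled in the app's JavaScript.
    static void createKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        gen.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setUserAuthenticationRequired(true)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .build());
        gen.generateKey();
    }

    // Returns a Cipher bound to the keystore key. Wrap it in a
    // FingerprintManager.CryptoObject and call doFinal only from
    // onAuthenticationSucceeded.
    static Cipher initCipher() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_NAME, null);
        Cipher cipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/"
                + KeyProperties.BLOCK_MODE_CBC + "/"
                + KeyProperties.ENCRYPTION_PADDING_PKCS7);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    // The "token" from the comment: the client secret encrypted under the keystore
    // key. Without a successful fingerprint the keystore refuses to complete the
    // operation, so the fingerprint gate protects the keystore key, not the
    // confidentiality of clientSecret itself.
    static byte[] makeToken(Cipher authenticatedCipher, String clientSecret) throws Exception {
        return authenticatedCipher.doFinal(clientSecret.getBytes("UTF-8"));
    }
}
```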

charlesmccann commented 8 years ago

I'm using just HTML5 and JavaScript with Phonegap / Cordova. No frameworks (yet). At the moment, I'm not sure how to accomplish passing something in at runtime and not bundled with the app -- besides making an AJAX call out to another system.

Thanks for the information!

Slumber86 commented 8 years ago

Isn't it unsafe to place the encryption key inside js files? They can be easily decoded. In .class it is better, but I think that until the whole archive is encrypted the key is not safe.