neosmart / SecureStore

A .NET implementation of the cross-platform SecureStore (symmetrically-encrypted secrets) protocol
MIT License
96 stars 15 forks

Question: Does this library work for uwp apps? #3

Closed dpaulino closed 4 years ago

dpaulino commented 4 years ago

Sorry if this is the wrong place to ask, but I'm interested in using this in my UWP app. Any chance that you've tried this in UWP yet to see if there are issues? I was going to try it myself, but I wanted to check if UWP is already known to be unsupported.

mqudsi commented 4 years ago

Hi, no problem.

I’m using it in my iMessage for Windows 10 UWP app.

https://neosmart.net/blog/2018/imessage-for-windows/

dpaulino commented 4 years ago

Good to know! One more question. I'm not very familiar with the world of encryption. How would I store the password to the key securely?

Here's my whole situation: I have a secret that I want to store securely using this library. I assume I'll create a password to encrypt this secret. But then when my uwp app is released and users use it, the app has to use the password to decrypt the secret right? Do I just hardcode the string password in the app? Or is there a more secure way to store it?

mqudsi commented 4 years ago

Storing your passwords/secrets in a client application distributed to users is always very ugly. SecureStore lets you encrypt and store that information in applications that you distribute safely, but you still have to decrypt those secrets, and when you do, they're no longer really in your control.

Depending on what these secrets/passwords protect and what your threat model is, it may still be an acceptable approach (and sometimes there is no alternative). Typically this is where heavily obfuscated code and memory representation of the secrets is used to thwart reverse engineering, etc. but for most apps it means you're actually doing something wrong and there's probably a better option available (e.g. per-user tokens/credentials, oauth, etc.).

What are you trying to do?

dpaulino commented 4 years ago

I'm trying to perform an OAuth 2.0 authentication to a service. I registered my app to that service, so my app has a client ID and a client secret. These two are required to start the OAuth 2.0 user authentication flow.

I was thinking of storing the client secret string in the app using your library. Do you have a recommendation for how to encrypt that secret with a password and securely store that password?

mqudsi commented 4 years ago

The client secret mode of OAuth should not be used except if running on a machine under your control (e.g. a web server). You see, even if you obscure the key wonderfully in your app, all a user has to do is run Fiddler or Wireshark and they can see the request you are making to the authentication servers that includes the client secret.

For an app, it is recommended to use OAuth2 with the PKCE extension which uses cryptographic permutations to verify identity rather than exchanging a client secret. You can read more about the different authentication modes available with OAuth and when you're able to use each.

You could also use OAuth2 in implicit mode (which has no secret at all), but that's not the recommended approach and is being phased out/deprecated.
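The PKCE flow recommended above, written out as an added example that is not part of this thread or of the SecureStore project. It is in Python rather than C# so the RFC 7636 test vector can be checked directly; the mechanics (random verifier, S256 challenge, verifier sent only at the token endpoint) carry over unchanged to a UWP client. The endpoints, client ID, redirect URI and authorization code are constructed values, and `server_verify_pkce` is a stand-in for what the authorization server does, not anything from the page:

```python
"""PKCE (RFC 7636) for a public OAuth 2.0 client, with a mock server-side check.

Added example: endpoints, client IDs and codes below are constructed, not real.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier (RFC 7636 s4.1): 32 random bytes -> 43 chars of [A-Za-z0-9-._~]."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge (RFC 7636 s4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state, challenge):
    """Front-channel request: only the challenge travels here, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def build_public_token_request(client_id, redirect_uri, code, verifier):
    """Token request a public (native/UWP) client sends: code_verifier, no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def build_confidential_token_request(client_id, client_secret, redirect_uri, code):
    """Client-secret variant, for contrast: a local proxy reads this body as plainly as the code."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Stand-in for the authorization server's check at the token endpoint (assumed behaviour)."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    # Constant-time compare so the check itself leaks nothing about the stored challenge.
    return hmac.compare_digest(expected, stored_challenge)


def run_flow():
    """End-to-end flow with constructed values; returns results a caller can inspect."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    auth_url = build_authorization_url(
        "https://auth.example/authorize", "my-uwp-app", "myapp://callback",
        "read", secrets.token_urlsafe(16), challenge,
    )
    # The server stores (code -> challenge, method) when it issues the authorization code.
    issued = {"code": "SplxlOBeZQQYbYS6WxSbIA", "challenge": challenge, "method": "S256"}
    legit = build_public_token_request("my-uwp-app", "myapp://callback", issued["code"], verifier)
    # An attacker who captured the redirect saw the code and the challenge, but not the verifier.
    stolen = build_public_token_request("my-uwp-app", "myapp://callback", issued["code"], make_code_verifier())
    return {
        "auth_url": auth_url,
        "legit_ok": server_verify_pkce(issued["challenge"], issued["method"], legit["code_verifier"]),
        "stolen_ok": server_verify_pkce(issued["challenge"], issued["method"], stolen["code_verifier"]),
        "public_body_keys": sorted(legit),
    }


if __name__ == "__main__":
    print(run_flow())
```

The verifier lives only in the app's memory for the duration of one login, so there is nothing long-lived to hide in the binary; a captured token request exposes a one-time value bound to a one-time code, whereas the confidential variant exposes a credential that stays valid until it is rotated.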

dpaulino commented 4 years ago

Thanks for your information! I'll be reconsidering my authentication approach.