Secure ways of storing client_id's and client_secret's on android app

In my app, I need to pass client_id and client_secret to make my API calls.

What is the most secure way of storing client_id and client_secret's on the android app?

I have read about SharedPreferences and I am sure they are not secure. Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?

Thanks
R

Mobile OAuth Authorization flow

> In my app, I need to pass client_id and client_secret to make my API calls.

It seems to me that you are not using the correct OAuth authorization flow in your mobile app because the one you are using now requires the client_secret. I think you may be trying to use the flow meant for m2m(machine to machine) authorization.

The correct flow to use for a mobile app is the Authorization Code Flow with Proof Key for Code Exchange (PKCE).

From auth0.com/docs:

> The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

You can read that this is the recommended approach in the OAuth 2.0 RFC8252 for Native Apps, that is about the best practices for mobile apps:

> ### Abstract
>
> OAuth 2.0 authorization requests from native apps should only be made
> through external user-agents, primarily the user's browser. This
> specification details the security and usability reasons why this is
> the case and how native apps and authorization servers can implement
> this best practice.
>
> ### Status of This Memo
>
> This memo documents an Internet Best Current Practice.
>
> This document is a product of the Internet Engineering Task Force
> (IETF). It represents the consensus of the IETF community. It has
> received public review and has been approved for publication by the
> Internet Engineering Steering Group (IESG). Further information on
> BCPs is available in Section 2 of RFC 7841.
>
> Information about the current status of this document, any errata,
> and how to provide feedback on it may be obtained at
> https://www.rfc-editor.org/info/rfc8252.

Securely storing secrets in the mobile app

> What is the most secure way of storing client_id and client_secret's on the android app?
> Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?

Yes, the Android Keystore is the correct way to go. You can use it from the Android Security Library to store your secrets but bear in mind that an attacker can use an instrumentation framework to hook at runtime into the code that uses the client_id and client_secret already decrypted and extract them for use outside of your mobile app. A popular instrumentation framework used for this propose is Frida:

> Inject your own scripts into black-box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

I invite you to read my answer to the question Store Client Certificate and key (.pem) in Android securely to see more details about using the Android Keystore with the security library, and the answer includes some code examples.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation:

OWASP Mobile Security Project - Top 10 risks

> The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

> The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

The best approach is to use Android's Keystore. It will handle the key generation, storage for you. Your app will be communicating through KeyChain API which offers the following advantages:

• It performs all the cryptography for you
• Hard to extract from device
• Each app can only access their own keys (enforced by Keystore)

Securing the user's secrets in a keychain