How safe are credentials within the app?

Hey everyone. I’ve recently added “cloud save” support to my game using Parse.com and the nifty mod_parse Corona module. This requires that I embed my Parse REST API key within my game’s source code. 

This feels insecure to me. If someone were able to reverse engineer the API key from the .apk or .app, they’d be able to impersonate the app and CRUD data from my account. Granted, I’m not storing any sensitive data like credit cards, but I obviously don’t want anyone wiping out all my saved games for kicks.

I was able to find my key pretty easily by following these steps:

  1. Rename the .apk to .zip and expand the archive

  2. Run “grep -lr <mykey> *” on the newly expanded directory

  3. Voila, the key was found in assets/resource.car

Any advice on how to mitigate this risk? I can’t imagine this problem is exclusive to Corona users of the Parse REST API. Any app that needs to authenticate against a remote service theoretically needs to embed some credentials within the client. 

OK I think I’ve found the answer to my own question: by using object-level ACLs, I can designate an object to be accessible only to the user who created it. It’s like chowning a file. This means I’ll need to add support for Parse Users into my app, but hopefully that’s straightforward. 
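
The object-level ACL idea above, as an added example that is not part of the original post or of Parse's own SDKs: the request body an app would send when creating a save-game object pinned to its creator, plus a small evaluator that mirrors how such an ACL is meant to be interpreted. The ACL JSON shape (user objectIds as keys, `"*"` for everyone, each mapping to `read`/`write` flags) follows Parse's documented REST format; the class name `SaveGame`, the evaluator and the user ids are constructed for illustration. Note that the server only enforces the ACL against a request that carries the user's session token; the embedded application key alone acts as an unauthenticated caller and gets only what `"*"` grants, and the Master Key bypasses ACLs entirely, so it must never ship in the client.

```python
"""Added example: owner-only Parse ACLs and a local check of their semantics."""
import json


def owner_only_acl(user_id):
    # Parse ACL format: keys are user objectIds (or "*" for the public),
    # values are {"read": bool, "write": bool}. Nobody else is listed, so
    # nobody else can read or write the object (short of the Master Key).
    return {user_id: {"read": True, "write": True}}


def build_save_game_object(user_id, payload):
    # JSON body for POST /1/classes/SaveGame: the game data plus an ACL
    # that "chowns" the object to its creator.
    body = dict(payload)
    body["ACL"] = owner_only_acl(user_id)
    return json.dumps(body)


def acl_allows(acl, user_id, op):
    """True if `user_id` may perform `op` ("read" or "write") on an object.

    Assumed semantics, matching how Parse documents ACLs: a caller is allowed
    if its own id has the flag set or if the public "*" entry grants it. An
    unauthenticated caller (user_id=None) only ever matches "*".
    """
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    principals = ["*"] if user_id is None else [user_id, "*"]
    return any(acl.get(p, {}).get(op, False) for p in principals)


def demo():
    # Constructed user ids: the owner and someone who found the app key.
    alice, mallory = "u_alice", "u_mallory"
    body = json.loads(build_save_game_object(alice, {"level": 7, "gold": 120}))
    acl = body["ACL"]
    return {
        "owner_read": acl_allows(acl, alice, "read"),
        "owner_write": acl_allows(acl, alice, "write"),
        "other_read": acl_allows(acl, mallory, "read"),
        "other_write": acl_allows(acl, mallory, "write"),
        "anonymous_read": acl_allows(acl, None, "read"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the evaluator makes is the one the post relies on: once every object carries an owner-only ACL, extracting the application key from the .apk lets an attacker make requests, but not touch anyone else's saves; a public-read entry (`"*": {"read": true}`) is an explicit opt-in, never the default for player data.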

I’m using Google App Engine as a backend with this approach:

    1. Corona SDK-built app sends secret key to backend to create an account
    2. Backend sends authentication token used as a user ID
    3. App stores authentication token on app for future queries
    4. User has option to link account with Facebook so they can use their account on multiple devices (Facebook provides a unique ID scoped to the app).

The secret key is obfuscated in the Corona app code to prevent brute-force DOS attacks by creating many accounts, but we also take steps on the backend to limit the damage that can be done even if the secret key is disclosed.

What’s important from a security perspective is that even if you have the secret key, all you can do is create a new account. With the authentication token, you can’t obtain any information about any other accounts or users.

Maybe this approach, or a similar one, will work for other folks.
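
The backend design described in the post above, as an added example that is not the poster's App Engine code: an in-memory model in which the client presents a shared secret to create an account, receives a random token, and can afterwards reach only the account bound to that token. The constant-time secret check, the per-client signup rate limit (the "limit the damage" step), and all names and values are assumptions made for illustration; a real deployment keeps the secret in server configuration and the account table in a datastore.

```python
"""Added example: token-issuing backend where the shared secret only buys
account creation and a token only resolves to its own account."""
import hmac
import secrets
import time

APP_SECRET = "constructed-shared-secret"   # assumption: loaded from config, never from source
MAX_SIGNUPS_PER_WINDOW = 5                 # assumption: per client address
WINDOW_SECONDS = 60

accounts = {}   # token -> account record (in-memory stand-in for a datastore)
signups = {}    # client address -> recent signup timestamps


def _rate_limited(client_addr, now):
    # Keep only signups inside the window, then compare against the cap.
    recent = [t for t in signups.get(client_addr, []) if now - t < WINDOW_SECONDS]
    signups[client_addr] = recent
    return len(recent) >= MAX_SIGNUPS_PER_WINDOW


def create_account(presented_secret, client_addr, now=None):
    """Step 1-2: verify the shared secret and hand back a fresh token, or None.

    Holding the secret gets an attacker exactly this call and nothing else;
    the rate limit bounds how many throwaway accounts a leaked secret buys.
    """
    now = time.time() if now is None else now
    # Constant-time comparison so the check leaks nothing about the secret.
    if not hmac.compare_digest(presented_secret, APP_SECRET):
        return None
    if _rate_limited(client_addr, now):
        return None
    signups.setdefault(client_addr, []).append(now)
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    accounts[token] = {"save": {}, "facebook_id": None, "created": now}
    return token


def load_save(token):
    """Step 3: the token is the only key into the table, so it can never
    enumerate or read another account; an unknown token yields None."""
    acct = accounts.get(token)
    return None if acct is None else dict(acct["save"])


def store_save(token, save):
    acct = accounts.get(token)
    if acct is None:
        return False
    acct["save"] = dict(save)
    return True


def link_facebook(token, facebook_app_scoped_id):
    """Step 4: bind the app-scoped Facebook id to this account so another
    device can recover it. Assumption: the caller has already verified the
    Facebook access token server-side before trusting the id."""
    acct = accounts.get(token)
    if acct is None:
        return False
    acct["facebook_id"] = facebook_app_scoped_id
    return True


if __name__ == "__main__":
    t = create_account(APP_SECRET, "203.0.113.7")
    store_save(t, {"level": 3})
    print(load_save(t), load_save("someone-elses-guess"))
```

The token is a capability, so the client must store it in private app storage rather than in a world-readable location, and the backend should treat it like a password hash would be treated (never log it). The rate limit uses the client address only as an example; any per-client signal the backend already has works the same way.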