Protect API key in App #1738

Open

sync-by-unito bot opened this issue Jun 28, 2022 · 6 comments

Comments


sync-by-unito bot commented Jun 28, 2022

Issue is synchronized with this Asana task by Unito
Created By: James Chien


sync-by-unito bot commented May 29, 2023

➤ Sam commented:

James Chien, I was going through my old tasks and Get proposed solution from Ionic ( https://app.asana.com/0/0/1202516018160176 ) is one of them.

How did our API key get exposed from the Capture app? As I understand it, the Capture app is bundled and run from the App/Play Stores, so there is no way to use Chrome dev tools to inspect API keys.

So how did our API key get exposed?

Bofu Chen asked about the "best practice to protect API keys in APP" and the Ionic team suggested that a backend-first solution is better (comment by @BoFu Chen on Get proposed solution from Ionic ( https://app.asana.com/0/0/1202516018160176/1202516139729392/f )).

But if I can get more information on this task, I can ask GPT and see what's possible in our case.


sync-by-unito bot commented May 29, 2023

➤ James Chien commented:

There are mainly 2 approaches, and I just tested them; the API key is truly vulnerable to reverse-engineering and attacks.

Method #1: Uncompress apk and find the key in source code

Step 1: Get APK

Although you can't directly choose to download an APK from the Play Store, there are services like Download Capture latest 0.77.2 Android APK (apkpure.com) ( https://apkpure.com/capture-only-true-photos/io.numbersprotocol.capturelite/download ) that enable any user to download the app as an APK.

Step 2: Uncompress

Use unzip or other tools to uncompress the APK.

Step 3: reverse-engineer and get API key

JS code can only be uglified, not compiled into a binary, so this part won't be too difficult.

I found the API key in assets/public/main.8b9b91d1eaed5e25.js, in the uncompressed file.

Method #2: Use proxy monitoring tool to read request headers

Step 1: Install Proxy tool

  1. Download and install Charles Web Debugging Proxy • HTTP Monitor / HTTP Proxy / HTTPS & SSL Proxy / Reverse Proxy (charlesproxy.com) ( https://www.charlesproxy.com/ )
  2. Open CharlesProxy, in Proxy → SSL Proxying Settings → enable SSL proxying

Step 2: Install Charles root certificate on iOS

  1. On iPhone, install Charles root certificate from https://chls.pro/ssl ( https://chls.pro/ssl )
  2. Open Settings → install certificate
  3. Open Settings → About → Certificate Trust Settings → enable for Charles root certificate

Step 3: Prepare environment

  1. Connect both iPhone and the debugging machine (the machine that has CharlesProxy installed) to the same Wifi.
  2. Get the LAN IP of the debugging machine. For example 192.168.1.10
  3. On iPhone, in Settings → Wifi → → Proxy settings → Manual → set server to 192.168.1.10, port 8888 (Charles default port)

Step 4: Monitor requests and try different actions

  1. The iOS network requests are now all exposed on the debugging machine, in the Charles Proxy tool. The user can try to use the Capture App and filter dia-backend.numbersprotocol.io ( https://dia-backend.numbersprotocol.io ) requests.
  2. Eventually the user will discover the x-api-key header sent in the create-user request.

The attached screenshot is what I got in the Charles Proxy tool. I censored the whole API key, but you can see from the prefix this is the API key used for Capture production app.


sync-by-unito bot commented May 29, 2023

➤ James Chien commented:

For the method #1 attack, this is probably what we need Ionic's advice for. We need a secure way to bundle the API key in the app, not directly accessible in the uglified JavaScript if a user uncompresses the APK.

For the method #2 attack, we might need to consider certificate pinning or public key pinning, but this part might need more survey.


sync-by-unito bot commented May 29, 2023

➤ Sam commented:

James Chien, thank you for your feedback. I learned a lot from your examples. I think it's not a simple task.

Tammy Yang, (cc: Bofu Chen) should we ask the Ionic team (aka renew the subscription)?


sync-by-unito bot commented May 29, 2023

➤ Bofu Chen commented:

What's the suggestion from ChatGPT or Bard?

Compared to the delivered value, the Ionic enterprise service is relatively expensive. We will not renew the contract with them.


sync-by-unito bot commented May 29, 2023

➤ Tammy Yang commented:

Let's survive without Ionic team 🙂. We create our own values.
