[Security] Securing ClientID/ClientSecret in non-web apps

The Netatmo API is a set of webservices allowing developers and third parties to access Netatmo device's data.
s.djukic2
Posts: 1
Joined: 18 Jan 2018, 13:19

Post by s.djukic2 » 18 Jan 2018, 13:28

Dear all,

I have a question regarding handling application credentials securely. If I understood the docs correctly, then if you are building a mobile app the flow would be:
1) Register a new app => you get ClientID/ClientSecret generated
2) Create a mobile app => embed ClientID/ClientSecret in it
3) Ask the user for user/pass once and execute the Client Credentials flow => store an authtoken
4) Invoke REST APIs with the authtoken (user/pass discarded)

So my question is this: you are basically required to embed your app's ClientID/ClientSecret in a mobile app, which is distributed to thousands of customers and is easily extractable - isn't this a fundamental security risk?

I'm not sure about the extent of harm that can be done, but at least a DoS attack could invalidate your application easily by invoking REST calls aggressively beyond the per-app limit.

Thoughts?

Thanks!
Sinisha
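As an added illustration (not code from the original post and not Netatmo's own code), the following offline Python model walks through the four steps above and then the concrete worry in the post: anyone holding the app can read the embedded ClientID/ClientSecret out of it, and with those two values can spend the app's per-app request budget on junk logins until real users get refused. A second run shows the usual alternative for installed apps, a backend the developer runs that holds the secret and throttles per user before it touches the shared quota. FakeTokenEndpoint, BackendProxy, APP_LIMIT, PADDING and every credential and URL below are constructed for the demo; the real Netatmo endpoint, grant parameters and limits are not modelled.

```python
# Added example, not code from the original post or from Netatmo: an offline model of the
# four-step flow in the post. FakeTokenEndpoint, BackendProxy, APP_LIMIT, PADDING and all
# credentials below are constructed for the demo; the real endpoint and limits are not modelled.
import re
import secrets
from collections import Counter

CLIENT_ID = "demo-app-client-id-0001"          # constructed, not a real Netatmo value
CLIENT_SECRET = "demo-app-client-secret-9f3a"  # constructed
USER_DB = {"alice@example.com": "correct horse battery staple"}  # constructed user store
APP_LIMIT = 5  # requests per client_id the endpoint accepts: stands in for the per-app limit
PADDING = b"\x7fELF\x02\x01\x01" + bytes(range(32)) * 4  # non-printable filler, "rest of the binary"

class FakeTokenEndpoint:
    """Stand-in for the provider's token service; quota is charged per client_id."""

    def __init__(self):
        self.calls = Counter()  # requests per client_id
        self.tokens = {}        # issued token -> username

    def token(self, client_id, client_secret, username, password):
        if client_secret != CLIENT_SECRET:
            raise PermissionError("401: bad client credentials")
        self.calls[client_id] += 1  # charged before the user check: junk logins still cost quota
        if self.calls[client_id] > APP_LIMIT:
            raise RuntimeError("429: per-app limit exceeded for " + client_id)
        if USER_DB.get(username) != password:
            raise PermissionError("401: bad user credentials")
        tok = secrets.token_hex(8)
        self.tokens[tok] = username
        return tok

def build_bundle(config):
    """Step 2 of the post: the shipped app, with config compiled in as NUL-terminated
    key=value strings between chunks of binary padding."""
    return PADDING + b"".join(f"{k}={v}\0".encode() for k, v in config.items()) + PADDING

def extract_strings(bundle):
    """What `strings` or a hex editor yields from the bundle: every printable key=value run.
    The app reads its own config from the same bytes, so the attacker sees what the app sees."""
    return {m.group(1).decode(): m.group(2).decode()
            for m in re.finditer(rb"([a-z_]+)=([\x21-\x7e]+)", bundle)}

def attempt(login, username, password):
    """Run one login and classify the result."""
    try:
        login(username, password)
        return "token"
    except PermissionError:
        return "401"
    except RuntimeError as e:
        return "429" if e.args[0].startswith("429") else "throttled"

class BackendProxy:
    """Alternative split: client_secret lives only on a server the developer runs; the app
    ships just the backend address, and the backend throttles per user before spending quota."""

    def __init__(self, endpoint, per_user_limit=2):
        self.endpoint, self.per_user, self.limit = endpoint, Counter(), per_user_limit

    def login(self, username, password):
        self.per_user[username] += 1
        if self.per_user[username] > self.limit:
            raise RuntimeError("backend: too many attempts for " + username)
        return self.endpoint.token(CLIENT_ID, CLIENT_SECRET, username, password)

def demo_embedded():
    """Embedded-secret design: extract, burn the app's quota with junk logins, lock out alice."""
    ep = FakeTokenEndpoint()
    bundle = build_bundle({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    leaked = extract_strings(bundle)  # steps 3-4 of the post use these same two values

    def app_login(u, p):
        return ep.token(leaked["client_id"], leaked["client_secret"], u, p)

    attacker = [attempt(app_login, "nobody@example.com", "x") for _ in range(APP_LIMIT + 1)]
    victim = attempt(app_login, "alice@example.com", USER_DB["alice@example.com"])
    return leaked, attacker, victim

def demo_proxy():
    """Backend-proxy design: nothing secret in the bundle; junk logins hit the per-user
    throttle and never reach the shared per-app quota, so alice still gets a token."""
    ep = FakeTokenEndpoint()
    bundle = build_bundle({"backend_url": "https://backend.example/login"})
    proxy = BackendProxy(ep)
    attacker = [attempt(proxy.login, "nobody@example.com", "x") for _ in range(APP_LIMIT + 1)]
    victim = attempt(proxy.login, "alice@example.com", USER_DB["alice@example.com"])
    return extract_strings(bundle), attacker, victim, ep.calls[CLIENT_ID]

if __name__ == "__main__":
    print(demo_embedded())
    print(demo_proxy())
```

Run directly to print both outcomes. In the embedded design the attacker's six junk logins all pass the client-secret check, so five are charged to the app's quota and the sixth and every later request, including alice's real login, come back as 429. In the proxy design the bundle yields only a backend address, the attacker is cut off by the backend after two attempts, and only three requests ever reach the provider. The proxy does not stop someone from impersonating the app towards your own backend, but the secret and the per-app budget are no longer in the hands of every customer.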
