
[Security] Securing ClientID/ClientSecret in non-web apps

Posted: 18 Jan 2018, 13:28
by s.djukic2
Dear all,

I have a question regarding handling application credentials securely. If I understood the docs correctly, then if you are building a mobile app the workflow would be:
1) Register a new app => you get ClientID/ClientSecret generated
2) Create a mobile app => embed ClientID/ClientSecret in it
3) Ask the user for user/pass once and execute the Client Credentials flow => store an authtoken
4) Invoke REST APIs with the authtoken (user/pass discarded)

So my question is this: you are basically required to embed your app's ClientID/ClientSecret in a mobile app, which is distributed to thousands of customers and is easily extractable - isn't this a fundamental security risk?

I'm not sure about the extent of harm that can be done, but at least a DoS attack could invalidate your application easily by invoking REST calls aggressively beyond the per-app limit.
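The following is an added example, not code from the original post or from any vendor SDK, illustrating what "easily extractable" means for a ClientSecret shipped inside an app. It assumes a hypothetical form-encoded, password-style token request for the step-3 exchange (no particular vendor's API), and it stands in a constructed byte blob for the app binary; the credential values, endpoint and detection thresholds are all made up for the demo.

```python
"""Added example (not from the original post or any vendor SDK): what "easily
extractable" means for a ClientSecret shipped inside a mobile app.

Part 1 builds the token request of step 3, modelled here as a form-encoded
password-style grant (a hypothetical request shape, not any particular vendor's
API), and shows that the secret travels in every such request.
Part 2 builds a constructed stand-in for an app binary with the secret stored as
an ordinary string constant, then recovers it with a strings + entropy scan, the
same thing `strings` on an unpacked APK/IPA gives an attacker.
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials for the demo; not real values.
CLIENT_ID = "demo-mobile-app"
CLIENT_SECRET = "sK9f2Lq8Zx3Vp7Wn1Ry4Tg6Hb0Jd5McE"  # 32 distinct chars, 5.0 bits/char


def build_token_request(client_id, client_secret, username, password):
    """Form body for the step-3 exchange (hypothetical grant_type=password shape)."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def request_fields(body):
    """Decode a form body into a flat dict, as an intercepting proxy would see it."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def shannon_entropy(s):
    """Bits per character; a random secret scores close to log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_fake_binary(secret):
    """Constructed stand-in for a compiled app: non-printable filler around a few
    string constants, including the secret stored as a plain string constant."""
    filler = bytes([0x00, 0x01, 0x7F, 0x90, 0xCC, 0xFF]) * 16
    constants = [
        b"libreactnativejni.so",
        b"https://api.example.invalid/oauth/token",   # hypothetical endpoint
        b"client_id=" + CLIENT_ID.encode(),
        secret.encode(),                               # the ClientSecret, as a bare constant
        b"Content-Type: application/x-www-form-urlencoded",
    ]
    blob = bytearray()
    for c in constants:
        blob += filler + c + b"\x00"
    return bytes(blob)


def extract_strings(blob, min_len=8):
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Bare credential-like token: long, URL-safe charset, no separators.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")


def find_secret_candidates(blob, min_entropy=4.0):
    """Return strings that look like credentials: either labelled as one
    (key=value with secret/key/token in the key) or a long high-entropy token."""
    found = []
    for s in extract_strings(blob):
        key, sep, value = s.partition("=")
        if sep and any(w in key.lower() for w in ("secret", "key", "token")):
            found.append(value)
        elif TOKEN_RE.match(s) and shannon_entropy(s) >= min_entropy:
            found.append(s)
    return found


if __name__ == "__main__":
    body = build_token_request(CLIENT_ID, CLIENT_SECRET, "alice", "correct horse")
    print("secret sent in every token request:", request_fields(body)["client_secret"])
    recovered = find_secret_candidates(build_fake_binary(CLIENT_SECRET))
    print("secret recovered from the binary:", recovered)
```

Run it with a plain `python3`; no network is needed. Against a real package the equivalent is unzipping the APK/IPA and running `strings` over its libraries and asset files, with a proxy on a rooted or jailbroken device as the second route. Both recover the value, so a secret that ships in the app can identify the app but cannot authenticate it, which is the risk the post is asking about.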