There is no secure key store, but a secure key store wouldn't help here. Anything you do in the client/app is going to be obfuscation[1]. The standard solution to this type of thing is for your app to have a server component that keeps your API key secret.
However, you still run into the problem that the server really can't know whether the connections being made to it are from your app running your code or some code that's derived from your app trying to act like your app to get API calls for free[1]. But by keeping the API key on the server your server logic can do things to rate-limit clients making calls, make sure the calls are in keeping with what the app would do and blacklist bad IPs/subnets, etc.

Andrew

1: The exception is if a trusted-computing stack is in play that can generate cryptographic attestations. But that is not something Firefox OS devices have or Firefox OS has.

On Thu, Jul 23, 2015, at 11:35 PM, Shing Lyu wrote:
> Hi, I stumbled upon a problem while developing apps on my
> foxfooding phone.
>
> My app needs to access an API, which requires an API token (charges to
> my account.) However, if I write it directly in the JS file, everybody
> can easily see it by getting my package.zip or use a WebIDE console.
> Is there any secure way I can store the API token (and any other
> sensitive data) on Firefox OS? I expect the system should provide some
> secure key store, does that make sense? Thank you.
>
> Regards,
> Shing Lyu
> QA, Mozilla Taipei
> _________________________________________________
> dev-b2g mailing list [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
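An added example, not part of the original message or of any Mozilla code: a sketch of the server component the reply describes, where the API key stays on the server and every client call passes a denylist, an allow-list of calls the app would make, and a per-IP rate limit before it is forwarded. The endpoint path, limits, upstream host and environment-variable name are all assumptions.

```javascript
// Added example, not from the thread. Paths, limits, host and env var are assumptions.
const API_KEY = process.env.UPSTREAM_API_KEY || "placeholder-key"; // server-side only
const ALLOWED_PATHS = new Set(["/v1/translate"]); // calls the real app would make
const DENYLIST = new Set(["203.0.113.7"]);        // constructed sample address
const LIMIT = 5, WINDOW_MS = 60000;               // 5 calls per minute per client IP
const windows = new Map();                        // ip -> { start, count }

// Decide whether a client call may be forwarded upstream.
function checkRequest(ip, path, now = Date.now()) {
  if (DENYLIST.has(ip)) return { ok: false, status: 403, reason: "denylisted" };
  if (!ALLOWED_PATHS.has(path)) return { ok: false, status: 404, reason: "not an app call" };
  let w = windows.get(ip);
  if (!w || now - w.start >= WINDOW_MS) {
    w = { start: now, count: 0 };                 // start a fresh fixed window
    windows.set(ip, w);
  }
  if (w.count >= LIMIT) return { ok: false, status: 429, reason: "rate limited" };
  w.count += 1;
  return { ok: true, status: 200 };
}

// Build the outbound request. The key is attached here and never sent to the client.
function buildUpstreamRequest(path, body) {
  return {
    url: "https://api.example.invalid" + path,    // placeholder upstream host
    headers: { Authorization: "Bearer " + API_KEY, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Default sender; uses the global fetch available in current Node releases.
async function fetchUpstream(req) {
  const res = await fetch(req.url, { method: "POST", headers: req.headers, body: req.body });
  return res.json();
}

// Entry point a route handler would call with the client's IP, path and JSON body.
async function handle(ip, path, body, send = fetchUpstream, now = Date.now()) {
  const verdict = checkRequest(ip, path, now);
  if (!verdict.ok) return { status: verdict.status, body: { error: verdict.reason } };
  const payload = await send(buildUpstreamRequest(path, body));
  return { status: 200, body: payload };          // only the upstream payload goes back
}
```

As the reply notes, this does not prove the caller is the genuine app; it only bounds what any caller can do with the key.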
