Hi,

We can use Dynamic Client Registration [1] to get a ClientKey and a ClientSecret. The advantage here is that different instances of the same application will have different ClientKey and ClientSecret. With this we can identify each installation.

Dynamic Client Registration has a registration endpoint which requires an initial token. The initial token can be obtained using basic authentication, then the client can use that initial token to register itself at the EMM and get the ClientKey + ClientSecret. Once the client has received the ClientKey and ClientSecret, it should store them securely.

[1] http://openid.net/specs/openid-connect-registration-1_0.html

On Thu, Apr 17, 2014 at 2:52 PM, Harshan Liyanage <[email protected]> wrote:

> I think we could use a technique like "Image Steganography" [1] to store the consumer key/secret inside the application so it would be difficult to hack. For the image we can use something like the application logo so it won't get much attention. On the other hand we could modify the steganography algorithm and make it much more secure.
>
> [1]. http://en.wikipedia.org/wiki/Steganography
>
> Best Regards,
>
> Lakshitha Harshan
> Software Engineer
> Mobile: +94724423048
> Email: [email protected]
> Blog : http://harshanliyanage.blogspot.com/
> WSO2, Inc. : wso2.com <http://wso2.com/>
> lean.enterprise.middleware.
>
> On Thu, Apr 17, 2014 at 2:21 PM, Chathura Dilan <[email protected]> wrote:
>
>> If it is unique to the app, there could be another security issue. Someone can get our source and authenticate himself with his app, and they are able to download the key from the server.
>>
>> On Thu, Apr 17, 2014 at 2:12 PM, Chathura Dilan <[email protected]> wrote:
>>
>>> Is the consumer/secret key unique to a user or is it unique to the app?
>>>
>>> On Thu, Apr 17, 2014 at 12:20 PM, Chan <[email protected]> wrote:
>>>
>>>> +1 to the idea since basic auth will be first used to obtain the consumer secret. But we might have to change the flow from how it usually works.
>>>>
>>>> Cheers~
>>>>
>>>> On Thu, Apr 17, 2014 at 12:17 PM, Kasun Dananjaya Delgolla <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We're going to protect all the API calls from the EMM client side using OAuth.
>>>>>
>>>>> I have a concern whether to store the consumer key/secret inside the EMM Agent Application or making them dynamic. We can actually send those 2 when the user authenticates from the mobile client (as the response), and then we can store them inside a private preference (which is application private).
>>>>>
>>>>> I see this as the safest way because keeping it hardcoded in the source or a file might be extremely easy to hack. So WDYT?
>>>>>
>>>>> Regards,
>>>>> --
>>>>> Kasun Dananjaya Delgolla
>>>>>
>>>>> Software Engineer
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>> Tel: +94 11 214 5345
>>>>> Fax: +94 11 2145300
>>>>> Mob: +94 777 997 850
>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>> Linkedin: http://lk.linkedin.com/in/kasundananjaya
>>>>
>>>> --
>>>> Chan (Dulitha Wijewantha)
>>>> Software Engineer - Mobile Development
>>>> WSO2Mobile
>>>> Lean.Enterprise.Mobileware
>>>> ~Email [email protected]
>>>> ~Mobile +94712112165
>>>> ~Website dulitha.me <http://dulitha.me>
>>>> ~Twitter @dulitharw <https://twitter.com/dulitharw>
>>>> ~Github @dulichan <https://github.com/dulichan>
>>>> ~SO @chan <http://stackoverflow.com/users/813471/chan>
>>>
>>> --
>>> Regards,
>>>
>>> Chatura Dilan Perera
>>> (Senior Software Engineer - WSO2 Inc.)
>>> www.dilan.me
>>
>> --
>> Regards,
>>
>> Chatura Dilan Perera
>> (Senior Software Engineer - WSO2 Inc.)
>> www.dilan.me
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Suresh Attanayake
Senior Software Engineer; WSO2 Inc.
http://wso2.com/
Blog : http://sureshatt.blogspot.com/
Web : http://www.ssoarcade.com/
Facebook : https://www.facebook.com/IdentityWorld
Twitter : https://twitter.com/sureshatt
LinkedIn : http://lk.linkedin.com/in/sureshatt
Mobile : +94755012060
Mobile : +016166171172
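As an added illustration of the Dynamic Client Registration flow proposed at the top of this thread (example code, not from the thread or from the WSO2 EMM code base), the following in-memory simulation plays both sides: a basic-auth step that issues a short-lived initial access token, a registration endpoint that consumes that token once and mints a per-installation client_id/client_secret, and the token-endpoint check that each installation can then pass only with its own secret. The user store, endpoint behaviour and all credential values are constructed for the example.

```python
import base64, hashlib, hmac, secrets, time

# Constructed in-memory stores standing in for the EMM backend (hypothetical, not real data).
USERS = {"device-admin": hashlib.sha256(b"constructed-password").hexdigest()}
INITIAL_TOKENS: dict[str, float] = {}  # initial access token -> expiry (epoch seconds)
CLIENTS: dict[str, dict] = {}          # client_id -> registration record (secret kept hashed)

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header the agent sends for the initial basic-auth step."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def issue_initial_token(authorization_header: str, ttl: int = 300) -> str:
    """Basic-auth protected step: exchange user credentials for a short-lived initial access token."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic":
        raise PermissionError("401 Unauthorized: Basic authentication required")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        raise PermissionError("401 Unauthorized: bad credentials")
    token = secrets.token_urlsafe(32)
    INITIAL_TOKENS[token] = time.time() + ttl
    return token

def register_client(bearer_token: str, metadata: dict) -> dict:
    """POST /register: consume the initial token (single use) and mint per-installation credentials."""
    expiry = INITIAL_TOKENS.pop(bearer_token, None)
    if expiry is None or expiry < time.time():
        raise PermissionError("401 Unauthorized: invalid_token")
    if not metadata.get("redirect_uris"):
        raise ValueError("400 Bad Request: invalid_client_metadata")
    client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    # The server keeps only a hash of the secret, so a database leak does not yield usable client secrets.
    CLIENTS[client_id] = {"secret_hash": hashlib.sha256(client_secret.encode()).hexdigest(), **metadata}
    return {"client_id": client_id, "client_secret": client_secret,
            "client_id_issued_at": int(time.time()), "client_secret_expires_at": 0}

def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Token-endpoint check: does this installation present the secret it was issued?"""
    record = CLIENTS.get(client_id)
    return record is not None and hmac.compare_digest(
        record["secret_hash"], hashlib.sha256(client_secret.encode()).hexdigest())

def enroll_installation(user: str, password: str) -> dict:
    """Client side of the whole flow: basic auth -> initial token -> registration -> own key/secret."""
    token = issue_initial_token(basic_auth_header(user, password))
    return register_client(token, {"client_name": "EMM Agent", "redirect_uris": ["emmagent://callback"]})
```

Running enroll_installation twice with the same user yields two different client_id/client_secret pairs, which is what lets the server tell installations apart; the hard-coded consumer key problem raised earlier in the thread no longer arises because nothing shared ships in the app binary.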
