Runtime Secrets vs Code Obfuscation?

Is it better to protect APIs by obfuscating them within the mobile application or moving API keys to a secure cloud and delivering them to the mobile application at runtime?

Protecting API keys is a critical aspect of mobile app security, and there are two primary approaches to safeguarding these keys: code obfuscation and runtime secrets. In this article, we'll explore these two methods and compare their effectiveness in protecting API keys. Both approaches have their pros and cons, and the choice depends on the specific use case and security requirements.

Code Obfuscation:

Code obfuscation is the process of modifying an app's source code to make it more difficult for attackers to reverse-engineer and extract sensitive information like API keys. This approach involves renaming variables, modifying control flow structures, and inserting dummy code to confuse attackers. Obfuscating API secrets within the mobile application can provide security by making it more difficult for attackers to discover and extract the secrets used to access the APIs, be them regular API keys, JWT tokens or any other form of secrets.

However, while code obfuscation can be an effective way to deter casual attackers, it is not foolproof. This approach is vulnerable with the use of open source tools to reverse engineer the mobile app binary to find and extract the API secrets. For example, with the use of the Mobile Security Framework as seen in the article How to Extract an API Key from a Mobile App by Static Binary Analysis, even a non-developer can extract high-value secrets.  Experienced attackers can also use reverse-engineering tools to analyze the code at runtime and discover more well hidden API keys. Lastly, code obfuscation will introduce direct and indirect costs to the development process and the ongoing maintenance of the underlying code base, but it's undeniable that it is an effective way of protecting your codes intellectual property (IP).

Runtime Secrets:

Runtime secrets involve storing sensitive information like API keys outside of the app's code, in a separate location like a configuration file or a server. When the app needs to use the API key, it retrieves it from the external location at runtime. Removing API keys from your mobile app code and relocating them within a secure cloud service and delivering them just-in-time for the mobile app to use to make the API request can provide a higher level of security.

This approach offers several advantages over code obfuscation. For one, the API keys are not present in the app's code, making them much more difficult to extract through reverse engineering. Additionally, runtime secrets make it easier to rotate API keys, as the app doesn't need to be recompiled or re-released through the iOS and Android app stores every time a key is changed. API access can also be restricted to genuine (unmodified) instances of  the mobile app and the cloud server can be configured to detect and restrict access from applications running on a compromised device, emulator or framework.  

However, runtime secrets do have some potential drawbacks. For one, the external storage location must be secured, or else an attacker could potentially gain access to the API keys. Additionally, retrieving the keys at runtime can introduce some performance overhead and runtime secrets requires additional software development for both the mobile app and for the secure cloud service to deliver the API secrets. Runtime secrets require effort to deploy the service on the secure cloud service (and maintenance to stay up to date with the latest security threats). The amount of expertise and effort to develop such a security solution isn't small and takes months to develop, years to perfect and a lot of continuous research to keep up with the pace of zero days and new forms of attack. Alternatively, you can take this same approach with an outsourced secure cloud service.

More information can be found in the article Hands-on Mobile App and API Security - Runtime Secrets Protection.

Comparing the Approaches:

When deciding between runtime secrets and code obfuscation, one must take into consideration the cost of being breached and it's impact on the business and its reputation in the short and long term. Traditionally the costs of a data breach in terms of fines, reputation, loss of customers and reduced profitability is much greater then the investment in adequate security solutions. All of this must be taken into the context including the likelihood of attack as well.

So, which approach is better for protecting API keys? Ultimately, it depends on the specific needs and constraints of the app. Code obfuscation can be a reasonable option for apps that don't handle highly sensitive information and are not likely to be targeted by determined attackers. However, for apps that need to protect sensitive data or are likely to be targeted, runtime secrets offer a more robust and secure solution.


Conclusion:

First it is worth noting that the two approaches are by no means mutually exclusive. In fact, many mobile apps use both code obfuscation and runtime secrets to protect intellectual property within the application and the API keys that grant access valuable data in the cloud. By combining these methods, developers can create a more robust and layered defense in depth against attackers.

Protecting API keys is crucial for ensuring the security of mobile apps. In summary, if security is a top priority and additional infrastructure is acceptable, moving API keys to a secure cloud service and delivering them to the mobile app at runtime is the more secure option. While code obfuscation can be a reasonable approach for deterring casual attackers, runtime secrets offer a more robust and secure solution for protecting sensitive data. Ultimately, the best approach will depend on the specific needs and constraints of the app. By carefully considering the options and implementing a layered defense strategy, developers can help ensure the security of their mobile apps.

In conclusion, Code Obfuscation is always a good fit for when you want to protect and defend the intellectual property of your code itself, but a poor fit if the value that your are trying to protect is accessed via APIs and is held in the cloud. To protect valuable data that is shared through a channel and secured by API keys, the best approach is to remove hardcoded secrets from the mobile app and to utilize runtime secrets provided by a secure cloud service.