Development and production secrets in one file

Hello,

I'm asking about the Airship properties file from a security perspective. The Getting Started guide says to add an airship.properties file with the following strings: developmentAppKey, developmentAppSecret, productionAppKey and productionAppSecret.

Having all these properties in one file might be a bad idea, as the properties file is included in the apk. So a hacker can extract the secrets of all environments.

That's why I have two questions:
1. Is it safe to keep the airship.properties file in the app/git repository? What can happen if the keys and secrets get compromised?
2. What are the possible ways to keep these properties secure?

Thanks.

Comments

1 comment

  • Hello,

    This is Eric from Airship Technical Support. We have a good write-up here about our keys and their limitations: https://docs.airship.com/guides/messaging/user-guide/admin/security/app-keys-secrets/

    1. It would be good to add it to your .gitignore file if your repository is going to be public. The doc link above discusses Tag and Named User changes that the SDK can do with these keys, but that is the extent of modifications that the App Key and App Secret can do. You would need the Master Secret to do any major modifications to a project via the API. If you believe your keys have been compromised, you can reach out to support@airship.com and we can refresh your App Secret and Master Secret.

    2. We don't have any specific recommendations around securing these keys since the system was designed around them being less secure. The other option you do have is to set the key values directly in the config object before it is passed to takeOff().

    Thank you,

    Eric L.
    Technical Support Engineer
    Airship Group | Apptimize | Portland

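Added example (not part of the original thread and not Airship's code): a build check that opens an APK and reports which environments' keys from airship.properties are bundled, so a release build can be failed when it still carries development credentials. The function names, the assets/ path in the sample and the placeholder values are assumptions constructed for illustration.

```python
import io
import zipfile

# The four property names listed in the question above.
ENV_KEYS = {
    "development": ("developmentAppKey", "developmentAppSecret"),
    "production": ("productionAppKey", "productionAppSecret"),
}

def parse_properties(text):
    """Parse simple Java .properties text (key=value or key:value lines)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # first separator splits key from value
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def bundled_environments(apk):
    """Return environments with a non-empty key or secret in any bundled airship.properties."""
    found = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] != "airship.properties":
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            for env, keys in ENV_KEYS.items():
                if any(props.get(k) for k in keys):
                    found.add(env)
    return found

def audit(apk, expected_env):
    """List environments whose credentials are bundled but are not the build's target."""
    return sorted(bundled_environments(apk) - {expected_env})

def constructed_apk(properties_text):
    """Build an in-memory stand-in for an APK (constructed sample, assumed assets/ path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/airship.properties", properties_text)
    return buf

if __name__ == "__main__":
    sample = ("developmentAppKey=DEV_KEY\ndevelopmentAppSecret=DEV_SECRET\n"
              "productionAppKey=PROD_KEY\nproductionAppSecret=PROD_SECRET\n")
    print(audit(constructed_apk(sample), "production"))
```

`audit()` also accepts a path to a real APK file; a non-empty result means the build ships credentials for an environment it does not target.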