
Security of "app_secret" #1282

Closed
daniel-kun opened this issue Aug 27, 2021 · 4 comments

Comments

@daniel-kun

Dear app center docs team,

I have feedback regarding the section "Protect the App Center secret value".

I think that the section could be rephrased to clearly - and in easy to understand terms - state the technical facts:

  • First of all, and most importantly: It is technically not possible to transfer your app_secret to the device of your users without those users being able to retrieve it. Even on iOS, which is a very locked-down system, it is possible (and not even so difficult) to extract the app_secret from your app, no matter what you do. This is not a limitation of App Center Analytics, but a limitation of the fundamental concepts of operating systems and app distribution systems.
  • That said, it is technically possible for everyone to extract that app_secret and send analytics data to your analytics "bucket" without limitation, and without you being able to distinguish it from "real" analytics data.
  • You can try to find out whether this is the case by looking for suspicious patterns in your data. If you find such suspicious patterns, you have to: a) generate a new app_secret and render the old app_secret useless. b) redeploy your app with the new app_secret. It is important to note that your "old" app will not be able to send analytics until the end-user has updated to the new version.
  • It is impossible for anyone with the app_secret to retrieve the analytics data. The access is "write-only" (at least, I hope this is the case :-))
  • If you don't want to include your app_secret in your code base - so that every developer that has read-access to the code base can more easily extract it than it would be to extract from the final app image - you can use CI/CD environment variables to import it into your code base with means of your programming language and CI/CD environment.

If I am not correct on any or all of the above points, feel free to give feedback or ask questions regarding my statements.

Greetings,

Daniel Albuschat
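The post above describes three properties of the telemetry flow: an app_secret only authorises writes, forged events are indistinguishable at ingestion time and can only be found afterwards by looking for suspicious patterns, and rotating the secret cuts off builds that still carry the old one. The following simulation is an added example, not code from the issue or from App Center; the secret values, event shapes, thresholds and the "unknown app version" and "event burst" heuristics are all constructed for illustration.

```python
"""Constructed model of a write-only telemetry bucket: ingestion, owner-side
anomaly review, and app_secret rotation. Not App Center's real implementation."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    app_secret: str   # the secret shipped inside the app build
    device_id: str    # constructed device identifier
    app_version: str  # version string reported by the client
    name: str         # event name
    ts: int           # constructed timestamp in seconds


class TelemetryBucket:
    """An app_secret lets a client append events; it never lets it read or modify them."""

    def __init__(self, active_secret, known_versions):
        self.active_secrets = {active_secret}
        self.known_versions = set(known_versions)  # versions the owner actually shipped
        self._events = []  # readable only through the owner's account, never via app_secret

    def ingest(self, ev):
        """Write-only endpoint: a valid secret is the only check, so forged and
        genuine events from the same build are accepted alike."""
        if ev.app_secret not in self.active_secrets:
            return False
        self._events.append(ev)
        return True

    def rotate(self, new_secret):
        """Revoke every old secret; builds that still embed the old one stop writing."""
        self.active_secrets = {new_secret}

    def suspicious(self, burst_threshold=50, window=60):
        """Owner-side review of stored data, the 'look for suspicious patterns' step."""
        findings = []
        # Heuristic 1 (assumed): a version string the owner never released.
        unknown = sorted({e.app_version for e in self._events} - self.known_versions)
        if unknown:
            findings.append(("unknown_version", unknown))
        # Heuristic 2 (assumed): one device emitting far more events per window
        # than a real user plausibly would.
        per_device = defaultdict(Counter)
        for e in self._events:
            per_device[e.device_id][e.ts // window] += 1
        bursty = sorted(d for d, c in per_device.items() if max(c.values()) > burst_threshold)
        if bursty:
            findings.append(("burst", bursty))
        return findings


def simulate():
    """Walk through ingest -> review -> rotate with constructed events."""
    OLD, NEW = "old-app-secret-PLACEHOLDER", "new-app-secret-PLACEHOLDER"
    bucket = TelemetryBucket(OLD, known_versions=["1.0.0", "1.1.0"])
    events = []
    # Three genuine devices, a handful of events each (constructed).
    for dev in ("dev-a", "dev-b", "dev-c"):
        events += [Event(OLD, dev, "1.0.0", "screen_view", 1000 + i * 30) for i in range(5)]
    # One sender that reuses the extracted secret to flood fake purchases (constructed).
    events += [Event(OLD, "dev-forged", "9.9.9", "purchase", 2000 + i) for i in range(200)]
    accepted = sum(bucket.ingest(e) for e in events)  # every event carries a valid secret
    findings = bucket.suspicious()
    bucket.rotate(NEW)
    old_build = bucket.ingest(Event(OLD, "dev-a", "1.0.0", "screen_view", 3000))
    new_build = bucket.ingest(Event(NEW, "dev-a", "1.1.0", "screen_view", 3001))
    return {
        "accepted_before_rotation": accepted,   # 215: nothing was rejected at ingestion
        "findings": findings,                    # only post-hoc review flags the forger
        "old_build_after_rotation": old_build,   # False: genuine users on the old build go dark too
        "new_build_after_rotation": new_build,   # True
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, "=", v)
```

The rotation step makes the trade-off in the post concrete: after `rotate()`, the forger is locked out, but so is every genuine user who has not yet updated to the build carrying the new secret.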



@AnastasiaKubova
Contributor

Hello! Thanks for getting in touch with us!
We will take into account your suggestions and update the docs.

@wisdeom
Contributor

wisdeom commented Sep 14, 2021

Hi @daniel-kun, thank you for your suggestion. I wanted to check if I understood your suggestion correctly. Please let me know if I got anything wrong or misunderstood. Your suggestion is to cover:

  1. With app_secret, data cannot be retrieved.
  2. With app_secret, data cannot be overwritten/modified.
  3. Exemplary abusive user case scenario: the possible impact on the data flow when app_secret is compromised, the token should be re-created.

Is this correct? And yes, it's write-only. :)

@daniel-kun
Author

Hello @AnastasiaKubova and @wisdeom!

Thank you for taking my suggestions into account.

@wisdeom The three points that you mentioned are important to know and to be "guaranteed", yes!

But what I find even more important is the fact that the app_secret can not be hidden from the public. Especially because many online blog posts and documentations explain how to "hide" the app_secret from your source-code using CI variables, this becomes very misleading to readers that don't deeply understand what is going on.

What I find important to convey in the documentation, is:

  1. You cannot hide your app_secret from the public, because it will be contained in your app package (dmg or apk) and can technically be extracted by anyone that installed your app (e.g. with a rooted phone).
  2. Using CI variables to "hide" the app_secret only hides it in the source code - which means it hides it from your co-workers, who may be much more trustworthy than the users of your app (except for open-source projects, where you hide it from anyone reading your project's source).
  3. The use of your app_secret is constrained as you outlined above: The maximum "damage" that can be done with it is sending fake telemetry data.
  4. Once you notice that your app_secret is used to send fake telemetry (IF you notice it), you can disable the app_secret and create a new one, but this will render your current version of your app unable to send genuine telemetry.

I hope that this is easier to understand. :-)

Greetings from Germany!

Daniel Albuschat
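Points 1 and 2 above say that a CI variable keeps the app_secret out of the repository but not out of the shipped package. The script below is an added example, not code from the issue or from App Center, that models that pipeline: a source template with a placeholder, CI-style substitution from the environment, packaging into a zip archive as a stand-in for an APK, and an owner-side check that lists which entries of the artifact still contain the secret. The template text, entry names and the secret value are constructed; a real compiler would place the literal in a string table rather than copy the source, but the literal survives either way.

```python
"""Constructed demonstration that a CI-injected app_secret ends up in the
build artifact even though it never appears in the source repository."""
import io
import zipfile

# Constructed stand-in for a source file in the repository: only a placeholder is committed.
REPO_TEMPLATE = 'AppCenter.start("${APP_CENTER_SECRET}", Analytics.class);\n'


def render_from_env(template, env):
    """CI-style substitution: the secret comes from the pipeline environment, not from git."""
    if "APP_CENTER_SECRET" not in env:
        raise KeyError("APP_CENTER_SECRET is not set in the build environment")
    return template.replace("${APP_CENTER_SECRET}", env["APP_CENTER_SECRET"])


def build_package(rendered_source):
    """Constructed stand-in for an APK/DMG: a zip archive whose 'compiled code'
    entry keeps the string literal, just as a real string table would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", rendered_source.encode())   # hypothetical entry name
        z.writestr("AndroidManifest.xml", b"<manifest/>")     # hypothetical entry name
    return buf.getvalue()


def entries_containing(package_bytes, needle):
    """Owner-side artifact check: which entries of the package embed the given string.
    Useful as a release-pipeline step to confirm what a shipped build actually carries."""
    needle_bytes = needle.encode()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        return [name for name in z.namelist() if needle_bytes in z.read(name)]


def demo():
    """Run the pipeline with a constructed secret and report where it is visible."""
    env = {"APP_CENTER_SECRET": "example-secret-not-a-real-value"}  # constructed
    source = render_from_env(REPO_TEMPLATE, env)
    package = build_package(source)
    return {
        # What a reader of the repository sees: no secret.
        "secret_in_repository": env["APP_CENTER_SECRET"] in REPO_TEMPLATE,
        # What anyone holding the installed package sees: the secret, in the code entry.
        "entries_with_secret": entries_containing(package, env["APP_CENTER_SECRET"]),
    }


if __name__ == "__main__":
    print(demo())
```

The two results side by side are the point of the post: `secret_in_repository` is false, so co-workers reading the source do not see the value, while `entries_with_secret` is non-empty, so every installed copy carries it. A CI variable changes who can read the secret easily, not whether it can be read.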

@wisdeom wisdeom self-assigned this Sep 28, 2021
@wisdeom
Contributor

wisdeom commented Sep 28, 2021

@daniel-kun Danke! Good to hear from you. Appreciate your time to elaborate on your points further. 👍 I find it helpful to understand it better now. I'll bring it to the team and discuss internally how we can make improvements. Thanks again!

@wisdeom wisdeom closed this as completed Sep 28, 2021