Security of "app_secret" #1282
Comments
Hello! Thanks for getting in touch with us!
Hi @daniel-kun Thank you for your suggestion. I wanted to check if I understood your suggestion correctly. Please let me know if I got anything wrong or misunderstood. Your suggestion is to cover:
Is this correct? and yes, it's write-only. :)
Hello @AnastasiaKubova and @wisdeom! Thank you for taking my suggestions into account. @wisdeom The three points that you mentioned are important to know and to be "guaranteed", yes! But what I find even more important is the fact that the What I find important to convey in the documentation, is:
I hope that this is easier to understand. :-) Greetings from Germany! Daniel Albuschat
@daniel-kun Danke! Good to hear from you. Appreciate your time to elaborate on your points further. 👍 I find it helpful to understand it better now. I'll bring it to the team and discuss internally how we can make improvements. Thanks again!
Dear app center docs team,
I have feedback regarding the section "Protect the App Center secret value".
I think that the section could be rephrased to clearly - and in easy to understand terms - state the technical facts:
- app_secret to the device of your users without those users being able to retrieve it. Even on iOS, which is a very locked-down system, it is possible (and not even so difficult) to extract the app_secret from your app, no matter what you do. This is not a limitation of App Center Analytics, but a limitation of the fundamental concepts of operating systems and app distribution systems.
- app_secret and send analytics data to your analytics "bucket" without limitation, and without you being able to distinguish it from "real" analytics data.
- app_secret and render the old app_secret useless. b) redeploy your app with the new app_secret. It is important to note that your "old" app will not be able to send analytics until the end-user has updated to the new version.
- app_secret to retrieve the analytics data. The access is "write-only" (at least, I hope this is the case :-))
- app_secret in your code base - so that every developer that has read-access to the code base can more easily extract it than it would be to extract from the final app image - you can use CI/CD environment variables to import it into your code base with means of your programming language and CI/CD environment.

If I am not correct on any or all of the above points, feel free to give feedback or ask questions regarding my statements.
Greetings,
Daniel Albuschat
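
Added example (not part of the original issue or of the App Center documentation): a build-time step in the spirit of the last point above, which injects the secret from a CI/CD environment variable into a templated source file and flags values still hardcoded in the code base. The variable name `APP_CENTER_SECRET`, the `@@APP_SECRET@@` placeholder, the file names and the UUID-shaped secret format are assumptions made for this sketch.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: the secret is UUID-shaped; adjust the pattern if yours differs.
SECRET_RE = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")
CONTEXT_RE = re.compile(r"appcenter|secret", re.I)  # only flag lines that look related
PLACEHOLDER = "@@APP_SECRET@@"   # hypothetical token used in the template file
ENV_VAR = "APP_CENTER_SECRET"    # hypothetical CI/CD variable name


def render_config(template: str, env=os.environ) -> str:
    """Substitute the secret at build time; fail the build if it is unset."""
    secret = env.get(ENV_VAR, "").strip()
    if not SECRET_RE.fullmatch(secret):
        raise RuntimeError(f"{ENV_VAR} is missing or not UUID-shaped")
    if PLACEHOLDER not in template:
        raise RuntimeError("template has no placeholder; nothing to inject")
    return template.replace(PLACEHOLDER, secret)


def find_hardcoded_secrets(root: Path, suffixes=(".swift", ".kt", ".java", ".cs", ".js")):
    """Return (relative path, line number) for secret-like literals in source files."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                if CONTEXT_RE.search(line) and SECRET_RE.search(line):
                    hits.append((path.relative_to(root).as_posix(), n))
    return hits


def demo():
    """Constructed sample tree: one templated file, one with a hardcoded value."""
    fake = "00000000-1111-2222-3333-444444444444"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Config.swift.in").write_text(f'let appSecret = "{PLACEHOLDER}"\n')
        (root / "Legacy.swift").write_text(f'// setup\nAppCenter.start(withAppSecret: "{fake}")\n')
        rendered = render_config((root / "Config.swift.in").read_text(), {ENV_VAR: fake})
        return rendered, find_hardcoded_secrets(root)


if __name__ == "__main__":
    print(demo())
```

This keeps the value out of the repository only; as the issue states, it still ships inside the built app and can be extracted from there.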