We are having a security concern for our android app which we think might be faced for any andriod app which is accessing kinvey as back end, the issue is that we have to store the app secret in the code in order to be able to access Kinvey app, as you know apk for the app can be unpacked to reveal the app key and app secret to anyone..

we are trying to encapsulate this in the back end and to retrieve the app secret while login using REST and retrieving the app secret within the login request from a collection which stores our app secret, but we are not able to do such while user registration or while facebook login..



Please tell us if there is a way to do this or any other way in order not to store the app secret in the code.

Hey,



It should be OK to package your app key/secret within your application. These credentials can only be used to create new users (and ping your backend), and we have other mechanisms for controlling user creation. If you want to restrict account creation, you can use email verification: http://devcenter.kinvey.com/android/guides/users#emailverification



and you can also set BL on the user collection to act on the user create operation, allowing for any other validation that might be necessary. (set a collection hook on presave in the user collection) http://devcenter.kinvey.com/android/guides/business-logic#collection-hooks



This means that even if a malicious party can access your app secret, they can only really use it to create new user accounts-- and you can run custom logic to restrict this.