Solved

Is it possible for a hacker to cause damage by knowing only the Authentication token or API key?

  • January 31, 2023
  • 1 reply
  • 171 views


Hi Team,

I am running an Android application with the RevenueCat SDK. We received a report from a guy regarding the storage of the RevenueCat authentication token. Is it possible for him to cause any critical damage using that API key?

Best Regards,

SHlok K

Best answer by Jens (RevenueCat Staff)

Hi @testerphreak, since your question is a little bit unclear, I’ll provide as much context as I can. RevenueCat has three kinds of authentication tokens / API keys. 

Firstly, there are two types of API keys that you can create in the RevenueCat dashboard: public keys and secret keys.

Public API keys are intended to be used in the SDK. They can’t be used to cause any damage: they can’t be used to read sensitive information such as subscriber attributes, and the only write access that they have is to upload purchases from the SDK, but these purchases are then validated on the backend side directly with the app store (in this case, Google Play Store), and any invalid purchases that an attacker would try to post will be discarded. The only consideration, security-wise, with public API keys is that they could be used to read the entitlement status for any user ID that an attacker knows. For this reason, we recommend using non-guessable user IDs.

Secret API keys are intended to be used from your backend and should never be embedded in your SDK. They can make modifications to the subscription status (e.g., granting promotional entitlements). However, the SDK will throw an error when you try to initialize it using a secret key, so it’s unlikely that you accidentally embedded a secret API key.

The last kind of authentication token is the authentication token used by the dashboard (web application), which is stored in your browser after you log in – I don’t think you are talking about this token in this context.


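The answer above boils down to one exposure for an extractable public SDK key: anyone holding it can ask "is user X entitled?" for any app user ID they can name, so the defence is to make app user IDs non-guessable. The following is an added example, not code from the original post and not RevenueCat's API or SDK: the `EntitlementDirectory` class is a constructed stand-in for a lookup that answers to any caller with the public key, the key string and the user IDs are made up, and `classify_app_user_id` is a heuristic lint whose patterns are my assumption about the common guessable ID shapes. It runs offline and contrasts enumeration against sequential IDs with enumeration against IDs drawn from the OS CSPRNG.

```python
import re
import secrets
from typing import Dict, Iterable, Optional, Set


def make_app_user_id(nbytes: int = 16) -> str:
    """Non-guessable app user ID: 128 bits from the OS CSPRNG as URL-safe base64 (22 chars)."""
    return secrets.token_urlsafe(nbytes)


# Assumed heuristics for IDs an attacker can enumerate or derive; not an exhaustive list.
_GUESSABLE_ID_PATTERNS = [
    ("sequential integer", re.compile(r"^\d{1,12}$")),
    ("email address", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("short/low-entropy", re.compile(r"^[A-Za-z0-9_-]{1,11}$")),  # under ~64 bits even if random
]


def classify_app_user_id(app_user_id: str) -> str:
    """Lint an app user ID: returns the matching guessable shape, or 'opaque'."""
    for label, pattern in _GUESSABLE_ID_PATTERNS:
        if pattern.match(app_user_id):
            return label
    return "opaque"


class EntitlementDirectory:
    """Constructed stand-in for a backend that reports entitlement status to any
    caller presenting the public key. Not RevenueCat's service or API."""

    def __init__(self, public_key: str) -> None:
        self._public_key = public_key
        self._entitlements: Dict[str, Set[str]] = {}

    def grant(self, app_user_id: str, entitlement: str) -> None:
        self._entitlements.setdefault(app_user_id, set()).add(entitlement)

    def lookup(self, api_key: str, app_user_id: str) -> Optional[Set[str]]:
        # Constant-time compare so the key check itself leaks nothing.
        if not secrets.compare_digest(api_key, self._public_key):
            raise PermissionError("invalid API key")
        return self._entitlements.get(app_user_id)  # None: no such subscriber


def enumerate_entitled_users(directory: EntitlementDirectory, api_key: str,
                             candidate_ids: Iterable[str]) -> Dict[str, Set[str]]:
    """Attacker's view: probe each candidate ID with the public key and keep
    the ones that come back with active entitlements."""
    hits: Dict[str, Set[str]] = {}
    for uid in candidate_ids:
        found = directory.lookup(api_key, uid)
        if found:
            hits[uid] = set(found)
    return hits


def demo() -> dict:
    """Run the same 100-probe enumeration against sequential and opaque IDs."""
    public_key = "pub_" + secrets.token_hex(8)  # constructed; not a real key format

    # Weak: database row IDs reused as app user IDs.
    weak = EntitlementDirectory(public_key)
    for uid in ("1001", "1002", "1003"):
        weak.grant(uid, "pro")

    # Strong: opaque random IDs generated per install or per account.
    strong = EntitlementDirectory(public_key)
    strong_ids = [make_app_user_id() for _ in range(3)]
    for uid in strong_ids:
        strong.grant(uid, "pro")

    guesses = [str(n) for n in range(1000, 1100)]
    return {
        "weak_hits": enumerate_entitled_users(weak, public_key, guesses),
        "strong_hits": enumerate_entitled_users(strong, public_key, guesses),
        "strong_ids": strong_ids,
    }


if __name__ == "__main__":
    result = demo()
    print("sequential IDs leaked:", sorted(result["weak_hits"]))
    print("opaque IDs leaked:", sorted(result["strong_hits"]))
    for uid in ("1001", "alice@example.com", result["strong_ids"][0]):
        print(uid, "->", classify_app_user_id(uid))
```

The point of the lint is the migration case: if an existing user base already uses e-mail addresses or row IDs as app user IDs, the public key in the APK is not the problem to fix, the ID scheme is.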
