Fabric.io Twitter凭据安全性

Question

I wasn't sure if I was supposed to ask this here, or in the security stackoverflow page, but I'm sure somebody has a great answer on this.

I'm building an Android app which uses the Fabric.io Twitter package . Using this requires a TWITTER_KEY and a TWITTER_SECRET code. I'm trying to hide them, because that's what they mention when the package is added.

At the moment I'm saving my cridentials in a SharedPreference like this at the beginning of my splash screen activity:

PreferenceManager.getDefaultSharedPreferences(getApplicationContext()).edit().putString("TWITTER_KEY", "xxxxxxxxxxxxxxxxxxxxxxx").commit();

Later, for initializing the Twitter package, I'm recieving them like this:

TwitterAuthConfig authConfig = new TwitterAuthConfig(PreferenceManager.getDefaultSharedPreferences(getApplicationContext()).getString("TWITTER_KEY", "defaultStringIfNothingFound")

I do the same with the TWITTER_SECRET code.

---

I have two questions:

1. What can people achieve if they have access to my keys?
2. Is this safe enough so that other apps can't acces my keys?
3. Is this safe enough for app decompiling?

Thanks for your help!

Answer 1

What can people achieve if they have access to my keys?

I don't know the API so I cannot answer this.

Is this safe enough so that other apps can't acces my keys?

Yes, unless the other app has root permission.

Is this safe enough for app decompiling?

No. But there is little you can do about it. You can make it somewhat harder to find the key but there is no 100% solution if the key is somehow embedded in the app. Whatever the app can do to recover the key can also be done by an attacker.

Btw. why do you store the key in shared preferences?