Encryption Questions

Hi all,

I have a few questions about security/encryption of data with CIQ.

First, if I use an API key in my app, could a user use some sort of proxy or something to steal that code?

Also, when I store data to the watch using Storage.setValue(), is this data encrypted?

Finally, is data encrypted while it is being sent and received from the phone to the watch, or is it unencrypted during this process?

May be silly questions, but I just want to make sure that my data is secure.

Thanks in advance,

Lance

0 SirLancelot over 5 years ago

I ask because I am working on a 3rd party agreement and they want me to verify that I can sufficiently secure their data. Any ideas?

0 jim_m_58 over 5 years ago in reply to SirLancelot

What is "sufficiently secure"? From a phone on out, you'd be using https. But from the device to the phone, a sniffer may be able to see things.

Application.Storage on the device is pretty secure, but it's pretty easy to dump the .set file and see things like a user's APIKEY. Same with dumping the .prg file and looking for a hard coded APIKEY and the url.

And then there is oauth.

0 SirLancelot over 5 years ago in reply to jim_m_58

Thanks for the response Jim!

By sufficiently secure, I mean that the api key remains confidential, and the data from the web site is confidential as well.

So what can I do to make this secure? Is there a way to hide the API key? Finally, how do other developers get around this issue?

Thank you again for all your help! You make it so much easier to develop apps!

Lance

0 sabeard over 5 years ago in reply to SirLancelot

SirLancelot, Viewing the SET and PRG files as Jim mentioned are possible, but do require the device to be plugged into the computer and users doing things that are beyond the "normal" use of the device. While those things might be normal for an app developer, probably less that a few percent of non developers even know or care that they can browse files on the device using their computer. Most of the users just use either Garmin Connect Mobile and/or Garmin Express to sync their device and manage apps. Based on my experience, many don't even want to access settings, just click download and use.

For the general Garmin user, I would suggest that the platform is "sufficiently secure" that you don't have much to worry about. If you need to save things locally it would be best to use the app storage module to save anything. I would not use the properties to save the API key, because as Jim points out, the file where properties are stored is easily viewable in a text editor. So for maximum security target devices with CIQ version greater than 2.4 and don't use the properties to store anything sensitive.

0 SirLancelot over 5 years ago in reply to sabeard

Thank you for the practical perspective, Sabeard!

Also, thank you Jim for your insightful response!

It helps me so much that y’all are both active in the forums, you have helped me solve many problems.

— Lance

0 9256409 over 5 years ago

Anything that is transmitted from the watch (via the phone) can be intercepted. Anything in the app binary can be extracted. I'm currently using burp on my laptop to view all the traffic from my app on my watch, to, for example openweather with my openweather api key visible in the HTTPS session traffic.

If you have an API key that you want to keep secret then you're probably better off having that on a server that you control and then using that to proxy access to the data. Alternatively, you might be able to generate a key pair and use your own scheme to retrieve the API key securely. I'm not sure you can securely save your private key though.

0 jim_m_58 over 5 years ago in reply to SirLancelot

If you are signing a contract, you may want a lawyer to check it for you, as you don't want to be held responsible for some things. They other side may have their lawyer involved.