Key exfiltration via decompilation

TLDR: How wily are folk out there in terms of decompiling .prg files? Would a modest amount of obfuscation suffice to protect a secret?

I'm aiming to provide some level of client authentication and user authorisation to a server that a data field app will interact with. I was thinking of a shared key approach, since ain't nobody got time for handshaking in a background context, and I can duly confirm the sender has the key. Naturally it's then important to weigh how easy it is to exfiltrate said key. Given that I do slightly better than dumping a string into the source, how hard is it (from 1 to Swordfish) to get at it?


  • Build the key based on the device ID.

    I use the device id to “log in” to a website. The user has to register their device on the website.

  • If I understand what he wants to do, it's not what device id is for. Device id identifies the device (kind of the user), but if I know your API I can easily generate another UUID and use your API. What he tries to prevent is exactly this: that only the app built by him should be able to use the API.

  • There’s a “unique id” that is specific to the particular app on a particular device. That would work for him. (I use it for a similar purpose.)

  • Well, maybe it's an X/Y question? If that's what he meant by client authentication, then you're right.

  • In my widget, I include the unique id as a URL parameter.

    If it’s new/unknown, I have the user register (authenticate) it.
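
An added example (not part of the thread and not any poster's code) of the registration idea in the replies above, taken one step further: the server derives a separate key for each registered unique id, so a key pulled out of one install authenticates only that install and can be revoked. `MASTER_SECRET`, the function names, and one-time delivery of the key to the app after registration are assumptions.

```python
import hashlib
import hmac

# Assumption: this secret exists only on the server and is never shipped in the PRG.
MASTER_SECRET = b"constructed-master-secret-for-demo"

registered = set()   # unique ids the user has registered (authenticated) on the website
revoked = set()      # unique ids whose key is believed to be compromised

def derive_install_key(unique_id: str) -> bytes:
    """Per-install key = HMAC-SHA256(master secret, unique id)."""
    return hmac.new(MASTER_SECRET, unique_id.encode(), hashlib.sha256).digest()

def register(unique_id: str) -> bytes:
    """Called after the user authenticates; the key is handed to the app once."""
    registered.add(unique_id)
    return derive_install_key(unique_id)

def revoke(unique_id: str) -> None:
    revoked.add(unique_id)

def sign_request(install_key: bytes, unique_id: str, timestamp: int, body: bytes) -> str:
    """What the app computes: a MAC over id, timestamp and payload."""
    msg = f"{unique_id}|{timestamp}|".encode() + body
    return hmac.new(install_key, msg, hashlib.sha256).hexdigest()

def verify_request(unique_id: str, timestamp: int, body: bytes, tag: str,
                   now: int, max_skew: int = 300) -> bool:
    """What the server checks before accepting a request."""
    if unique_id not in registered or unique_id in revoked:
        return False                      # unknown or revoked install
    if abs(now - timestamp) > max_skew:
        return False                      # stale request, limits replay
    expected = sign_request(derive_install_key(unique_id), unique_id, timestamp, body)
    return hmac.compare_digest(expected.encode(), tag.encode())
```

The server stores no per-device keys; it recomputes each one from the master secret, so rotating `MASTER_SECRET` invalidates every install at once.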

  • TL;DR in some cases it may be impossible for end users to get their hands on your PRG in the first place.

    As far as I know, on newer watches (i.e. devices which are still receiving firmware updates, starting with FR255/Fenix 7 and newer watches), no PRG files are available to the end user via the file system. (For the purpose of this comment I will refer to these PRGs as "hidden", although they are *completely* inaccessible to the end user, not simply hidden in a way that they could be revealed somehow.) 

    On all watches which support music, even older watches, all music provider PRGs are hidden (and a couple of other app types may also be hidden). It was in fact with the introduction of music provider apps that Garmin started hiding PRGs (initially they only hid music providers).

    Not sure what the exact situation is for Edge, except that some very new Edge models use MTP instead of USB Mass Storage, and it's possible that PRG files are hidden for these devices too. (All watches which support music use MTP, and all watches which support music hide PRGs for at least some app types. I'm guessing -- but not 100% sure -- that the rare modern Garmin watches which don't support music still use MTP anyway, and still hide PRGs for all app types.)

    I would guess that any device which supports monetization would most likely hide all PRG files. For some context, certain currently supported Garmin watches like FR955 only hid PRGs for certain app types, on release. Then at some point, *all* app types were hidden via a firmware update. Some time later, monetization was announced. I don't think that's a coincidence.

    So depending on which devices you support, you may not even have to worry about end users decompiling PRG files since it would be very hard or impossible for them to get their hands on your PRG in the first place.

    But since you asked, here's a PRG parser:

    https://github.com/pzl/ciqdb 

    Would a modest amount of obfuscation suffice to protect a secret?

    I think you know what the answer is, in general.

    If your secret is valuable at all, then no amount of obfuscation is sufficient. It's like asking if it's ok to post your secrets on GitHub as long as you obfuscate with rot13 or base64.
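
An added example (not part of the thread) of a pre-release self-check for the point made in the reply above: given your own key and the bytes of your own build artifact, it reports whether the key is recoverable under reversible encodings. It goes beyond the rot13 and base64 named in the reply by also checking hex, reversal and single-byte XOR; the function names and sample data are constructed for illustration.

```python
import base64
import codecs

def trivial_encodings(secret: str) -> dict:
    """Reversible 'obfuscations' of the secret that need no key to undo."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw).rstrip(b"="),
        "hex": raw.hex().encode(),
        "rot13": codecs.encode(secret, "rot_13").encode(),
        "reversed": raw[::-1],
    }

def single_byte_xor_hits(blob: bytes, raw: bytes) -> list:
    """XOR keys k (1..255) for which the secret XORed with k appears in the blob."""
    return [k for k in range(1, 256) if bytes(b ^ k for b in raw) in blob]

def audit_artifact(blob: bytes, secret: str) -> list:
    """Names of every trivial encoding under which the secret is present."""
    findings = [name for name, enc in trivial_encodings(secret).items() if enc in blob]
    findings += [f"xor-0x{k:02x}" for k in single_byte_xor_hits(blob, secret.encode())]
    return findings

# Constructed sample: a stand-in for compiled app bytes with the key stored as rot13.
DEMO_SECRET = "constructed-demo-key-42"
DEMO_BLOB = b"\x00\x01data" + codecs.encode(DEMO_SECRET, "rot_13").encode() + b"\x00"

if __name__ == "__main__":
    # An empty list only means these specific encodings were not found;
    # a key that the app can reconstruct at runtime is still in the artifact.
    print(audit_artifact(DEMO_BLOB, DEMO_SECRET))
```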

  • The Fenix 8 (at least) lets you choose MTP and “regular” USB.

  • The Fenix 8 (at least) lets you choose MTP and “regular” USB.

    Interesting. So you can choose between MTP and Mass Storage? I wasn't aware that was a possibility on any Garmin device.

    Or do you mean you have the following option in settings...

    System > USB Mode, where the 2 options are MTP (default) and Garmin

    ... and if you choose Garmin, then when you plug your watch into a computer, it prompts you to go into MTP mode (your choices are yes or no)?

    If you just mean it prompts you to go into MTP mode, then at least on every MTP watch I've ever used, answering no doesn't put you in mass storage mode, but just in a mode where it charges and maybe you can use certain older Garmin apps (not Garmin Express tho, afaik).

    I looked at the Fenix 8 manual, and it looks like the USB Mode setting is still just MTP and "Garmin" mode.

    Note that for older watches which used USB Mass Storage, the 2 options were literally USB Mass Storage and Garmin mode.

    To be clear, USB Mass Storage is the mode where you have direct access to the device's file system via USB. Contrast with MTP, where you don't get direct access but everything is mediated through the MTP protocol. One pro of MTP is that all file operations are atomic, so there's no need to eject/safely remove the device. One con is that file operations are super slow. Another con is that macOS doesn't have native support for MTP - you have to use 3rd party software.

    If Garmin has literally added USB Mass Storage back into its newer watches, that would be pretty surprising to me.

  • I might not be entirely right about it. 

    MTP is pretty weird. 

  • If you have a Mac, it's easy to tell whether a device supports USB Mass Storage. Plug your watch in via USB and see if it auto-mounts and is available in Finder. If not, then it's not using USB Mass Storage.

    Even in Windows, there are some tells to see if a device has been mounted via MTP or USB Mass Storage.

    In the case of MTP, you will typically not be able to "directly" open a file in the (apparent) "mounted drive" from File Explorer. Depending on the associated app, opening the file will either fail, or a copy with a slightly different filename will be automatically made (in the Internet Explorer temp files directory, of all places) and opened instead. Another tell is that right click > New... (to create a new file) is unavailable. There's also the fact that you won't get the "safely remove hardware" or "eject" options for the "drive", and when you view the properties of the "drive" in File Explorer, it won't report a file system like NTFS or FAT32, but instead it will show the model and manufacturer of the device.

    Whereas with USB Mass Storage:

    - File Explorer supports right click > New... (to create a new file)

    - You can directly open files from file explorer 

    - The drive properties will show a file system

    - You will have the option to eject or safely remove the drive