Is it safe to put sensitive information (e.g. credentials) in application bundle?

I would like to ask whether keeping sensitive information inside the application bundle is safe (in other words, whether sensitive information can't be reverse engineered from the application deployed on the watch). I found some examples where the OAuth2 client_secret was kept inside application code (so, eventually, put in the application bundle), but I wonder if this is good practice. I know that this is definitely not safe for an Android application, because there everything can be reverse engineered. But maybe Garmin uses some measures which prevent reverse engineering of application bundles?
  • o-l-o,

    Thanks for the question. There is not really any security for the credentials if you hard code them into the PRG. I will see if there is some sort of workaround that can be used with my engineers and let you know.

    Thanks,
    - Coleman
  • Coleman,

    Thanks for the answer. I would be grateful for any advice.

    BR,
    Olo
  • I would like to ask whether keeping sensitive information inside the application bundle is safe (in other words, whether sensitive information can't be reverse engineered from the application deployed on the watch). I found some examples where the OAuth2 client_secret was kept inside application code (so, eventually, put in the application bundle), but I wonder if this is good practice. I know that this is definitely not safe for an Android application, because there everything can be reverse engineered. But maybe Garmin uses some measures which prevent reverse engineering of application bundles?

    Perhaps a first way to check is to build a test application yourself and see if you can find/read it in the resulting .prg file... (Just open it with a hex editor.)

    An option might be to write your own encryption and decryption method. Encode the info with your method outside the PRG, put the encoded version in the .prg and decode it in there using your personal method. The method doesn't have to be hard, just a way to make sure it's not easily readable.
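    As an added example (not code from any post in this thread), a small Python script that automates the hex-editor check above: it scans a built .prg for literal copies of a secret in UTF-8 and UTF-16LE and reports the offsets. The sample bytes are constructed, and the `.prg` path is an assumption.

```python
import sys
from pathlib import Path
from typing import Dict, List, Tuple

def find_secret(blob: bytes, secret: str) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every literal copy of `secret` in `blob`.

    Both UTF-8 and UTF-16LE are tried because some toolchains store string
    literals as wide characters. Only literal copies are detected: a secret
    that was XORed or base64-encoded before embedding will NOT be found, and a
    clean scan therefore only means "not trivially visible", not "safe".
    """
    hits = []
    for label, needle in (("utf-8", secret.encode("utf-8")),
                          ("utf-16le", secret.encode("utf-16-le"))):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)

def scan_prg(path: str, secrets: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a built .prg (or any binary) for each secret; assumed file path."""
    blob = Path(path).read_bytes()
    return {s: find_secret(blob, s) for s in secrets}

# Constructed stand-in for a compiled PRG: header, a client_id, then the
# client_secret value starting at byte offset 37.
SAMPLE_PRG = (b"\x00\x01PRG\x00"
              + b"client_id=abc123\x00"
              + b"client_secret=" + b"sup3r-s3cret" + b"\x00"
              + b"\xff" * 8)

# Constructed wide-string variant: the same secret stored as UTF-16LE at offset 2.
SAMPLE_WIDE = b"AB" + "sup3r-s3cret".encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python scan_prg.py build/MyApp.prg SECRET [SECRET ...]
    if len(sys.argv) < 3:
        print(f"demo: {find_secret(SAMPLE_PRG, 'sup3r-s3cret')}")
    else:
        for secret, hits in scan_prg(sys.argv[1], sys.argv[2:]).items():
            status = "LEAKED" if hits else "not found literally"
            print(f"{secret!r}: {status} {hits}")
```

    Run it against your own build output before publishing; any hit means the value ships verbatim to every device the app is installed on.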
  • Reviving an old post, but did you ever get an answer for this?

  • The first generation of music enabled watches would move a subset of app types to user-inaccessible storage on installation, including music apps. I think watchfaces were the only PRGs which remained accessible to the end user. I think this was done at the request of companies like Spotify, so the private key for their music DRM wasn't exposed to end users.

    I think the latest generation of watches hides *all* PRGs, so it's impossible for the end user to access them.

    You can easily confirm this for yourself if you have a newer device - \GARMIN\APPS\ should have no PRG files, regardless of whether apps were loaded via the store or by sideloading.

    However, this won't help you if you want to support older devices.

    And of course, you still have to trust Garmin with your data. Even if you trust their intentions, you have to rely on the assumption that there aren't any unknown exploits in Garmin devices.

    An option might be to write your own encryption and decryption method. Encode the info with your method outside the PRG, put the encoded version in the .prg and decode it in there using your personal method. The method doesn't have to be hard, just a way to make sure it's not easily readable.

    Security through obscurity isn't security. If your data is valuable at all, you should assume an adversary will try to extract it by any means possible.

  • Thanks for the response. I have a Garmin Forerunner 945 and I can verify that PRG files are included and accessible on device (\GARMIN\APPS) when downloaded from the ConnectIQ Store.

    How new of a device is required for the PRG files to be inaccessible?

  • On newer devices, you won't see PRG files under garmin/apps. They are moved to a hidden folder. The FR955 and FR965, for example.

  • Yeah, as jim_m_58 alluded to, it’s basically the “current generation” of devices which hide *all* PRGs. If I had to guess, I’d say any device which has System 6/7 aka CIQ 4/5. Probably anything on the list of devices with announced support for System 7: [https://forums.garmin.com/developer/connect-iq/b/news-announcements]

    The 945 is a generation behind, and the 945 LTE is a weird case because it has similar software to modern devices, but it’s stuck in System 5 (it lacks a GPU and doesn’t support super apps, for example).

    So roughly speaking, any Garmin watch released around 2022 or later should hide all PRGs. Older devices, if they support music, should hide music provider PRGs (and maybe some other app types, but probably not all app types.) Old devices which don’t support music won’t hide any PRGs.

  • On newer devices, you won't see PRG files under garmin/apps. They are moved to a hidden folder.

    Just out of curiosity (I have no watch): there are many programs which make it possible to show hidden folders. Do you mean that kind of hidden folder?

  • None that I know of on MTP (music) devices. Music apps were the first to be hidden.