• Replies 15 replies
  • Subscribers 21 subscribers
  • Views 2511 views
  • Users 0 members are here
Options
Related

Is it safe to put sensitive information (e.g. credentials) in application bundle?

o-l-o
over 7 years ago
I would like to ask if keeping sensitive information inside application bundle is safe? (in other words if sensitive information can't be reverse engineered from application deployed on watch) I found some examples where OAuth2 client_secret was kept inside application code (so, eventually put in the application bundle), but I wonder if this is good practice. I know that this is something definitely not safe regarding Android application, because there everything can be reverse engineered. But maybe Garmin uses some measures which prevents reverse engineering of application bundles?
  • over 7 years ago
    o-l-o,

    Thanks for the question. There is not really any security for the credentials if you hard code them into the PRG. I will see if there is some sort of workaround that can be used with my engineers and let you know.

    Thanks,
    - Coleman
  • over 7 years ago
    Coleman,

    Thanks for the answer. I would be grateful for any advice.

    BR,
    Olo
  • over 7 years ago
    I would like to ask if keeping sensitive information inside application bundle is safe? (in other words if sensitive information can't be reverse engineered from application deployed on watch) I found some examples where OAuth2 client_secret was kept inside application code (so, eventually put in the application bundle), but I wonder if this is good practice. I know that this is something definitely not safe regarding Android application, because there everything can be reverse engineered. But maybe Garmin uses some measures which prevents reverse engineering of application bundles?


    Perhaps a first way to check is build a test application for the self and see if you can find/read it in the resulting .prg file... (Just open it with a hex-editor).

    An option might be to write some personal en- and decryption method. Encode the info with your method outside the prg, put the encoded in the .prg and decode in there using your personal method. The method doesn't have to be hard, just a way to make sure it's not easily readable.
  • over 1 year ago

    Reviving an old post, but did you ever get an answer for this?

  • over 1 year ago in reply to Nullceptional

    The first generation of music enabled watches would move a subset of app types to user-inaccessible storage on installation, including music apps. I think watchfaces were the only PRGs which remained accessible to the end user. I think this was done at the request of companies like Spotify, so the private key for their music DRM wasn't exposed to end users.

    I think the latest generation of watches hides *all* PRGs, so it's impossible for the end user to access them.

    You can easily confirm this for yourself if you have a newer device - \GARMIN\APPS\ should have no PRG files, regardless of whether apps were loaded via the store or by sideloading.

    However, this won't help you if you want to support older devices.

    And ofc, you still have to trust Garmin with your data. Even if you trust their intentions, you have to rely on the assumption that there aren't any unknown exploits in garmin devices.

    FlipStone said:
    An option might be to write some personal en- and decryption method. Encode the info with your method outside the prg, put the encoded in the .prg and decode in there using your personal method. The method doesn't have to be hard, just a way to make sure it's not easily readable.

    Security through obscurity isn't security. If your data is valuable at all, you should assume an adversary will try to extract it by any means possible.

  • over 1 year ago in reply to FlowState

    Thanks for the response. I have a Garmin Forerunner 945 and I can verify that PRG files are included and accessible on device (\GARMIN\APPS) when downloaded from the ConnectIQ Store.

    How new of a device is required for the PRG files to be inaccessible?

  • over 1 year ago in reply to Nullceptional

    On  Newer devices, you won't see prg files under garmin/apps.  They are moved to a hidden folder.  The fr955 and fr965 for example

  • over 1 year ago in reply to Nullceptional

    Yeah, as jim_m_58 alluded to, it’s basically the “current generation” of devices which hide *all* PRGs. If I had to guess, I’d say any device which has System 6/7 aka CIQ 4/5. Probably anything on the list of devices with announced support for System 7: [https://forums.garmin.com/developer/connect-iq/b/news-announcements]

    945 is a generation behind and 945 LTE is a weird case bc it has similar software to modern devices, but it’s stuck in System 5 (it lacks a GPU and doesn’t support super apps, for example). 

    So roughly speaking, any Garmin watch released around 2022 or later should hide all PRGs. Older devices, if they support music, should hide music provider PRGs (and maybe some other app types, but probably not all app types.) Old devices which don’t support music won’t hide any PRGs.

  • over 1 year ago in reply to jim_m_58
    jim_m_58 said:
    On  Newer devices, you won't see prg files under garmin/apps.  They are moved to a hidden folder.

    Just out of curiosity (I have no watch): there are many programs which enable to make hidden folders visible. Do you mean such kind of hidden folders?

  • over 1 year ago in reply to mcinner1

    None that I know of on MTP (music) devices.  Music apps were the first to be hidden.