I have a platform for building real-time local apps called Bashoto and I am going to build an Android client.
Bashoto applications have the option of being authenticated, which is done by generating a one-time use, expiring JSON Web Token (JWT for short) with the application token and a signature to verify that the token is valid. Each connection will have a unique JWT that is generated by signing the content with a Secret.
In a web environment, this means that the client backend has a copy of the Secret, signs the token and passes it to the client front-end which is then used in a request to the BashotoIO server.
The problem here in the mobile environment, and in this case Android, is that keeping that Secret in the application code itself is a potential attack vector, since someone can inspect the APK to find it.
What is the best way to truly keep the Secret secret in an Android application, while still keeping the Bashoto integration simple and streamlined?
I would like the usage to look something like this:
Bashoto bashoto = Bashoto.fromAppKey("my-app-key");
bashoto.locate();
BashotoTopic topic = bashoto.topic("my-topic-name"); //token signing and connection happens here
topic.send("Some message that only gets seen by nearby people");