React-native-code-push: Install docs leak deployment keys

Created on 21 Jul 2016 · 6 Comments · Source: microsoft/react-native-code-push

https://github.com/search?l=java&q=new+CodePush&ref=searchresults&type=Code

Install docs are encouraging release of deployment keys. Am I missing something here? That can't be good.

All 6 comments

Closing to decrease visibility.

(edited for clarity, as my initial phrasing was confusing)

@jhabdas: The deployment key only gives access to the latest version of the source that was explicitly released on that deployment, and hence it's only as secret as the source is. For apps that are open source to begin with, this is a non-issue. For apps that are closed source, the deployment key won't be visible to you.

Of course, if you have the app installed on your device, as RN uses client-side languages it is possible to reverse engineer it to get the deployment key, but if you have that capability then you already have the ability to get the source, and the deployment key doesn't give you anything extra.

We can certainly change the install docs to encourage loading it from a config file or the like, but my intuition is that it doesn't matter too much. I'm happy to hear your thoughts though - does this make sense to you?

@silhouettes Native apps have the benefit of security through obscurity. While it may be possible to access the source code of an RN app by snooping, it seems to me it'd be much harder than, say, a web application. But access to the source is not my primary concern, it's the possibility of overwriting someone's app once you know their key. If that's possible, even in a beta stage, I'd strongly suggest updating the docs to warn users and provide a method for abstracting secrets away into an environment variable or config outside the application. What do you think?

Ah, I see where your concern is. No, a deployment key doesn't give you any kind of ability to write to the deployment, it only gives you the ability to download the latest update on that deployment (read-only access). In some of our early mockups, you'd even email the deployment key to beta testers who you wanted to install your app. Basically, if you have access to view the source of an app, you already have access to everything the deployment key would give you.

Being able to publish updates to the deployment, on the other hand, requires you to have access to the developer's account on CodePush, which requires either OAuth credentials or a separate 'access key' credential for the CLI that is never used anywhere in our SDKs.

Does that make sense to you?

I realized my initial comment was kind of confusing/misleading, so I tidied it up a bit! If you still have concerns, please let me know.

@silhouettes yes, and thanks for helping me get past that concern!
