Background
Following a security discussion about mobile SDKs, we need to add support for server-side signature generation to prevent shipping secrets in Android apps.
See this Slack thread for full context.
The Problem
Currently, if customers use signature authentication with the Android SDK, they need to bundle their secret key with the app. This is a security risk because:
- APK files can be decompiled to extract secrets
- Even without rooting, users can inspect HTTPS traffic using proxy tools (Charles, Proxyman, etc.) by installing custom certificates
- Once a secret is compromised, the entire account is at risk
Proposed Solution
As discussed with @donnywals, the SDK should support signature injection - allowing customers to pass pre-generated signatures instead of computing them client-side:
// Instead of this (shipping secret in app):
val client = TransloaditClient(key = "...", secret = "DANGEROUS")
// Support this pattern (secret stays on the customer's backend):
val client = TransloaditClient(key = "...")
val signature = fetchSignatureFromBackend(params) // Customer implements this call to their own backend
client.createAssembly(params, signature = signature)
Implementation Requirements
- Allow passing pre-generated signatures to API calls
- Keep existing signature generation for backward compatibility (with security warnings in docs)
- Clear documentation showing the secure implementation pattern:
- Mobile App → Customer Backend (validates request) → Returns signature
- Mobile App → Transloadit API (with signature)
Benefits
- Secrets never leave the customer's backend
- Customers can implement their own auth/rate limiting/validation logic
- Enables request-specific authorization
- Aligns with mobile security best practices
Security Considerations
While this doesn't eliminate all attack vectors (e.g., replay attacks to the signing endpoint), it significantly raises the security bar by:
- Keeping secrets off devices entirely
- Allowing backend-side session validation
- Enabling customer-specific security controls
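As an added illustration of the "Mobile App → Customer Backend → signature" flow and of the backend-side validation listed under Security Considerations (this is example code, not part of the issue or of any Transloadit SDK), a minimal Python signing endpoint. It assumes the Transloadit scheme of an HMAC-SHA384 over the exact params JSON string with a "sha384:" prefix and the "YYYY/MM/DD HH:MM:SS+00:00" expiry format; all key values, the template id and the session check are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed sample credentials; in production they live only in the backend's secret store.
AUTH_KEY = "EXAMPLE_AUTH_KEY"
AUTH_SECRET = b"EXAMPLE_SECRET_NEVER_SHIPPED_IN_APK"
SIGNATURE_TTL_SECONDS = 300  # a short lifetime narrows the replay window the issue mentions


def sign_params(params: dict, secret: bytes) -> tuple:
    """Return (params_json, signature) for a params object.

    Assumption: the signature is an HMAC-SHA384 over the exact JSON string that will be
    sent as the `params` field, hex-encoded with a "sha384:" prefix. Confirm digest and
    encoding against the current Transloadit signature documentation before relying on it."""
    params_json = json.dumps(params, separators=(",", ":"))
    digest = hmac.new(secret, params_json.encode(), hashlib.sha384).hexdigest()
    return params_json, f"sha384:{digest}"


def verify_signature(params_json: str, signature: str, secret: bytes) -> bool:
    """Recompute the HMAC and compare in constant time (what the API side would do)."""
    expected = "sha384:" + hmac.new(secret, params_json.encode(), hashlib.sha384).hexdigest()
    return hmac.compare_digest(expected, signature)


def signing_endpoint(session_user, template_id: str, allowed_templates: set, now=None) -> tuple:
    """Customer backend handler for the app's "give me a signature" request.

    The backend builds the params (template, expiry) itself instead of signing whatever
    the app sends, so a stolen session cannot turn this endpoint into a signing oracle
    for arbitrary assemblies. Returns (http_status, response_body)."""
    if session_user is None:
        return 401, {"error": "unauthenticated"}
    if template_id not in allowed_templates:
        return 403, {"error": "template not allowed for this user"}
    now = int(time.time()) if now is None else now
    # Assumed Transloadit expiry format: "YYYY/MM/DD HH:MM:SS+00:00" in UTC.
    expires = time.strftime("%Y/%m/%d %H:%M:%S+00:00", time.gmtime(now + SIGNATURE_TTL_SECONDS))
    params = {"auth": {"key": AUTH_KEY, "expires": expires}, "template_id": template_id}
    params_json, signature = sign_params(params, AUTH_SECRET)
    # The app forwards params_json and signature verbatim to the Transloadit API.
    return 200, {"params": params_json, "signature": signature}
```

The app never sees AUTH_SECRET; it only receives a short-lived signature bound to params it did not choose, which is what makes a leaked APK or intercepted HTTPS session far less valuable.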
References
Related discussion in iOS SDK: transloadit/TransloaditKit#42