App Keys & Secrets: Security

In order for your app to communicate with the Urban Airship API, it must use a key and secret combination that authenticates it to your Urban Airship app setup. These keys are generated automatically when you create an app in our dashboard, and you manually copy them into your iOS, Android/Amazon or Windows app configuration. Since app bundles are fundamentally considered insecure (they can be decompiled), this key and secret combination limits the APIs that your device can communicate with. It allows the device to modify tags and aliases for a specific Channel, device token, APID or PIN, and nothing more.

Push addresses/tokens are sufficiently random that they can be considered obscure, and the associated data is low risk. We employ additional security on our servers to monitor for abuse. Tags and aliases should be considered obscure; however, they are APIs that devices are trusted to access, so you should not place sensitive information in a tag or alias.

We generate one additional piece of data called the Master Secret, which is used to do all communication with our wider APIs. The Master Secret should never be placed in an app bundle, nor released to the public. This is the secret you use to authenticate requests to our server for generating pushes, rich app pages, and more.
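A release check for this rule, as an added example rather than Urban Airship code: it scans a packaged app (APK and IPA files are zip archives) for the Master Secret in a few common encodings. The secret values, file names and property names below are constructed for illustration.

```python
import base64
import io
import zipfile


def secret_encodings(secret: str) -> dict:
    """Byte patterns under which the secret could sit inside a packaged file."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),  # wide strings in binaries
        "base64": base64.b64encode(raw),
        "hex": raw.hex().encode("ascii"),
    }


def scan_bundle(bundle: bytes, master_secret: str) -> list:
    """Return (member, encoding) for each archive member containing the secret."""
    patterns = secret_encodings(master_secret)
    hits = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            hits += [(info.filename, enc) for enc, pat in patterns.items() if pat in data]
    return hits


def build_bundle(files: dict) -> bytes:
    """Pack constructed sample files into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed placeholders, not real credentials or real file layouts.
MASTER_SECRET = "EXAMPLE-master-secret-0000"
CONFIG = b"appKey=EXAMPLE-app-key\nappSecret=EXAMPLE-app-secret\n"
CLEAN_BUNDLE = build_bundle({"assets/config.properties": CONFIG})
LEAKY_BUNDLE = build_bundle({
    "assets/config.properties": CONFIG + b"masterSecret=" + MASTER_SECRET.encode() + b"\n",
    "lib/blob.bin": b"\x00\x01" + base64.b64encode(MASTER_SECRET.encode()) + b"\x00",
})

if __name__ == "__main__":
    for name, bundle in (("clean", CLEAN_BUNDLE), ("leaky", LEAKY_BUNDLE)):
        print(name, scan_bundle(bundle, MASTER_SECRET))
```

In a build pipeline the secret would be read from the build environment and any hit would fail the release. A scan with no hits does not rule out a secret that has been split or obfuscated in code.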

Definitions

App Key

Urban Airship-generated string identifying the app setup. Used in the application bundle. Only available via go.urbanairship.com after logging into your account.

App Secret

Urban Airship-generated string identifying the app setup secret. Used in the application bundle. Only available via go.urbanairship.com after logging into your account.

Master Secret

Urban Airship-generated string used for server-to-server API access. This secret must never be shared or placed in an application bundle. Only available via go.urbanairship.com after logging into your account.

Partner Secret

Urban Airship-generated string used for server-to-server API access to create and manage applications for partner integrations. This should never be shared or placed in an application bundle. Only available through manual channels.

User ID

Urban Airship-generated string passed back to devices and stored in the device keychain for authenticating user-related device API actions when paired with the Password. This is not the same as your Urban Airship Web Portal (go.urbanairship.com) Login.

Password

Urban Airship-generated string passed back to devices and stored in the device keychain for authenticating user-related device API actions when paired with the User ID. This is not the same as your website (go.urbanairship.com) password.

Push Address or Token

A unique proprietary string generated by device vendors (Apple, Google, Windows, Amazon) for identifying an addressable push device. This is passed back to the device via vendor-specific APIs and then stored by Urban Airship for addressing push messages and authenticating push-related APIs.

Web Portal Login

The User ID and Password used by an Urban Airship customer to log in to the Urban Airship portal to configure apps, manually send pushes through Push Composer, view Reports, etc. This is listed for clarity here as it is different from the User ID and Password listed above. The Web Portal is located at go.urbanairship.com.

API Authentication Map

| API Feature | Create | Read | Update | Delete |
| --- | --- | --- | --- | --- |
| Tags | App Key/Secret & Token | Single: App Key/Secret & Token; Enumerate: App Key/Secret | App Key/Secret & Token | Single from Device: App Key/Secret & Token; All tags, all devices: Master Secret |
| Alias | App Key/Secret & Token | Single: App Key/Secret & Token; Enumerate: N/A | App Key/Secret & Token | App Key/Secret & Token |
| Device Token/APID/PIN Registration | App Key/Secret & Token | Single: App Key/Secret & Token; Enumerate: Master Secret | App Key/Secret & Token | App Key/Secret & Token (marks inactive) |
| Push Message | Master Secret* (unless push from device feature | Scheduled Push: Master Secret | Scheduled Push: Master Secret | Scheduled Push: Master Secret |
| Rich Push Message | App Key/Master Secret | User ID/Password | N/A | User ID/Password |
| User | App Key/Master Secret | Single: User ID/Password or Master Secret; Enumerate: Master Secret | User ID/Password or Master Secret | User ID/Master Secret* (marks inactive) |
| Partner API | Partner Key/Secret* (only available to partners) | Partner Key/Secret | Partner Key/Secret | Partner Key/Secret |

Tag & Alias Security

Tags and aliases are considered obscure, but not secure, in our system. We recommend that you not use them to store sensitive information. The obscurity varies by platform, as push addresses/tokens are a different format for each vendor (Apple, Google, Microsoft, Amazon). Typically these are UUIDs or similar, but this is not guaranteed and should be considered proprietary in nature. In order to gain access to a specific device’s tags or aliases from an unauthorized source, you would need to guess the push identifier, which is mathematically improbable, or obtain it by other means.

Given that certain tag operations can be completed without the Master Secret, it is possible for a user with the app key, app secret and push address to list tags for an app and to subscribe themselves to or unsubscribe themselves from those tags. Please be aware of this as you plan your own usage of the tag API.