Save Passwords in Secure Storage in your Xamarin app with Essentials

Captions
When you're working on a mobile app, there is a good chance that you're working with passwords or OAuth tokens or maybe API keys that you need to store somewhere securely on the user's device. So let's learn how to do just that.

Before I'm going to show you how to implement all this goodness, I will show you a little bit of the end result. So here we have an entry, um, where I can enter my super secret password. So let's just make it password 01 exclamation mark, something like that. It doesn't have a check if it's secure or not, but it's just going to save it securely on the storage. So let me just save that right here with the click of this button, and then whenever I show it, it will pull it from the secure storage and show it here in this alert box, which isn't very secure by itself, but it is mostly about being stored securely somewhere in between there. So let's go check out how to do just that.

Now before we go over to Visual Studio, there's something I want to explain a little bit, a little bit about what this can actually be used for, because this is kind of like an extension of the Xamarin.Essentials Preferences API, which allows you to kind of key-value pair set preferences or other small pieces of data that you might want to save for your application. But this will do the same thing, it's still key-value, and also, um, on the doc page, its docs page, it's noted that you will have to use this for kind of small pieces of string or some other things that you can serialize, um, but definitely not bigger things. So think like the OAuth tokens or passwords or other things that you might want to have secure, because kind of like the only thing, well, the only thing this does is save this data in a more secure place on your Android, iOS or UWP file system, where it will be encrypted, where it will do all these things that other outside users, outside people cannot access it, even outside of your device or whatnot. The implementation details can also be found on the docs page of this API, so you can see
what is going on. It uses the, the built-in OS encryption keys and mechanisms, and so, you know, it is as safe as Apple or Google or Windows says that it is. So that's kind of what you can do with this.

Now there's a couple of scenarios possible. You can just save it to save the API key that you use to communicate with your, your own REST API maybe, um, so that it's not readable in your code, and, and you can, you know, just on the first launch of your application download that code from somewhere, which might not also be very secure, but you'll, you'll figure it out. But you can save that, or maybe you can get an OAuth token from some social login, from Facebook or Twitter or whatever, and that has a certain expiry time, maybe 30 days, so you can save that there for 30 days and see whenever it's expired you can auto refresh it, but you can save that in that secure place so that other people cannot access it.

Now one other scenario that comes to mind is, I also have a video on the biometrics plugin, which is really cool, but the biometrics plugin only does verify if the user is the user that belongs to this device, right? It only verifies if this face is registered to the device or this thumbprint is registered to this device, but you still have to take into account the login, right? So it's, it's basically just a shortcut to fill in the, the password or the pin code for the user. So you will have to save that password or that pin code, and you have to do that, well, you can do that, you should do that in the secure storage that I'm going to show you in a little bit here. So you can perfectly combine that with that biometric video that I put out there, and then whenever the fingerprint or the face is verified, you can pull out that password from the secure storage and input that for the user automatically. So that's a bit of background that I wanted to give you.

There's one other big note for Android specifically. Android has this auto backup going on, um, I think from API level 23 and up. It's noted in the
documentation, which the link is down below, so be sure to check that out. And if your app goes through the auto backup, um, then whenever the user restores their app on a different device, then the encryption keys have changed and your secrets might not be retrieved anymore. So that is definitely a scenario that you want to take into account here. So be sure to check the documentation on that and build something in your app to circumvent those scenarios or just take it into account. I think if a key is not found it will just throw an exception, so whenever that happens just re-authenticate the user or trigger another way to get the secret that you were actually trying to get from the user. Okay, now without further, further, any ado, let's just quickly hop into code and show you how this API actually works.

Okay, so here we are in Visual Studio for Mac 2019. Um, you can see on the left a File, New Xamarin.Forms application that I've just created for this. Um, you can see the example page right here, and it's running on the iOS simulator on the right. Now like I've already mentioned, this is supported for iOS, Android, UWP, and they all have their own implementation. I'm going to show you this for iOS. I think Android has a little bit of platform-specific setup that you might need to do. For iOS I found it the most, um, complicated, which is still not very complicated, but we'll see that in a little bit. So that's why I'm showing you this on iOS. I'm sure you can figure out the other ones, and I'm just going to show you how simple actually this API works.

So at the time of recording we just released iOS 15 and Xcode, well, Apple just released that, and a little bug snuck in with Hot Reload, so the Hot Reload won't be working like it regularly does in other videos. So I'm going to update the title here, but it's not going to automatically update on the running application here. But we're going to talk about Secure Storage Sample right here, so let's save that, and I'm going to implement a very simple UI which
will just take a string, which should be a password, and a button to actually save that, right? So let's just remove all of this, and I'm going to add this entry, give it an x:Name so I can reference it in the code-behind. Let's call it password, and let's give it a margin so that it looks a little bit nicer, just a little bit nicer. And let's add a button under that with a text that's called Save and a Clicked handler that will be generated, well, actually there is one, probably from a rehearsal that I did just now, and let's just do it like that. So I'm going to save this. We have a button and an entry box, so let's see how we can save the value from that entry in the secure storage. But again, if you do some kind of OAuth flow, you will get the token from like a third-party provider and you don't have to have the user input anything. Basically you will just grab that token and do the rest programmatically, what I'm going to show you right now.

So let's go to our code-behind for this page, in our solution, to the shared project, MainPage.xaml.cs, and here is our button clicked handler. And if we now go to Xamarin.Essentials.SecureStorage and see all the APIs that are in here, we have a couple of those. The GetAsync, so that gets a value by the key, and you can only get strings, so whatever you want to save here, it has to be convertible to a string, which can be a lot of things of course, but I already mentioned it should be like simple values, not too long, else it can take a long while because it has to be encrypted, decrypted, those kinds of things, so you don't want to take it too long. So this will just get a value by the key that you give it. You can remove a certain key, so maybe something has expired or maybe you don't need something anymore, just remove it. You can RemoveAll, which basically clears out the whole store and removes all the things in here, and you can of course do SetAsync, so you can provide a key and a value which is then going to be stored in the secure storage. So first let's do
the SetAsync, because we are doing this on the button click, which is going to be a save thing. You have to come up with a key. The key is probably something that you want to define globally in your application. Right now I'm just going to do password, and I'm going to set that to the value of password.Text. There we go. And it's SetAsync, so I should do await, and then for my button clicked handler I should make it async, and whenever I do that it should store my password in the password field in the secure storage.

Now let's also, maybe let's add another button, which is super very not so secure, but I'm going to copy and paste this and I'm going to call this Show. I am going to generate a new Clicked handler here, button click one, very descriptive. Let's go back to our code-behind, and now let's do await, await DisplayAlert, so it's just going to alert to me the value that is in the password field in this case. So title, your password is, you can see it's very secure. The actual message, I'm gonna get back to that one in a little bit, and the string cancel, so let's make that OK, and I should make this async as well. Um, so we're going to get the value, and actually let's make this var password is Xamarin.Essentials.SecureStorage.GetAsync, and I think, like I mentioned earlier, that this is going to throw an exception whenever the key is not there, so that might be an interesting use case here. GetAsync password, and I should wrap this then in a try, let's see, catch, and then I need to make this a little bit different. Um, let's make this string password is nothing, and so this way we can see what's going on. So this is, this is, this will be nice. Okay, so let's make it this, and we should make this await as well, and then with the catch let's make the password is nothing yet. So now we know whenever an exception happens it will set it to nothing yet, and we will know that it actually throws this exception whenever that's the case, and then we can just set here the password. Okay, so there we go,
now with the button clicked this should be all good. This is good, good, good. Yeah, I think we're ready to restart the application. Well, actually not quite yet, let me stop this right here, because I mentioned that we need to do something for iOS specifically.

So let's go into the Solution Explorer and the iOS project, and here you have the Entitlements.plist. We don't touch this very often, but this is the entitlements that you need for your application, and there's something funny going on for the secure storage, but only when you're running it on the simulator on your local device. You will need an entitlement to access your keychain on your device, um, I, I imagine on macOS, so it actually like mimics the secure storage by storing it in the secure storage of your Mac, if that makes sense. So we're going to have to do this entitlement right here, or maybe it's the keychain, it's called the same thing on iOS, so I'm not sure how this entirely works under the hood, but kind of like the important thing for you is that the entitlement is only needed for debugging purposes when using the simulator. On the actual device or when you're actually going to release this to the App Store, this is not needed. Now I will, I will touch upon that in a little bit, but for now let's open the Entitlements.plist. You will get this list of properties, which is not very helpful unless you want to add a key the hard way, but here down at the bottom we also have this Entitlements view in Visual Studio, and here you can see a list of like all the default entitlements that are there. And let's scroll down to, where is it, where is it, Enable Keychain, here we go. So Enable Keychain, click that, and you can see that it adds a keychain group. Now if you want to do more advanced stuff with this, you have to dig into the keychain groups and see what's going on here, but automatically it will add for you like the bundle identifier, which is the identifier of your app, in this Entitlements.plist, and this should be all that is needed. So
this is one thing. Now the other thing is kind of interesting. We can close this Entitlements.plist file, then go back to the solution and right-click on the iOS project and go into the Options. Now if you're doing this on Visual Studio for Windows it will look very similarly, but if you go to the project you have to right-click and do Properties, I think, but the option should all be there, it just looks a little bit different, you can figure it out. And then in this new window right here you're going to go to iOS Bundle Signing, and you can see that this is kind of specific here at the top depending on your configuration. So you can specify different configuration here depending on if it's a debug or a release build, or the iPhone simulator or the actual iPhone platform. So here you can specify it for debug and iPhone simulator, you can say Custom Entitlements, and I can just click on this browse button and click the Entitlements.plist and say OK, and this should set it for only like the debug and iPhone simulator configuration. So this won't affect kind of like whenever you take this to the App Store, because there it's not needed and it might even give you, um, an error if you actually do so. Also if you don't set this, whenever you're running your app and you try to save or get a value, it will also show an exception, throw an exception, saying that you don't have the right entitlements, so if that's the case then you know what to do right now.

So let's do OK, and actually let's start the application then. Now it should come back up, it should show our new fancy interface with the entry and the button, and I should be able to enter some value there, click the Save button, and then also click the other button to actually get the password again. Actually, let's first click the Show button to see what's going on there, because that's going to be interesting. Okay, so this is actually not what I expected. Your password is nothing, while I would expect it, but I definitely read it wrong in the
documentation that it would throw an exception. So I guess it throws an exception whenever the encryption keys are wrong now, so whenever something can be decrypted or something else is wrong, but if you just try to get a key, well, a value for a key that doesn't exist, it will just give you an empty string. So that's what's happening here, now you know.

So okay, so let's do the other one, and actually let's do this, um, what should be my super secret password, subscribe to my channel one two three maybe, let's make something like that. Maybe you have a channel on YouTube that you want to subscribe to. Um, okay, let's save that, so let's just click Save. I don't have any feedback here, but I'm going to trust that this SetAsync happened, and actually I can show it immediately by clicking the Show button now, and you can see that it pulls out, um, that from like the secure storage, um, subscribe to my channel one two three. So it gets it, and of course, you know, whenever you kill the application and you go back in here, I would expect it to again get my secure kind of thing right here. So you can see it still gets my password from the secure storage, and that is basically the one-liner how you can add values to secure storage and get them from them as well, and I'm sure you can figure out how to use the Remove and RemoveAll calls from here as well.

So yeah, now you know how to secure storage all the things that need to be stored securely. I think this API is very similar or maybe even identical to the Xamarin.Essentials Preferences API, and it's, it's just a couple of one-liners which stores some key-value pairs, so, you know, it's not very complex, it should be very easy to implement, and now you know how to do it. Check out the documentation, I've mentioned it a couple of times before, because it's one of those things that you want to get right definitely, because this is something important and there is a few things that you want to need to know here, especially maybe about the implementation details and how
everything is actually encrypted, um, or, you know, maybe you don't trust this stuff and you're going to build your own encryption thing, um, that's fine as well, but now at least you know how to do it through Xamarin.Essentials.

As always, this code can be found up on GitHub, so find the link for that and a lot of other links down below in the video description. And other than that, thank you so much for watching again one of my videos. Please click that like button if you've actually enjoyed watching this video and want to spread this love through the rest of YouTube, where other people can find it as well, because that is ultimately what that like button does. And if you enjoy this channel and maybe you haven't subscribed yet, go check out that subscribe button, if it is lit up yes or no, and if not just click it. Maybe ding that little bell so you'll be notified of new content automatically. You don't have to do anything for it, just sit back and let me come to you. And of course I'll be seeing you for my next video. Keep coding!
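
Added example, not part of the video or its transcript and not the presenter's code: a small wrapper around the Xamarin.Essentials SecureStorage calls named above (SetAsync, GetAsync, Remove) that treats both a missing value and a failed read, such as the Android auto backup restore case, as "no secret, re-authenticate". The names TokenStore and PasswordKey are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Xamarin.Essentials;

// Added example. TokenStore and PasswordKey are hypothetical names;
// only the SecureStorage calls come from Xamarin.Essentials.
public static class TokenStore
{
    // One globally defined key, as suggested in the video.
    const string PasswordKey = "password";

    // Returns false instead of throwing, e.g. when the keychain
    // entitlement is missing on the iOS simulator.
    public static async Task<bool> SaveAsync(string secret)
    {
        try
        {
            await SecureStorage.SetAsync(PasswordKey, secret);
            return true;
        }
        catch (Exception)
        {
            // Do not log the secret or echo it back to the UI.
            return false;
        }
    }

    // Returns null when there is nothing usable in secure storage,
    // so the caller has a single "ask the user to sign in again" path.
    public static async Task<string> LoadAsync()
    {
        try
        {
            var value = await SecureStorage.GetAsync(PasswordKey);
            // A key that was never set yields no value rather than an exception.
            return string.IsNullOrEmpty(value) ? null : value;
        }
        catch (Exception)
        {
            // The stored value could not be read or decrypted, for example
            // after an Android auto backup restore onto another device.
            // Drop the stale entry so the next save starts clean.
            SecureStorage.Remove(PasswordKey);
            return null;
        }
    }

    // Call on sign-out or when the token has expired.
    public static void Forget() => SecureStorage.Remove(PasswordKey);
}
```

A caller would await TokenStore.LoadAsync() and start its login flow whenever the result is null.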
Info
Channel: Gerald Versluis
Views: 1,839
Keywords: xamarin forms 101, xamarin 101, xamarin.forms 101, xamarin.forms 5.0, xamarin forms 5, Xamarin Essentials, Secure Storage, xamarin secure storage ios, xamarin tutorial, xamarin tutorial for beginners, xamarin forms tutorial, xamarin forms, .NET MAUI, dotnet maui, maui essentials, Xamarin Encrypted Storage, oauth token storage, api key store, xamarin essentials 1.7, secure data storage, xamarin forms tutorial for beginners step by step, xamarin forms tutorial for beginners
Id: UmfR5FHENE8
Length: 17min 11sec (1031 seconds)
Published: Thu Oct 07 2021